NQT Privacy Policy

Herts for Learning

Privacy policy

This policy is to let you know how Herts for Learning Limited ('the Company', 'we', 'us' or 'our') will collect, use and process Personal Data. It is also designed to let you know your rights and what you can do if you have questions about Personal Data. The Company is the controller for the purposes of data protection laws.

This document sets out the types of Personal Data (meaning information about an individual from which that individual can be personally identified) we handle, the purposes of handling those Personal Data and any recipients of it.

We are committed to ensuring that your privacy is protected at all times. Any information that you provide will be handled in accordance with this privacy policy.

  1. Our details We are: Herts for Learning Limited Address: Robertson House, Six Hills Way, Stevenage, SG1 2FQ Information Commissioner's Office Registration Number: ZA154308 Our Data Protection Officer is: Lynette Dexter and their contact details are: Robertson House, Six Hills Way, Stevenage, SG1 2FQ

  2. Why we collect Data We collect and hold personal information relating to our users, and in relation to any individuals included in data sets that are being processed by the company under contractual agreements.

We may share Personal Data with other agencies, but only as necessary under our legal duties or otherwise in accordance with our duties/obligations as a Company.

The Personal Data we are provided with or collect is provided to us on a voluntary basis when users register or purchase products from this website, or by users under contractual agreements.

Below are set out the reasons why we collect and process Personal Data, as well as the legal basis on which we carry out this processing:

• to provide all users with the appropriate level of service: we will process Personal Data in order to effectively communicate and deliver our services to all users. • assess the quality of our services: we will process Personal Data so that we may reflect on our own practices to help us improve and provide the highest quality services that we can to all users.
• To review data relating to our customers’ subjects: Under contractual arrangements with our customers, and in our capacity as data processors, we will process data provided by our customers. This data may include, but not be limited to, personal data and information relating to members of school staff, and data relating to pupils in our customers’ schools or Early Years settings.

  1. Legal basis for processing Data The lawful basis for us to collect/process this Personal Data is by reason of necessity for the performance of a contract to which the both we and the Data Subject are party, or in order to take steps at the request of the Data Subject prior to entering into a contract.

We also process Personal Data where processing is necessary for the purposes of legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the Data Subject. This will include processing where such processing is required in order to fulfil contractual obligations.

We do not process any special categories of Personal Data except where necessary for reasons of substantial public interest in complying with legal obligations including under the Equality Act 2010 or where necessary to protect the vital interests of the Data Subject or of another natural person and where safeguards are in place to ensure that this Personal Data is kept secure. For the avoidance of doubt where special categories of Personal Data are collected it shall not be used for the purposes of automated decision making and/or profiling.

Special categories of data means Personal Data revealing: • racial or ethnic origin; • political opinions; religious or philosophical beliefs or trade union membership; • genetic or biometric data that uniquely identifies you; • data concerning your health, sex life or sexual orientation; or • data relating to criminal convictions or offences or related security measures.

Further Personal Data including special categories of Personal Data may be collected and/or processed where consent has been given. If consent is the only legal basis for processing and has been given then this may be revoked in which case the Personal Data will no longer collected/processed.

4.Categories of Data we collect about you As a user of our services, we may collect the following Personal Data about you (please note this list does not include every type of Personal Data and may be updated from time to time): i) your name; ii) name of your organisation; iii) your job title iv) telephone number; v) email address; vi) any postal addresses that you provide.

This information will be taken from you at the time that you register for our services, or make a purchase from us, or make contact with us through the contact us page. Contact information is used to respond to enquiries or get in touch with you when necessary.

Any Personal Data collected through this website will be treated as confidential under the principles of the Relevant Data Protection Law.

  1. Who will have access to your Data Personal Data will be accessible by members of staff. Where necessary, directors will also have access to Personal Data.

We will not share information with third parties without consent unless we are required to do so by law or our policies. We will disclose Personal Data to third parties: • if we are under a duty to disclose or share your Personal Data in order to comply with any legal obligation; • in order to enforce any agreements with you; • in order to perform contracts with third party suppliers acting as data processors, as required to fulfil our contractual arrangements with you.We have worked with these suppliers to obtain reassurance that they are compliant with Data Protection regulations, including GDPR. Our third party sub-contractors include: o Capita o RM o Health Management Limited o HCSS Education o Serco and Herts County Council o Sunrise o Booking Live • to protect the rights, property, or safety of the Company.

This may include sharing data with our Local Authority, the DfE (please see Section 2), the Police and other organisations where necessary.

Certain data collection obligations are placed on us by the DfE. To find out more about the data collection requirements placed on us by the DfE (for example; via the school census) visit: https://www.gov.uk/education/data-collection-and-censuses-for-schools.

The above listed third party suppliers will process data on our behalf. Therefore, we investigate these third party suppliers to ensure their compliance with Relevant Data Protection Laws and specify their obligations in written contracts.

  1. How Data will be processed Personal Data may be processed in a variety of ways; this will include but is not limited to: • maintaining written records; • identification; • sending by e-mail; • adding to spreadsheets, word documents or similar for the purposes of assessing Personal Data; • for educational software use (this could be for the purposes of helping children learn, discipline, reports and other educational purposes).

We use this information for the following reasons:

i) to process any orders you make through our e-commerce platform ii) to improve our products and services iii) for marketing our products and services to you iv) for market research

  1. Cookies Cookies are small files which are placed on your computer or device by websites you visit. If you return to the website later, your web browser sends the small file to the server to notify the website of any previous activity you engaged in on the site. Cookies help our site to respond to you as an individual and to work properly, for example remembering login details or items you had in a shopping basket.

You may delete and block all cookies from this website, but if you do parts of the site may not work.

We use traffic log cookies to identify which pages are being used on our site and analyse visitor behaviour through statistics. This may include the user’s IP address and session information such as the duration of the visit, type of browser used and broad demographic information.

Most web browsers allow some control of most cookies through the browser settings. To find out more about cookies, including how to see what cookies have been set and how to manage and delete them, visit: www.allaboutcookies.org.

To opt out of being tracked by Google Analytics across all websites visit: http://tools.google.com/dlpage/gaoptout

We use the following cookies on our website: Cookie name What is it? Purpose

_ga Used to distinguish users Expires: 2 years We use Google Analytics, a web analytics service provided by Google. Google Analytics uses 'cookies', which are text files placed on your computer, to help analyse how visitors use the website. Cookies set by Google Analytics SESS Session cookie Expires: when you close your browser Stores user session. Session cookies allow users to be recognized within a website so any page changes or item or data selection you do is remembered from page to page. NID Used by Google to store user preferences and information of Google maps We use Google Analytics, a web analytics service provided by Google. Google Analytics uses 'cookies', which are text files placed on your computer, to help analyse how visitors use the website. Cookies set by Google Analytics AWSELB Ensures a user's session is always sent to the same backend server We use the Amazon Web Services load balancer which provides stickiness Cookie-agreed Typical content: boolean Expires: 3 months Our site uses Drupal cookies to display and remember content based on selections you have already made. stripe_mid stripe_sid Session cookies for Stripe Technical session cookies to allow the Stripe payment gateway to work on our website. Stripe’s privacy policy

  1. Links to other websites You may encounter a link to an external website page whilst visiting our website. If the link is to a website that is operated by a third party you should know that we have no control over that website or its content and as such cannot be responsible for the protection and privacy of your data or information you provide whilst visiting the site. You are advised to check the privacy policy of those other sites for their terms and conditions.

  2. Where we store data and how we keep Data secure We are committed to ensuring that the data you provide is handled securely and have put in place suitable physical, electronic and managerial processes to safeguard your information. Paper copies of Personal Data are kept securely at the Company; for example, in secure filing cabinets.

Electronic copies of Personal Data are kept securely and information will only be processed where we are satisfied that it is reasonably secure.

All information you provide to us is stored on secure servers. Where we have given you (or where you have chosen) a password which enables you to access certain parts of our website, you are responsible for keeping this password confidential. You must not share your password with anyone.

When giving Personal Data to third parties (for example, sub-contracted software providers) it is possible that this Personal Data could be stored in a location outside of the European Economic Area. We do, however, ensure that all sensitive data relating to young people is only sub-contracted out to data processors who store that data within the EEA. We will take all steps reasonably necessary to ensure that your Personal Data is treated securely and in accordance with this privacy policy. In particular, any transfer of your Personal Data made by us to a location outside of the EEA will be governed by clauses in a written contract in order to keep these secure.

This site has security measures in place to protect the loss, misuse and alteration of the information under our control. All instances of unauthorised attempted access to our site are logged and investigated. Where necessary, Herts for Learning will inform law enforcement agencies or other relevant organisations regarding misconduct.

At the Company we respect the privacy of email accounts and we store your email addresses securely. Your details will not be passed to ANY organisation beyond us without your explicit permission.

However, we may use email to keep you up to date with news about products, services and offers that we think maybe are of interest to you. If you do not want to be kept informed in this way by email, please let us know.

  1. Retention Periods We will only retain Personal Data for as long as is necessary to achieve the purposes for which they were originally collected. As a general rule, Personal Data will be kept in accordance with guidance from the IRMS. Further information on retention periods can be obtained by contacting us via the details in Section 1 of this Notice.

Once the retention period concludes the data is securely and safely destroyed/ deleted.

  1. Your Data rights The General Data Protection Regulation and associated law gives you rights in relation to Personal Data held about you. These are:

• Right to be informed: you have the right to be informed about the collection and use of your data. This policy contains information in relation to the collection of your Personal Data, however, if we collect additional data for other purposes, we will inform you about this.

• Right of Access: if your Personal Data is held by us, you are entitled to access your Personal Data (unless an exception applies) by submitting a written request. We will aim to respond to that request within one month. If responding to your request will take longer than a month, or we consider that an exception applies, then we will let you know. You are entitled to access the Personal Data described in Section 4.

• Right of Rectification: you have the right to require us to rectify any inaccurate Personal Data we hold about you. You also have the right to have incomplete Personal Data we hold about you completed. If you have any concerns about the accuracy of Personal Data that we hold then please contact us.

• Right to Restriction: you have the right to restrict the manner in which we can process Personal Data where: o the accuracy of the Personal Data is being contested by you; o the processing of your Personal Data is unlawful, but you do not want the relevant Personal Data to be erased; or o we no longer need to process your Personal Data for the agreed purposes, but you want to preserve your Personal Data for the establishment, exercise or defence of legal claims.

Where any exercise by you of your right to restriction determines that our processing of particular Personal Data are to be restricted, we will then only process the relevant Personal Data in accordance with your consent and, in addition, for storage purposes and for the purpose of legal claims.

• Right to Erasure: you have the right to require we erase your Personal Data which we are processing where one of the following grounds applies: o the processing is no longer necessary in relation to the purposes for which your Personal Data were collected or otherwise processed; o our processing of your Personal Data is based on your consent, you have subsequently withdrawn that consent and there is no other legal ground we can use to process your Personal Data; o the Personal Data have been unlawfully processed; and o the erasure is required for compliance with a law to which we are subject.

• Right to Data Portability: you have the right to receive your Personal Data in a format that can be transferred. We will normally supply Personal Data in the form of e-mails or other mainstream software files. If you want to receive your Personal Data which you have provided to us in a structured, commonly used and machine-readable format, please contact us via the details in this Notice.

• Right to object: you have the right to object to the processing of your Personal Data where one of the following grounds apply: o the processing is based on legitimate interests or the performance of a task in the public interest; o the processing is for direct marketing; or o the processing is for the purposes of scientific/ historical research and statistics.

You can find out more about the way these rights work from the website of the Information Commissioner's Office (ICO).

  1. Controlling your information If at any time you wish to stop receiving information from us please contact us and we will update our records accordingly. If you no longer with to receive communications from us you can:

• send your request using the contact us form. • send an email to info@hertsforlearning.co.uk identifying yourself and asking that we remove you from our contact lists.

If you believe that any information we hold about you is incorrect or incomplete then please write to or email us as soon as possible and we will promptly correct any information found to be incorrect.

To change or modify information previously provided, you can: • send an email to info@hertsforlearning.co.uk clearly identifying yourself and asking that we correct or update our database. • or write to us at: FOI / Data Protection team Herts for Learning Ltd Robertson House Six Hills Way Stevenage SG1 2FQ

  1. Copies of your information (Requesting your Data) You are entitled request details of Personal Data that we hold about you. You are entitled to access that Personal Data and the following information (unless an exception applies:

• a copy of the Personal Data we hold concerning you, provided by the Trust; • details of why we hold that Personal Data; • details of the categories of that Personal Data; • details of the envisaged period for which that Personal Data will be stored, if possible; • information as to the source of Personal Data where that Personal Data was not collected from you personally.

If you would like a copy of the information held on you please write to us at the address below or email: dp.foi@hertsforlearning.co.uk Data Protection Herts for Learning Ltd Robertson House Six Hills Way Stevenage SG1 2FQ

  1. Making a Complaint If you are unhappy with the way we have dealt with any of your concerns, you can make a complaint to the ICO, the supervisory authority for data protection issues in England and Wales. We would recommend that you complain to us in the first instance, but if you wish to contact the ICO on the details you can do so on the details below. The ICO is a wholly independent regulator established in order to enforce data protection law.

ICO Concerns website: www.ico.org.uk/concerns ICO Helpline: 0303 123 1113 ICO Email: casework@ico.org.uk

ICO Postal Address: Information Commissioner's Office Wycliffe House Water Lane Wilmslow Cheshire SK9 5AF

  1. Changes to this Notice Any changes we make to this notice in the future will be posted on our website and, where appropriate, notified to you by e-mail. Please check back frequently to see any updates or changes.

This privacy policy was last updated on 9th May 2018.