GDPR Compliance

GDPR Compliance Statement for Schools and Colleges

Alps was developed to support schools and colleges, and groups of schools, to drive improvement through good use of data. Protecting the sensitive data schools and colleges choose to send to us is a top priority.

At Alps we have now updated our systems and terms and conditions in line with the General Data Protection Regulation (“GDPR”) to ensure that we can carry on supporting schools and colleges.

We will keep you informed of any updates to our data protection documents or systems, if the Government guidance on how to apply GDPR, which is still being developed, requires us to change these further.

Alps Terms and Conditions – Updates

In the following paragraphs “You” means any school or college or other educational body to whom we provide analytical services and “Alps” or “we” means Alps.

Alps’ services under GDPR

As was the case under the Data Protection Act 1998, under GDPR, Alps continues to be a “data processor” in carrying out our services that have been requested by you. You will be the “data controller” as you decide whether to send us data and instruct Alps as to what we will do with it. Our terms and conditions reflect this.

Alps Terms and Conditions – the GDPR Processing Agreement

As a data controller you are required under the GDPR to have a written contract with us which fulfils certain requirements set out in the GDPR.

Our Terms and Conditions have been updated to reflect these requirements and now also serve as a GDPR processing agreement. The necessary elements that are covered include:

  • Alps will only use your data in accordance with your documented instructions;
  • Confidentiality;
  • Data security;
  • Assisting the controller with any exercise by individuals of their rights under GDPR; and
  • Returning or deleting data at the end of the services.

These elements are mainly included in the Data Processing Schedule.

How will Alps’ services work under GDPR?

We are a ‘data processor’ for the purposes of the GDPR whilst conducting activity such as the preparation of reports or analysis on behalf of a school or college or where passing on information to other bodies (e.g. Local Authority or DfE) when requested by a school or college.

The school or college using our services will be the ‘data controller’ because it decides whether and when to send any information to Alps and what we should do with it.

Please see our Privacy Policy which sets out how we deal with data collected to enable us to provide our services, and expands on some of the statements set out here.

On what basis can a school or college work with us under GDPR?

A school or college, as a data controller, should only process personal data if it can do so for one of the reasons allowed in the GDPR.  Which lawful basis for processing applies depends on the circumstances.

Maintained Schools, Colleges and Academies can be considered together as public bodies.  These schools and colleges can seek to rely on the “public interest” reason allowed.  Using Alps services for the purpose of providing state-funded education and school improvement is in the public interest because it is a way of fulfilling obligations that schools and colleges have.

Private Schools or Colleges can rely on the “legitimate interests” instead of the “public interest” reason because using Alps services is a way of running their businesses.  This could also apply to any fee-paying elements of colleges. Some Alps services could also fall under the “performance of a contract with the data subject” reason because we assist you in doing something you are required to do by such an agreement.

Either type of school or college could rely on “consent” in some cases. The GDPR sets a high standard for consent: consent requires a positive opt-in, must be explicit and can be withdrawn at any time. In line with ICO guidance, if consent is difficult, schools and colleges are recommended to consider other lawful bases under the GDPR before considering “consent”, for example where dealing with information under the other lawful bases is practically more achievable and reliable.

 

On what basis can a school or college share ‘special categories’ of information with Alps?

Special category data is personal data which the GDPR says is more sensitive, and so needs more protection, for example ethnicity data. In order to lawfully process special category data, you must identify both a lawful basis and a separate condition. Potential conditions for schools or colleges to share this type of information with Alps are:

  • Necessary for compliance with social protection law (such as the Equality Act and Public Sector Equality Duty);
  • Necessary for compliance with a task carried out in the public interest (such as school census returns or other reporting requirements as well as administration of a maintained school or college); or
  • Explicit consent (note the same ICO guidance about using other bases before using “consent” also applies here).

 

Terms and Conditions

A school or college, as a data controller, will be required from 25 May 2018 to have a written contract with us which fulfils certain requirements set out in the GDPR.  The contract must cover a list of elements including:

  • Only allowing use of the data within the controller’s documented instructions;
  • Confidentiality;
  • Data security;
  • Assisting the controller with any exercise by individuals of their rights under GDPR; and
  • Returning or deleting data at the end of the services.

Our Site terms and conditions comply as a GDPR processing agreement by including all the necessary elements.

Each school and college will need to agree to our new terms and conditions in order for us to process their data, and for us to provide our products and services to them.


How is information provided to us by schools or colleges stored?

Secure storage of data is important under the current law and will remain so under GDPR. Alps processes data provided by its clients both on its own systems and on systems provided by third-party infrastructure providers. We apply stringent security practices to our data systems, validated by our ISO27001 accreditation.

Alps stores all data within the EU and ensures that all data it processes is encrypted in transit.


How long will we keep information provided to us by schools and colleges?

As with the current DPA, the GDPR requires information to be kept and used for no longer than is needed for the purpose for which it was received in the first place. We will deal with information sent to us by schools and colleges in this way:

  • personal data will be deleted automatically after 5 years (Wales and Northern Ireland) or 4 years (England) – this is how long the data is needed for continued services, as we show four-year trends in our analysis and additional progression data in Wales;
  • personal data will be deleted within 28 days of a confirmed request for deletion from the school or college or termination of a contract;
  • personal data will be deleted within 28 days if a school or college does not confirm a contract renewal within 3 months of the start of the academic year, which shall be deemed to be 1 September each year; and
  • anonymised data will be held for 5 academic years and automatically deleted afterwards.

 

Information shared with third parties

We will only share your data with third parties (such as your local authority or other body acting on your behalf) where we have your explicit agreement and instruction to do so. Our terms and conditions have been updated to clarify this.

There are circumstances in which we share statistics with third parties such as the DfE or local authorities for data analysis purposes.  In these circumstances all data is properly anonymised and falls outside the definition of “personal data” and so is outside the remit of the current DPA and the GDPR.  Similarly, our Directories of Curriculum Excellence are also prepared using anonymised statistics and fall outside the remit of the current DPA and the GDPR.

 

Local Authorities

If you are part of a LA/Group contract, we will require you to explicitly agree as part of the upload process to authorise Alps to facilitate the sharing of your data with the local authority or group. Our updated terms and conditions set out how each party (the school/college, Alps and the LA/Group) should use the data that is shared, in accordance with the GDPR.

You will need to ensure that the appropriate staff members within your organisation are set up as Alps Connect Administrators who can authorise the sharing of data as part of your instruction on upload to us, if required.

Alps will also send an automated email to a specified contact of your choice which will confirm what data use and data sharing has been requested by you.

Our new Alps Connect Data system will have a portal available which will list what data use and data sharing has been requested by you, which can be amended at any time, to give you control of this.

 

Directories of Curricular Excellence (“Directory”)

We provide Directories of Curricular Excellence for Regional School Commissioners and groups of schools and colleges across the RSC regions in England. Schools and colleges who are included in these Directories also receive a copy of the Directory for their region. The purpose of the Directory is to enable the sharing of best practice. Data is only included in accordance with agreed criteria, and only for high-performing providers and subjects. The data does not go to individual student level.

As the Directory of Curricular Excellence does not include student level analysis and is based on anonymised data, there is no personally identifiable information included within it, so it does not fall under GDPR.

Although the data does not fall under GDPR, we will still explicitly ask for your agreement to be included in a Directory. When you instruct us to process reports or analysis for you, you will have the option of unticking a box that permits your data to be included in a Directory. Your data will only be included in a Directory if you have agreed to this use by not unticking the box and if a Directory for your region is commissioned by the relevant RSC and school/college bodies. Not all regions will have a commissioned Directory. You can opt out and choose not to be included in, or receive a copy of, the Directory simply by unticking the relevant box on the Connect Data area of Alps Connect.

We will keep you informed of the updates that we are making. If you have any queries in the meantime, please contact us on 01484 887 600 or email us at [email protected] or visit our website at www.alps.education.

Please be aware that this statement is not intended to be formal legal advice. We recommend that you seek your own expert advice wherever relevant.