GDPR Compliance
Alps GDPR Compliance Statement for Schools and Colleges
Alps was developed to support schools and colleges, and groups of schools, to drive improvement through good use of data. Protecting the sensitive data schools and colleges choose to send to us is a top priority.
At Alps we updated our systems and terms and conditions in line with the UK General Data Protection Regulation (“UK GDPR”) to ensure that we could carry on supporting schools, colleges and Groups.
Our data protection compliance is continuous and is regularly reviewed. We will keep you informed of any updates to our data protection documents or systems, if the Government guidance on how to apply the UK GDPR, which is regularly reviewed, or case law requires us to change these further.
Alps Terms and Conditions – UPDATES
In the following paragraphs “you” means the school, college or other educational body to whom we provide analytical services and “Alps” or “we” means Alps.
Alps’ services under GDPR
The UK GDPR and the Data Protection Act 2018 make a distinction between “data controllers” and “data processors”. Alps will be a “data processor” in carrying out our services that have been requested by You. You will be the “data controller” as you decide whether to send us data, what data to send us and instruct Alps as to what we will do with it. Our terms and conditions reflect this.
Alps Terms and Conditions – the GDPR Data Processing Agreement
As a data controller you are required under the UK GDPR to have a written contract with us, as a data processor, which fulfils certain requirements set out in the GDPR.
Our Terms and Conditions reflect these requirements and also serve as a GDPR data processing agreement. The necessary elements that are covered include:
- Alps will only use your data in accordance with your documented instructions;
- Confidentiality;
- Data security;
- Assisting the controller with any exercise by individuals of their rights under GDPR; and
- Returning or deleting data at the end of the services.
These provisions are mainly included in the Data Processing Schedule.
How do Alps’ services work under GDPR?
We are a ‘data processor’ for the purposes of the UK GDPR whilst conducting activity such as the preparation of reports or analysis on behalf of a school, college or Group where passing on information to other bodies (e.g. Local Authority or DfE) when requested by a school or college.
The school, college or Group using our services will be the ‘data controller’ because it decides whether and when to send any information to Alps and what we should do with it.
Please see our Privacy Policy which sets out how we deal with data collected to enable us to provide our services, and expands on some of the statements set out here.
On what basis can a school or college work with us under GDPR?
A school or college, as a data controller, should only process personal data if it can do so for one of the reasons allowed in the UK GDPR. Which lawful basis for processing applies depends on the circumstances.
Maintained Schools, Colleges and Academies are public authorities. These schools and colleges can seek to rely on the “public interest” reason allowed. Using Alps services for the purpose of providing state-funded education and school improvement is in the public interest because it is a way of fulfilling obligations that schools and colleges have.
Private Schools or Colleges can rely on the “legitimate interests” instead of the “public interest” reason because using Alps’ services is a way of running their businesses. This could also apply to any fee-paying elements of colleges. Some Alps services could also fall under the “performance of a contract with the data subject” reason because we assist you in doing something you are required to do by such an agreement.
Either type of school or college could rely on “consent” in some cases. The UK GDPR sets a high standard for consent: consent requires a positive opt-in, must be explicit and can be withdrawn at any time. In line with ICO guidance, if consent is difficult, schools and colleges are recommended to consider other lawful bases under the GDPR before considering “consent”, for example where dealing with information under the other lawful bases is practically more achievable and reliable.
On what basis can a school or college share ‘special categories’ of information with Alps?
Special category data is personal data which the UK GDPR says is more sensitive, and so needs more protection, for example ethnicity data. In order to lawfully process special category data, you must identify both a lawful basis and a separate condition. Potential conditions for schools or colleges to share this type of information with Alps are:
- Necessary for compliance with social protection law (such as the Equality Act and Public Sector Equality Duty);
- Necessary for compliance with a task carried out in the public interest (such as school census returns, equal opportunities monitoring, or other reporting requirements as well as administration of a maintained school or college); or
- Explicit consent (note the same ICO guidance about using other bases before using “consent” also applies here).
Terms and Conditions
A school or college, as a data controller, is required to have a written contract with us which fulfils certain requirements set out in the UK GDPR. The contract must cover a list of elements including:
- Only allowing use of the data within the controller’s documented instructions;
- Confidentiality;
- Data security;
- Assisting the controller with any exercise by individuals of their rights under GDPR; and
- Returning or deleting data at the end of the services.
Our Site Terms and Conditions comply as a GDPR data processing agreement by including all the necessary elements.
Each school and college will need to agree to our terms and conditions in order for us to process their data, and for us to provide our products and services to them.
How is information provided to us by schools or colleges stored?
Secure storage of data is important under the current law and will remain so under the UK GDPR. Alps processes data provided by its clients both on its own systems and on systems provided by third-party infrastructure providers. We apply stringent security practices to our data systems, validated by our ISO27001 accreditation.
Alps stores all data within the EU and ensures that all data it processes is encrypted in transit.
Information from international schools and colleges (based in the EEA)
Alps stores all data within the UK or the EEA. Where a school or college is based outside of the UK but within the EEA, the transfer of pupil data to us will be an “international data transfer” for the purposes of the GDPR.
Both the UK government and the European Commission have agreed that adequacy regulations are in place for transfers in both directions between the UK and the EEA. This means that there are appropriate safeguards in place to protect personal information and no additional contractual requirements are required.
How long will we keep information provided to us by schools and colleges?
The UK GDPR requires information to be kept and used for no longer than is needed for the purpose for which it was received in the first place. We will deal with information sent to us by schools and colleges in this way:
- Analysis from personal data as provided by you will be deleted automatically after 8 years. Our online service will keep a record of your analysis for 8 years and our analysis tables show four-year trends;
- Personal data will be deleted within 28 days of a confirmed request for deletion from the school or college;
- Personal data will be deleted within 28 days if a school or college does not confirm a contract renewal within one year and six months of the start of the academic year, which shall be deemed to be 1 September each year;
- Anonymised or de-identified data will be held for 6 academic years and automatically deleted afterwards.
Information shared with third parties
We will only share your data with third parties (such as your local authority or other body acting on your behalf) where we have your explicit agreement and instruction to do so. Our terms and conditions clarify this.
There are circumstances in which we share statistics with third parties such as the DfE or local authorities for data analysis purposes. In these circumstances all data is properly anonymised and falls outside the definition of “personal data” and so is outside the remit of the DPA and the GDPR. Similarly, our Directories of Curriculum Excellence are also prepared using anonymised statistics and fall outside the remit of the DPA and the GDPR.
Local Authorities
If you are part of a LA/Group contract, we will require you to explicitly agree as part of the upload process to authorise Alps to facilitate the sharing of your data with the local authority or group. Our terms and conditions set out how each party (the school/college, Alps and the LA/Group) should use the data that is shared, in accordance with the UK GDPR.
You will need to ensure that the appropriate staff members within your organisation are set up as Alps Connect Administrators who can authorise the sharing of data as part of your instruction on upload to us, if required.
Alps will also send an automated email to a specified contact of your choice which will confirm what data use and data sharing has been requested by you.
Alps Connect has an area available which will list what data use and data sharing has been requested by you, which can be amended at any time, to give you control of this.
Directories of Curricular Excellence (“Directory”)
We provide Directories of Curricular Excellence for Regional School Commissioners and groups of schools and colleges across the RSC regions in England. Schools and colleges who are included in these Directories also receive a copy of the Directory for their region. The purpose of the Directory is to enable the sharing of best practice. Data is only included in accordance with agreed criteria, and only for high performing providers and subjects. The data does not go to individual student level.
As the Directory of Curricular Excellence does not include student level analysis and is based on anonymised data there is no personal identifiable information included within it so it does not fall under the UK GDPR.
Although the data does not fall under GDPR, we will still explicitly ask for your agreement to be included in a Directory. When you instruct us to process reports or analysis for you, you will have the option of unticking a box that permits your data to be included in a Directory. Your data will only be included in a Directory if you have agreed to this use by not unticking the box and if a Directory for your region is commissioned by the relevant RSC and school/college bodies. Not all regions will have a commissioned Directory. You can opt out and choose neither to be included in nor to receive a copy of the Directory simply by unticking the relevant box on the Connect Data area of Alps Connect.
We will keep you informed on the updates that we are making. If you have any queries in the meantime please contact us on 01484 887 600 or email us at [email protected] or visit our website at www.alps.education
June 2024