GDPR Compliance

GDPR Compliance Statement for Schools and Colleges

 

Alps was developed to support schools, colleges and groups of schools in driving improvement through good use of data. Protecting the sensitive data schools and colleges choose to send to us is a top priority.

At Alps we ensure our systems and terms and conditions are in line with the General Data Protection Regulation (“GDPR”) to support schools, colleges and Groups.

Our data protection compliance is continuous and is regularly reviewed. We will keep you informed of any updates to our data protection documents or systems if Government guidance on how to apply GDPR (which is regularly reviewed) or case law requires us to change these further.

 

Alps Terms and Conditions

In the following paragraphs “you” means the school, college or other educational body to whom we provide analytical services and “Alps” or “we” means Alps.

Alps’ services under GDPR

The GDPR and the Data Protection Act 2018 make a distinction between “data controllers” and “data processors”. Alps will be a “data processor” in carrying out the services that you have requested. You will be the “data controller” because you decide whether to send us data and what data to send us, and you instruct Alps as to what we will do with it. Our terms and conditions reflect this.

Alps Terms and Conditions – the GDPR Data Processing Agreement

As a data controller you are required under the GDPR to have a written contract with us, as a data processor, which fulfils certain requirements set out in the GDPR.

Our Terms and Conditions reflect these requirements and also serve as a GDPR data processing agreement. The necessary elements that are covered include:

  • Alps will only use your data in accordance with your documented instructions;
  • Confidentiality;
  • Data security;
  • Assisting the controller with any exercise by individuals of their rights under GDPR; and
  • Returning or deleting data at the end of the services.

These provisions are mainly included in the Data Processing Schedule.

How do Alps’ services work under GDPR?

We are a ‘data processor’ for the purposes of the GDPR whilst conducting activity such as the preparation of reports or analysis on behalf of a school, college or Group, or passing on information to other bodies (e.g. Local Authority or DfE) when requested by a school or college.

The school, college or Group using our services will be the ‘data controller’ because it decides whether and when to send any information to Alps and what we should do with it.

Please see our Privacy Policy which sets out how we deal with data collected to enable us to provide our services, and expands on some of the statements set out here.

On what basis can a school or college work with us under GDPR?

A school or college, as a data controller, should only process personal data if it can do so for one of the reasons allowed in the GDPR. Which lawful basis for processing applies depends on the circumstances.

Maintained Schools, Colleges and Academies can be considered together as public bodies. These schools and colleges can seek to rely on the “public interest” reason allowed. Using Alps services for the purpose of providing state-funded education and school improvement is in the public interest because it is a way of fulfilling obligations that schools and colleges have.

Private Schools or Colleges can rely on the “legitimate interests” reason instead of the “public interest” reason because using Alps services is a way of running their businesses. This could also apply to any fee-paying elements of colleges. Some Alps services could also fall under the “performance of a contract with the data subject” reason because we assist you in doing something you are required to do by such an agreement.

Either type of school or college could rely on “consent” in some cases. The GDPR sets a high standard for consent: it requires a positive opt-in, must be explicit and can be withdrawn at any time. In line with ICO guidance, if consent is difficult, schools and colleges are recommended to consider other lawful bases under the GDPR before considering “consent”, for example where dealing with information under the other lawful bases is practically more achievable and reliable.

 

On what basis can a school or college share ‘special categories’ of information with Alps?

Special category data is personal data which the GDPR says is more sensitive and so needs more protection, for example ethnicity data. In order to lawfully process special category data, you must identify both a lawful basis and a separate condition. Potential conditions for schools or colleges to share this type of information with Alps are:

  • Necessary for compliance with social protection law (such as the Equality Act and Public Sector Equality Duty);
  • Necessary for compliance with a task carried out in the public interest (such as school census returns or other reporting requirements as well as administration of a maintained school or college); or
  • Explicit consent (note the same ICO guidance about using other bases before using “consent” also applies here).

 

Terms and Conditions

A school or college, as a data controller, is required to have a written contract with us which fulfils certain requirements set out in the GDPR. The contract must cover a list of elements including:

  • Only allowing use of the data within the controller’s documented instructions;
  • Confidentiality;
  • Data security;
  • Assisting the controller with any exercise by individuals of their rights under GDPR; and
  • Returning or deleting data at the end of the services.

Our Site Terms and Conditions comply as a GDPR data processing agreement by including all the necessary elements.

Each school and college will need to agree to our terms and conditions in order for us to process their data, and for us to provide our products and services to them.


How is information provided to us by schools or colleges stored?

Secure storage of data is important under the current law and will remain so under GDPR. Alps processes data provided by its clients both on its own systems and on systems provided by third-party infrastructure providers. We apply stringent security practices to our data systems, validated by our ISO27001 accreditation.

Alps stores all data within the UK or the EEA and ensures that all data it processes is encrypted in transit.

Information from international schools and colleges (based in the EEA)

Alps stores all data within the UK or the EEA. Where a school or college is based outside of the UK but within the EEA, the transfer of pupil data to us will be an “international data transfer” for the purposes of the GDPR.

The UK government is currently in negotiations with the European Commission to agree an “Adequacy Decision” which would ensure the free flow of data to and from the UK and the EEA. However, until the UK is granted an Adequacy Decision, Alps must put other measures in place to ensure the transfer of pupil data to us from international schools or colleges complies with the GDPR.

The appropriate way to do this is to adopt the standard contractual clauses issued by the European Commission for use by controllers established in the EU when transferring data to processors in countries outside the EU.

Our terms and conditions have been updated to include the European Commission’s standard contractual clauses to ensure transfers from international schools and colleges based in the EEA to Alps (based in the UK) remain compliant with the GDPR.


How long will we keep information provided to us by schools and colleges?

The GDPR requires information to be kept and used for no longer than is needed for the purpose for which it was received in the first place. We will deal with information sent to us by schools and colleges in this way:

  • Analysis from Personal Data as provided by You will be deleted automatically after 8 years. Our online service will keep a record of your analysis for 8 years and our analysis tables show four-year trends;
  • personal data will be deleted within 28 days of a confirmed request for deletion from the school or college;
  • personal data will be deleted within 28 days if a school or college does not confirm a contract renewal within one year and six months of the start of the academic year, which shall be deemed to be 1 September each year;
  • anonymised or de-identified data will be held for 6 academic years and automatically deleted afterwards.

 

Information shared with third parties

We will only share your data with third parties (such as your local authority or other body acting on your behalf) where we have your explicit agreement and instruction to do so. Our terms and conditions clarify this.

There are circumstances in which we share statistics with third parties such as the DfE or local authorities for data analysis purposes. In these circumstances all data is properly anonymised, falls outside the definition of “personal data” and so is outside the remit of the DPA and the GDPR. Similarly, our Directories of Curriculum Excellence are also prepared using anonymised statistics and fall outside the remit of the DPA and the GDPR.

Local Authorities

If you are part of a LA/Group contract, we will require you to explicitly agree as part of the upload process to authorise Alps to facilitate the sharing of your data with the local authority or group. Our terms and conditions set out how each party (the school/college, Alps and the LA/Group) should use the data that is shared, in accordance with the GDPR.

You will need to ensure that the appropriate staff members within your organisation are set up as Alps Connect Administrators who can authorise the sharing of data as part of your instruction on upload to us, if required.

Alps will also send an automated email to a specified contact of your choice which will confirm what data use and data sharing has been requested by you.

Alps Connect has an area available which will list what data use and data sharing has been requested by you, which can be amended at any time, to give you control of this.

Directories of Curricular Excellence (“Directory”)

We provide Directories of Curricular Excellence for Regional School Commissioners and groups of schools and colleges across the RSC regions in England. Schools and colleges who are included in these Directories also receive a copy of the Directory for their region. The purpose of the Directory is to enable the sharing of best practice. Data is only included in accordance with agreed criteria, and only for high performing providers and subjects. The data does not go to individual student level.

As the Directory of Curricular Excellence does not include student level analysis and is based on anonymised data, there is no personally identifiable information included within it, so it does not fall under GDPR.

Although the data does not fall under GDPR, we will still explicitly ask for your agreement to be included in a Directory. When you instruct us to process reports or analysis for you, you will have the option of unticking a box that permits your data to be included in a Directory. Your data will only be included in a Directory if you have agreed to this use by not unticking the box and if a Directory for your region is commissioned by the relevant RSC and school/college bodies. Not all regions will have a commissioned Directory. You can opt out and choose not to be included in, or receive a copy of, the Directory simply by unticking the relevant box on the Connect Data area of Alps Connect.

 

We will keep you informed of the updates that we are making. If you have any queries in the meantime, please contact us on 01484 887 600 or email us at [email protected] or visit our website at www.alps.education

May 2023