This document underpins the policies, promises and contracts we make with schools and colleges relating to the education data that Alps processes. We are committed to protecting and respecting your privacy.
Our Site Terms and Conditions provide a full explanation of how we process and protect data, as well as what we require schools and colleges to agree to before deciding to use our service.
Who are Alps?
We are Alkemygold Limited (trading as “Alps”), a company registered in England and Wales (Company No. 04258920) with its office at Kevin Conway House, Longbow Close, Bradley, Huddersfield, HD2 1GQ (hereinafter referred to as “We”, “Us” or “Our”).
What is this policy and who does it apply to?
Privacy and security are at the heart of everything we do at Alps. This statement explains the key measures we’ve put in place to ensure that data is kept secure and processed appropriately at all times. It also covers our commitments to you, and what we expect from schools and colleges in terms of privacy and data protection.
Our Legal Status
Alps may be either a data controller or a data processor, depending on the circumstances.
We are a “data processor” for the purposes of the Data Protection Act 2018 and the General Data Protection Regulation ((EU) 2016/679) (“GDPR”) whilst conducting activities such as the preparation of Reports or Analysis (as defined below) on behalf of a school, college or local authority, or when passing information to other bodies (e.g. Local Authority or DfE) when requested to do so by a school or college.
The school or college using our services (or the organisation of which it forms part) will be the “data controller” because it decides whether and when to send any information to Alps and what we should do with it as well as retaining responsibility for assessing and applying Reports and Analysis. Any questions that you may have relating to your personal information and your rights under data protection law should therefore be directed to the school or college, not to Alps.
Privacy and Data Protection Statement
Our Data Protection Principles
- Adhere strictly to the terms of the Data Protection Act 2018, the General Data Protection Regulation, and any future amendments or applicable legislation
- Process the data received from schools or colleges for the purposes of education and school improvement only, and only for those purposes necessary to provide the service explicitly offered to schools or colleges
- Collect data only for purposes that we have clearly explained to you and limited only to those purposes
- Only store and process the minimum data required to provide our services, and inform you in advance of using any of our services what data that service requires
- Transport and store all personal data originating from schools or colleges using modern and best practice encryption technologies. This includes Secure Sockets Layer (SSL/TLS) for encrypted data transfer over the internet, encryption of all data at rest, field-level encryption for personally identifiable data and password-protected identities for all end users
- Report all requests made by individuals under data protection legislation including Subject Access Requests relating to the data we store to the data controller, or where we are the data controller, comply with all requests made by individuals under data protection legislation.
- Only retain data for as long as required, and delete all your data if you ask us to do so, or if your account becomes inactive for a certain period of time
- Ensure that all data is held securely by taking steps so that data is not corrupted or lost
- Ensure data is accurate and kept up to date
- Always maintain adequate liability insurance
- Maintain ISO 27001 and Cyber Essentials Security Compliance
- Audit our services against this policy every 12 months and provide evidence of compliance to the other party whenever requested
- Report any breaches of security to the data controller, the Information Commissioner’s Office (ICO) and other authorities if required by law, and, in co-operation with the data controller, to data subjects
We will not:
- Store or transport personal data outside of the UK, the EU or countries which are deemed to have Adequate Levels of Protection as defined by the European Commission
- Share your data with any third parties except where we have the legal basis for doing so, or where required by law
- Use your data for the purposes of advertising or marketing, or for any purpose other than the service explicitly provided to you, unless we have your explicit consent
- Transport personal data originating from schools or colleges in an unencrypted format
- Share information with other third parties except where specifically agreed by the Data Controller or where required by law
- Change any applicable terms of service without giving you the opportunity to opt-out of such changes
Information we may collect
In our capacity as data controller, we collect and process the following personal information about users of the Site:
- information that you provide by registering to use certain parts of the Site. This includes information such as name, email, address, and other identification details provided at the time of registering to use the Site, subscribing to our services, payment details, posting material or requesting further services;
- records of your correspondence with us if you contact us;
- any information you provided when completing surveys that we use for statistical purposes;
- details of your visits to the Site including, but not limited to, cookies, traffic data, location data, weblogs and other communication data, whether this is required for our own billing purposes or otherwise and the resources that you access; and/or
- details about you from other sources (such as your school, local authority or MAT), which we will add to the information we already hold about you in order to help us provide services to our clients / customers.
In our capacity as a data processor, we collect and process any information uploaded into the Site, including pupil data, which is governed by Paragraph 11 (Uploading Data to the Site) and the Data Protection Schedule of the Site Terms and Conditions.
How we collect information
We will collect personal information through different methods including:
- Direct interactions with you by telephone, e-mail or otherwise;
- Through the service we provide to you;
- Automated technologies or interactions. As you interact with our website, we may automatically collect technical information about your equipment, browsing actions and patterns. We collect this personal information by using cookies, server logs and other similar technologies.
How we use personal information
We will only use personal information when the law allows us to. Most commonly, we will use personal information in the following circumstances:
- Where we need to perform a contract we are about to enter into or have entered into with you;
- Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests; or
- Where we need to comply with a legal or regulatory obligation.
Our marketing communications
In our capacity as data controller, we may use the personal information of users of the Site to contact you to inform you about services and/or events we believe might be of interest to you via email or text message (we call this marketing communications). Users of the Site who have signed up to our services may receive marketing communications from us unless you have opted out or unsubscribed from receiving that marketing.
You can ask us to stop sending you marketing communications at any time by following the unsubscribe links on any marketing communications sent to you or by contacting us.
Where you opt out of receiving these marketing communications, this will not apply to personal information provided to us as a result of the purchase of our services and we will still be required to contact you in relation to the services we provide.
Why we collect personal information
In our capacity as data controller, we collect personal information for the following purposes:
- to ensure that content from the Site is presented in the most effective manner for you and for your computers;
- where you agree, provide you with information, products or services that you request from us or which we feel may interest you;
- to carry out our obligations arising from any contracts, if applicable, entered into between us and you;
- to allow you to participate in interactive features of our service, when you choose to do so;
- to notify you about changes to our service or Site, which may affect you; and
- to operate and improve the Site.
Any use of the information you load into our myAlps or Connect web applications is bound by our Site Terms and Conditions.
We will only use personal information for the purposes for which we collect it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use personal information for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
Sharing personal information
Where we are acting in our capacity as data controller, we may share personal information with third parties where required by law, where it is necessary to administer the working relationship with you or where we have another legitimate interest in doing so. Third party providers we may share your information with include:
- Our accountants;
- Local Authorities or Multi-Academy Trusts;
- Google Analytics.
Where we are acting as a data processor (e.g. when preparing reports and analysis for schools), we will only disclose information to third parties under the following circumstances:
- if we or a substantial part or all of our assets are acquired by a third party; and/or
- if we have been legitimately asked to provide information for legal or regulatory purposes or as part of legal proceedings or prospective legal proceedings, or to protect the rights, property, or safety of us, our users or others.
- where you have expressly consented to us doing so, we may share information with other entities such as Local Authorities or Multi-Academy Trusts
We require all third parties to respect the security of personal information and to treat it in accordance with the law. We do not allow any third party service provider to use personal information for their own purposes and only permit them to process personal information for specified purposes and in accordance with our instructions. Our Site Terms and Conditions set out our obligations in relation to employing any third party service provider.
How we store personal information
We have adopted the technical and organisational measures necessary to ensure the security of the personal information we collect, use and maintain, and prevent their alteration, loss, unauthorised processing or access, having regard to the state of the art, the nature of the data stored and the risks to which they are exposed by virtue of human action or physical or natural environment. The stringent security practices have been validated by our ISO27001 accreditation.
However, as effective as our security measures are, no security system is impenetrable. We cannot guarantee the security of any of our data.
Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect personal data, we cannot guarantee the security of data transmitted to our Site; any transmission is at your own risk. Once we have received your information, we will use procedures and security features to try to prevent unauthorised access.
Where we have given you (or where you have chosen) a password which enables you to access certain parts of our Site, you are responsible for keeping this password confidential. We ask you not to share your password with anyone.
International Data Transfers
Whenever we transfer personal data out of the UK or EEA, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:
- We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission or the UK government;
- We may use specific contracts approved by the European Commission and the UK government which give personal data the same protection it has in Europe; or
- In certain circumstances, we may rely on exceptions set out in the GDPR to make an international data transfer (such as where the transfer is necessary for the performance of a contract or where it is for our compelling legitimate interests).
Please contact us by emailing firstname.lastname@example.org if you want further information on the specific mechanism used by us when transferring your personal data out of the UK or the EEA.
We will only retain your personal information for as long as is necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting or reporting requirements.
To determine the appropriate retention period for personal information, we consider: the amount, nature and sensitivity of the personal information, the potential risk of harm from unauthorised use or disclosure of your personal information, the purposes for which we process your personal information and whether we can achieve those purposes through any other means, and the applicable legal requirements.
Details of retention periods for different aspects of personal information:
- Analysis from personal data will be deleted automatically after 8 years. Our online service will keep a record of your analysis for 8 years and our analysis tables show four-year trends.
- Personal information will be deleted within 28 days of a confirmed request for deletion from the school, college or termination of a contract.
- Personal information will be deleted within 28 days if a school or college does not confirm a contract renewal within 1 year and 6 months of the start of the academic year which shall be deemed to be 1 September each year.
- Anonymised or de-identified data will be held for 6 academic years and automatically deleted afterwards.
Alps may be either a data controller or a data processor, depending on the circumstances (see “Legal Status” above for further details). Where we are processing personal information on behalf of a school or college (e.g. to prepare reports or analysis), Alps is a data processor as we are simply providing a service for a school or college. Alps does not decide what information is provided to us nor are we responsible for the accuracy of the information provided. Any questions that you may have relating to your personal information and your rights under data protection legislation should be directed to the school or college as the data controller, not Alps.
Where Alps is a data controller (e.g. registration of customers or for our own employees), the following rights may apply:
Right to request a copy of your information
You can request a copy of your information which we hold (this is known as a subject access request).
Right to correct any mistakes in your information
You can require us to correct any incomplete or inaccurate information.
Right to request erasure of your personal information
This enables you to ask us to delete or remove personal information where there is no good reason for us to continue to process it.
Right to object to processing
You have the right to object to processing where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground.
You can ask us to stop contacting you for direct marketing purposes. If you would like to do this, please email us at email@example.com or contact us using the details below.
Right to request the restriction of processing
You have the right to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it.
Right to request the transfer of your personal information to another party
If you want to review, verify, correct or request erasure of your personal information, object to the processing of your personal information, or request that we transfer a copy of your personal information to another party, please contact us using the contact details below.
Please note, there are some specific circumstances where these rights do not apply and we can refuse to deal with your request.
We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.
You will not have to pay a fee to access your personal information (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.
There may be circumstances where we will refer your request to the school or college as a data controller and therefore the party responsible for the processing of personal information.
General Website Information
Linking and Framing
We may link to and embed content from a variety of other websites. We are not responsible for the content or privacy policies of these sites, nor for the way in which information about their users is treated. In particular, unless expressly stated, we are not agents for these sites, nor are we authorised to make representations on their behalf.
We take any complaints we receive about the collection and use of personal information very seriously. We would encourage you to bring it to our attention if you think that our collection or use of information is unfair, misleading or inappropriate. You can make a complaint at any time by contacting us (see contact details section below).
If you think our collection or use of personal information is unfair, misleading or inappropriate or if you have concerns about the security of your personal information, you also have the right to make a complaint to the Information Commissioner’s Office. You can contact the Information Commissioner’s Office at the following address: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
How to contact us
If you have any questions or grievances in relation to security or privacy, please email us at firstname.lastname@example.org
Or contact Mary Ahern, Chief Executive Officer, Alkemygold Limited, Kevin Conway House, Longbow Close, Bradley, Huddersfield, HD2 1GQ.