This document underpins the policies, promises and contracts we make with schools and colleges relating to the education data that Alps processes. We are committed to protecting and respecting your privacy.
Our Site Terms and Conditions provide a full explanation of how we process and protect data, as well as what we require from schools and colleges to agree to before deciding to use our service.
Who are Alps?
We are Alkemygold Limited (trading as “Alps”) a company registered in England and Wales (Company No. 04258920) with its office at Kevin Conway House, Longbow Close, Bradley, Huddersfield, HD2 1GQ (hereinafter referred to as “We”, “Us” or “Our”).
What is this policy and who does it apply to?
Privacy and security are at the heart of everything we do at Alps. This statement explains the key measures we’ve put in place to ensure that data is kept secure and processed appropriately at all times. It also covers our commitments to you, and what we expect from schools and colleges in terms of privacy and data protection.
Privacy and Data Protection Statement
Our Data Protection Principles
- Adhere strictly to the terms of the Data Protection Act 1998, the General Data Protection Regulation, and any future amendments or applicable legislation
- Process the data received from schools or colleges for the purposes of education and school improvement only, and only for those purposes necessary to provide the service explicitly offered to schools or colleges
- Collect data only for purposes that we have clearly explained to you and limited only to those purposes
- Only store and process the minimum data required to provide our services, and to inform you in advance of using any of our services what data that service requires.
- Transport and store all personal data originating from schools or colleges using modern and best practice encryption technologies. This includes Secure Socket Layers (SSL/TLS) for encrypted data transfer over the internet, encryption of all data at rest, field-level encryption for personally identifiable data and password-protected identities for all end users
- Comply with all Subject Access Requests made relating to the data we store
- Only retain data for as long as required, and delete all your data if you ask us to do so, or if your account becomes inactive for a certain period of time
- Ensure that all data is held securely by taking steps so that data is not corrupted or lost
- Ensure data is accurate and kept up to date
- Always maintain adequate liability insurance
- Maintain ISO 27001 and Cyber Essentials Security Compliance
- Audit our services against this policy every 12 months and provide evidence of compliance to the other party whenever requested
- Report any breaches of security to the data controller, the Information Commissioner’s Office (ICO) and other authorities if required by law, and, in co-operation with the data controller, to data subjects
We will not:
- Store or transport personal or sensitive data outside of the EU or outside of countries which are granted to have Adequate Levels of Protection as defined by the European Commission
- Share your data with any third parties except where we have the legal basis for doing so, or where required by law
- Use Your data for the purposes of advertising or marketing, or for any purpose other than the service explicitly provided to You, unless we have your explicit consent
- Transport personal data originating from schools or colleges in an unencrypted format
- Share information with other third parties except where specifically agreed by the Data Controller or where required by law
- Change any applicable terms of service without giving You the opportunity to opt-out of such changes
Our Legal Status
We are a “data processor” for the purposes of the current Data Protection Act 1998 and we will remain so under the General Data Protection Regulation ((EU) 2016/679) (“GDPR”) and the legislation replacing the 1998 Act whilst conducting activity such as the preparation of Reports or Analysis (as defined below) on behalf of a school or college or where passing information to other bodies (e.g. Local Authority or DfE) when requested by a school or college.
The school or college using our services (or the organisation of which it forms part) will be the “data controller” because it decides whether and when to send any information to Alps and what we should do with it as well as retaining responsibility for assessing and applying Reports and Analysis. Any questions that you may have relating to your personal information and your rights under data protection law should therefore be directed to the school or college, not to Alps.
Information we may collect from you or third parties
We collect and process the following personal information about users of the Site:
- information that you provide by registering to use certain parts of the Site. This includes information such as name, email, address, and other identification details provided at the time of registering to use the Site, subscribing to our services, posting material or requesting further services;
- records of your correspondence with us if you contact us;
- any information you provided when completing surveys that we use for statistical purposes;
- details of your visits to the Site including, but not limited to, cookies, traffic data, location data, weblogs and other communication data, whether this is required for our own billing purposes or otherwise and the resources that you access; and/or
- details about you from other sources (such as your school, Local Authority or MAT), which we will add to the information we already hold about you in order to help us provide services to our clients / customers.
Any information you upload into the Site, including pupil data, will be governed by Paragraph 11 (Uploading Data to the Site) and the Data Protection Schedule of the Site Terms and Conditions.
How we collect your information
We will collect your personal information through different methods including:
- Direct interactions with you by telephone, e-mail, phone or otherwise;
- Through the service we provide to you;
- Automated technologies or interactions. As you interact with our website, we may automatically collect technical information about your equipment, browsing actions and patterns. We collect this personal information by using cookies, server logs and other similar technologies.
How we use your personal information
We will only use your personal information when the law allows us to. Most commonly, we will use your personal information in the following circumstances:
- Where we need to perform a contract we are about to enter into or have entered into with you;
- Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests; or
- Where we need to comply with a legal or regulatory obligation.
Our marketing communications
Generally, we do not rely on consent as a legal basis for processing your personal information other than in relation to sending direct marketing communications to you via email or text message. You have the right to withdraw consent to such marketing at any time.
Why we collect your personal information
We collect information about you for the following purposes:
- to ensure that content from the Site is presented in the most effective manner for you and for your computers;
- where you agree, provide you with information, products or services that you request from us or which we feel may interest you;
- to carry out our obligations arising from any contracts, if applicable, entered into between us and you;
- to allow you to participate in interactive features of our service, when you choose to do so;
- to notify you about changes to our service or Site, which may affect you; and
- to operate and improve the Site.
Any use of the information you load into our myAlps or Connect web applications is bound by our Site Terms and Conditions
We will only use your personal information for the purposes for which we collect it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
Sharing your personal information
Where we are acting as a data processor we will only disclose information to third parties under the following circumstances:
- if we or a substantial part or all of our assets are acquired by a third party; and/or
- if we have been legitimately asked to provide information for legal or regulatory purposes or as part of legal proceedings or prospective legal proceedings, or to protect the rights, property, or safety of us, our users or others.
Third Parties we might share your personal information with
Where we are acting in our capacity as data controller we may share your personal information with third parties where required by law, where it is necessary to administer the working relationship with you or where we have another legitimate interest in doing so. Third party providers we may share your information with include:
- Our accountants;
- Local Authorities;
- Google analytics;
How we store your personal information
We have adopted the technical and organisational measures necessary to ensure the security of the personal information we collect, use and maintain, and prevent their alteration, loss, unauthorised processing or access, having regard to the state of the art, the nature of the data stored and the risks to which they are exposed by virtue of human action or physical or natural environment. The stringent security practices have been validated by our ISO27001 accreditation.
However, as effective as our security measures are, no security system is impenetrable. We cannot guarantee the security of any of our data.
Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our Site; any transmission is at your own risk. Once we have received your information, we will use procedures and security features to try to prevent unauthorised access.
Where we have given you (or where you have chosen) a password which enables you to access certain parts of our Site, you are responsible for keeping this password confidential. We ask you not to share your password with anyone.
We will only retain your personal information for as long as is necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting or reporting requirements.
To determine the appropriate retention period for personal information, we consider: the amount, nature and sensitivity of the personal information, the potential risk of harm from unauthorised use or disclosure of your personal information, the purposes for which we process your personal information and whether we can achieve those purposes through any other means, and the applicable legal requirements.
Details of retention periods for different aspects of personal information:
- Personal information will be deleted automatically after 5 years (Wales and Northern Ireland) or 4 years (England). This is how long the data is needed for continued services, the additional retention for Wales is due to the additional progression data contained in Wales.
- Personal information will be deleted within 28 days of a confirmed request for deletion from the school, college or termination of a contract
- Personal information will be deleted within 28 days if a school or college does not confirm a contract renewal within 3 months of the start of the academic year which shall be deemed to be 1 September each year.
- Anonymised data will be held for 6 academic years and automatically deleted afterwards.
Right to request a copy of your information
You can request a copy of your information which we hold (this is known as a subject access request).
Right to correct any mistakes in your information
You can require us to correct any incomplete or inaccurate information.
Right to request erasure of your personal information
This enables you to ask us to delete or remove personal information where there is no good reason for us to continue to process it.
Right to object to processing
You have the right to object to processing where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground.
You can ask us to stop contacting you for direct marketing purposes. If you would like to do this, please:
Right to request the restriction of processing
You have the right to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it.
Right to request the transfer of your personal information to another party
If you want to review, verify, correct or request erasure of your personal information, object to the processing of your personal information, or request that we transfer a copy of your personal information to another party, please contact us using the contact details below. Please note, there are some specific circumstances where these rights do not apply and we can refuse to deal with your request.
We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.
You will not have to pay a fee to access your personal information (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.
There may be circumstances where we will refer your request to the school or college as a data controller and therefore the party responsible for the processing of personal information.
General Website Information
Linking and Framing
We may link to and embed content from a variety of other websites. We are not responsible for the content or privacy policies of these sites, nor for the way in which information about their users is treated. In particular, unless expressly stated, we are not agents for these sites, nor are we authorised to make representations on their behalf.
We take any complaints we receive about the collection and use of personal information very seriously. We would encourage you to bring it to our attention if you think that our collection or use of information is unfair, misleading or inappropriate. You can make a complaint at any time by contacting us (see contact details section below).
If you think our collection or use of personal information is unfair, misleading or inappropriate or if you have concerns about the security of your personal information, you also have the right to make a complaint to the Information Commissioner’s Office. You can contact the Information Commissioner’s Office at the following address: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
How to contact us
If you have any questions or grievances in relation to security or privacy, please email us at firstname.lastname@example.org
Or contact Mary Ahern, Chief Executive Officer, Alkemygold Limited, Kevin Conway House, Longbow Close, Bradley, Huddersfield, HD2 1GQ.