The GL Education Group Data Policy

Scope

The GL Education Group routinely receives both organisational and personal data in order to provide the products, services and reporting required by our customers and partners. It also receives similar data to underpin a range of research and development activity conducted for commercial and non-commercial purposes at the GL Education Group.

The Data Policy (“the Policy”) set out herein is intended to give reassurance to those providing data to the GL Education Group, by explicitly stating how such data is collected, stored and accessed via the strict industry standards on data security employed.

Furthermore, it also specifies the ethical principles on which such data is used and the length of time that it remains accessible. As such, the Policy supports GL Education Group staff as they carry out all activity, since it defines the attitudes expected of them and the strict approaches they must take when handling any data.

The Policy is an overarching policy and is provided in addition to other policies and/or statements for specific services that remain governed by the individual policies relevant to those services and the general information in this Policy is subject to those specific policies. Examples of such policies include the Privacy Policies or Cookie Policies of our Websites and systems.

Furthermore, where relevant, the GL Education Group's activity will be subject to the provisions set out in all relevant legislation such as the Data Protection Act (2018)1, the General Data Protection Regulation (EU) 2016/679 (GDPR) and any subsequent UK data protection legislation (Data Protection Legislation), the Communications Act (2003) and the requirements as stipulated by the ISO/IEC 270012 certification for information security management.

Introduction

The GL Education Group provides a rich collection of resources, including the ability to set up and administer various tests online, allow test takers to complete tests online and on paper, alongside associated marking and scoring services and to view reports on test performance and other relevant sets of data about tests and test takers (the “Service”).

The Service is provided for those using our published products as well as those who have given explicit permission to participate in any research and development the GL Education Group is undertaking, including pre-published trial activity carried out as part of the development of our products (the “Research”). The latter is governed by our research code of practice (the “Code”).

As part of the Service, organisations will choose and consent to the provision of organisational and personal information (the “Data”) through the uploading of relevant information to the GL Education Group. In doing so, the GL Education Group acknowledges that the ownership of the data remains with the administrating organisation. All requests to share data with other non-fee paying organisations will only be done on receipt of a certified permission form, for example where a school explicitly requests the GL Education Group to facilitate sharing of the school's data with other schools or organisations.

The Service may include certain communications from the GL Education Group, such as service announcements and administrative messages, and these communications are considered part of the Service subscription and it will not be possible to opt out of receiving such notifications. The GL Education Group undertakes to limit such communications as much as possible.

Data privacy

The GL Education Group cares about how organisational and personal data is used and it is appreciative of the trust placed by organisations using the Service or participating in the Research to use such Data carefully and sensibly.

Collection and use of data

The information provided by organisations helps to personalise and continually improve the Service offered. We use any organisational information provided to help administer accounts, and to continuously refine the reliability and ease of use of the Service. We also use this information to help develop new services. We use the personal information provided to process an individual test and to process reports on tests. We also use this information to improve the platform, prevent or detect fraud or abuses of our website and enable third parties to securely carry out technical, logistical or other functions on our behalf.

  • We maintain physical, electronic and procedural safeguards in connection with the collection, storage and disclosure of personally identifiable customer information. Our security procedures mean that we may occasionally request proof of identity before we disclose personal information to you.
  • It is important for you to protect against unauthorised access to your password and to your computer. You should be sure to sign off when you finish using a shared computer.
  • Organisations have access to a broad range of information about their accounts and interactions. On request, any user whose personal information we hold may request a copy of that information. In addition, on request, we will anonymise, amend or erase any personal information we hold in relation to a user. Students can typically not access their own personal details since this may include assessment results but on request a suitably qualified system Administrator (typically an administrator or teacher at their school) can access this information on their behalf.
  • Data will be accessible for the duration of the current academic year, or the past six months, whichever is longest, at which stage all data is archived from live access.
  • Archived data will be deleted at regular intervals (typically 24 months) so it will only be held for the minimum time required.

Here are the types of information gathered:

  • Information you give us: we receive and store any information you enter on our platform or give us in any other way. You can choose not to provide certain information however you may not be able to take advantage of many of our features.
  • Automatic information: we receive and store certain types of information whenever you interact with us. For example, like many websites, we use “cookies” and we obtain certain types of information when your Web browser accesses our websites. We also collect the Internet protocol (IP) address used to connect your computer to the Internet, login, e-mail address, password, computer and connection information such as browser type and version, your operating system and platform. We also analyse other aspects of your system like plugins and plugin version that may affect how our platforms performs. This data helps us to support you with any problems or issues you might experience when using our platforms.
  • E-mail communications: to help us make e-mails more useful and interesting, we often receive a confirmation when you open e-mail from www.gl-assessment.co.uk if your computer supports such capabilities.
  • Student information including gender and age – this data is provided to us from schools as part of the set-up process on our platforms. It is used to ensure our assessments are fair and to provide detailed analysis of performance.
  • Student information including observations about students’ performance in tests, the environment during tests and any other relevant information, for example, any illness of a student prior to or during the testing.
  • Student information including ethnic and socio-economic information – this data can be provided to us by schools as part of the assessment setup and our platforms can analyse ethnic and socio-economic information enabling schools to understand particular needs and focus among specific ethnic or socio-economic groups.

As part of its wider research focus and to improve future products The GL Education Group may use historic results data as part of its further analysis of historic trends and changing Assessment requirements.

Sharing of data

Information about our users is an important part of our business and we maintain our business integrity by not selling information about our users to other parties.

  • Agents: we employ other companies and individuals to perform functions on our behalf. They have access to personal information needed to perform those functions, but are not permitted to use it for other purposes. Furthermore, they must process the personal information in accordance with this Policy, our Privacy Policies and the contractual provisions we have put in place with them as permitted by the Data Protection Legislation or indeed the equivalent data protection laws if operating in another country.
  • Promotional offers: occasionally we may send offers to selected groups of customers about the GL Education Group products or product upgrades we feel may interest them. We do not sell your personal details to any third party under any circumstances.
  • Business transfers: as we continue to develop our business, we might sell or buy subsidiaries or business units. In such transactions, customer information generally is one of the transferred business assets but remains subject to the promises made in any pre-existing arrangements. Also, in the event that the GL Education Group or substantially all of its assets are acquired, customer information will, of course, be one of the transferred assets.
  • We release account and other personal information when we believe release is appropriate to comply with law, to enforce or apply our conditions of use and other agreements or to protect the rights, property or safety of www.testingforschools.com our users or others. This includes exchanging information with other companies and organisations for fraud protection and credit risk reduction. Obviously, this does not include selling, renting, sharing or otherwise disclosing personally identifiable information from customers for commercial purposes in a way that is contrary to the commitments made in this Policy.
  • Whenever we transfer personal information to countries outside of the European Economic Area in the course of sharing information as set out above, we will ensure that the information is transferred in accordance with this Policy and our Privacy Policies as permitted by the Data Protection Legislation or indeed the equivalent data protection laws if operating in another country.

Anonymised data

We process and store anonymised data about test takers. This data will, for example, spot trends in results. We may share the outcomes of any research carried out on this anonymised data with various third parties, for example, UK Government but never the underlying data set and it is never the case that test takers can be individually identified from such information.

Privacy policy

The GL Education Group understands that through the use of the Service and acceptance of the relevant privacy policies, organisations will consent to the collection and use of the Data for storage, processing, and use by the GL Education Group. Copies of our privacy policies are available on our websites.

Data controllers

For the purposes of the Data Protection Legislation:

  • where we process personal data on behalf of a school, LEA, hospital or similar organisation (e.g. student or parent data), the relevant school, LEA, hospital or similar organisation is the data controller and GL Education Group Limited of 1st Floor Vantage London, Great West Road, Brentford, TW8 9AG is a data processor.
  • where we process the personal data of someone who uses or orders our products or services for or on behalf of a school, LEA, hospital or similar organisation or for some other professional purposes (e.g. home based specialist teacher/tutor or clinical psychologist), GL Education Group Limited of 1st Floor Vantage London, Great West Road, Brentford, TW8 9AG is the data controller.

Data security

The GL Education Group complies fully with the ISO/IEC 27001 (ISO/IEC 27001 Certificate Number GB18430) international standard regarding information security management, the highest standard in industry specifically for data security. At the GL Education Group, this standard is maintained for all online resources which includes Testwise, the GL Education Group’s online testing system, the TestwiseReportingSystem (“Testwise”) and our SEN testing platform (“GLReady”).

Operating Systems

Our platforms operate on the Microsoft Windows™ operating system and can only be accessed by a small number of approved staff members at the GL Education Group’s Technical Development site. This number can change but is usually limited to a small core maintenance team responsible for monitoring and ensuring systems are online at all required times. Access is only possible using an account login and password and all access attempted is logged in real time. Access from any other location other than the GL Education Group’s Technical Development office is only possible once senior management permission has been granted (via an authorisation process) and only then is it implemented by the GL Education Group’s Technical Development office.

Databases

Our platforms use Microsoft SQL Server™ databases, where all data pertaining to registered test takers to take the GL Education Group tests and their test results are stored. Like its operating system, the databases can only be accessed by a very small number of approved staff members at the GL Education Group’s Technical Development site. Access is only possible using an account login and password and all attempted access is logged in real time. Access from any other location other than the GL Education Group’s Technical Development office is only possible once senior management permission has been granted (via an authorisation process) and only then is it implemented by the GL Education Group’s Technical Development office.

Infrastructure

The platforms’ infrastructure is protected by multiple firewalls that can only be accessed from the GL Education Group’s Technical Development office using a secure login and password made available only to the network administrator and a very small technical team.

The servers hosting our platforms are located in either EEA based Microsoft Azure™ or Amazon Web Services (AWS) environments. Only a small number of the GL Education Group’s technical team are able to access the environments. Permission to access the environments must be gained in advance from company directors and all access is logged and recorded. All back up routines for data recovery are also hosted within the EEA based Microsoft Azure™ or Amazon Web Services (AWS) environments.

User Interface - Organisations

Access to each customer account is only possible using the administrator password that is set by the school administrator. Only once access has been successfully gained can test taker data be viewed, altered or added. It is the responsibility of the school to safeguard the administrator password which is not made known to the GL Education Group.

Administrator passwords can be changed by the administrator as often as required. However, in line with ISO 27001 requirements, administrators are encouraged to change passwords at least once every 6 months. Should an invalid administrator password be entered into a customer account three times in succession, the account will automatically be suspended for a configurable period of time, which is set to 5 minutes by default.

User interface - test takers

A test taker accessing the testing platforms will only be able to take any outstanding tests set for him or her. It is not possible for test takers to view their own test scores or the data and scores of any other test takers. Test taker access codes are created by the system and will be unique to each test taker.

User interface - GL Education Group staff

No member of the GL Education Group staff can routinely log into an organisation’s or test taker’s account on our platforms. Only in very rare and exceptional circumstances is this allowed to happen on verification of received consent from an organisation, and the purpose of the access is purely to support that organisation with a technical query or data request. In this instance, any access to the data is tracked and a detailed audit log, together with the exceptional circumstances instigating the access, is shared with company directors at the GL Education Group.

Research code of practice

All GL Education Group research and development activity will adhere to the best practice guidelines defined below. At all times these strict research principles will be followed and, in practice, respect will be given to all participants (individuals and organisations) and the manner in which their data is collected and used. Staff at the GL Education Group will conduct all research and development with the utmost professionalism, adopting appropriate industry standards in the areas of data security, project management and research methodologies.

Principles

All GL Education Group research activity will be based on the following principles to ensure:

  • Sensitive and helpful approaches are adopted towards those providing data.
  • The confidentiality of data is protected.
  • The planning, conducting and publication of research takes account of cultural, religious, racial, gender, age, socio economic and other relevant differences amongst those participating in research.
  • Rigorous and appropriate methodology is adopted to ensure the research data, findings and conclusions are fair, accurate, valid and reliable.
  • Clear procedures are in place for the effective management of projects.
  • Research findings are disseminated in keeping with the project brief and the conditions agreed as part of initial data supply.
  • Staff conduct themselves at all times in a professional manner.

Practice

All GL Education Group research activity will adhere to the following practices:

Respect for participants

  • Information will be given about the aims, purpose and outcomes of the research. All data gathering in institutions such as schools and businesses will take place only with the express agreement of authorised representatives of those institutions.
  • Staff will respect participants’ views.
  • Staff will be mindful of cultural, religious, race, gender, age, socio-economic, special needs and other relevant differences throughout the research process.
  • Information about the Code will be given to participants and copies made available if requested.

Professional approach to data collection

  • Data gathering activities will be carried out fairly and openly.
  • Data gathered will be used for the express purpose for which it was collected. Where an existing dataset could be used for another purpose, explicit permission will be sought again.
  • Adequate notice will be negotiated and given for the timing of data collection and there will be sufficient liaison about the most effective collection and supply methods, to minimise disruption.
  • Staff will ensure that any research instruments used (questionnaires, tests, etc.) will be as valid and reliable measures as possible, except where the purpose of the research is to obtain measures of these two features.
  • Staff will adhere to the copyright laws regarding the use and acknowledgement of published and unpublished materials.
  • Any use of digital recording devices during telephone interviews will be governed by the statutory requirements of the Communications Act (2003).
  • OFCOM guidelines for the use of digital recording devices for telephone interviewing will be adhered to. For example, participants’ prior permission will be obtained for the use of such a device and they will be reminded of the recording at intervals during the interview.
  • Staff will ensure that due regard has been taken of information available on the GL Education Group databases and via the Telephone Preference Registry before seeking to arrange telephone interviews as part of research activity.
  • Information on and obtained from a participant in a market research survey will not be passed for follow up through sales and/or marketing activity, unless specifically requested by the participant.

Storing, analysing and reporting information

  • The legal rights of the individual or institution will always be observed, regardless of commercial considerations.
  • The GL Education Group is registered under The Data Protection Act (1998)4 and staff will adhere to its provisions and those of the General Data Protection Regulation (GDPR) on the use of data.
  • The GL Education Group will ensure that information storage in any area of the company is subject to appropriate levels of security and confidentiality. Access will be restricted to authorised project staff only.
  • Information about the way data is stored and the security and confidentiality procedures in place will be made available to individuals and the authorised representatives of institutions upon request.
  • Data that identifies individuals or institutions is held in confidence by GL Education Group and will not be released to anyone unless the written consent of the relevant individuals or institutions is given. Where the data has been provided by a third party, such as a local authority or a business, the data will not be released to anyone other than that third party.
  • The GL Education Group will take all reasonable steps to ensure that the results of educational research both at the individual and institutional level, will not cause substantial damage and distress.
  • The purpose of educational research will not be such as to support decisions or other actions in respect of individuals.
  • The researcher will destroy all original raw data provided if requested by the participants.
  • Staff will base their findings and judgements on sound research evidence.
  • Monitoring procedures will be used to ensure that all staff will not fabricate, falsify or misrepresent evidence, findings or conclusions.
  • Dissemination of findings will be in appropriate, comprehensible forms for relevant audiences and subject to the principles and practice set out in the Code.
  • The GL Education Group staff should ensure that appropriate branding is routinely placed on research instruments, reports and materials generated by them, unless a contract clause prevents this.

Contacting The GL Education Group

If you have any further queries regarding this data policy please contact our Data Protection Officer at:

The Data Protection Officer
The GL Education Group
1st Floor Vantage London
Great West Road
Brentford
TW8 9AG

Alternatively you can email our Data Protection Officer at dpo@gl-education.com.