Your information and data protection
What’s this policy about and when does it apply?
Your privacy is important to us and we’re proud to be aware of and committed to all relevant laws and regulations relating to the collection, storage and use of data (including GDPR). In this policy we want to explain to you how we:
- use your personal data
- comply with the data protection legal obligations which apply to us and this Website
so that you understand and have a choice about how your personal data is collected, used and stored (processed).
The policy applies when you use our Website and is part of our terms and conditions which you can find here. This policy was last updated on 3/9/19.
We may make changes to the policy (for example to keep up with changes in the law) so we advise you to check the policy as you use the Website and our services, although we will let you know about material changes.
Who are you?
We are education.co.uk, a project of The Education Company Limited;
a company registered in England and Wales, Company Registration number 02651241, whose Registered Office is at Denne Court, Oad Street, Hengist Field, Borden, Sittingbourne, Kent, ME9 8LT.
Our email address is firstname.lastname@example.org and our website is https://www.educationcompany.co.uk
Our Data Protection Act Registration Number is Z4930758
Who do I contact about personal data or change my mind about how you can use it?
Our data protection representative is Mr Andrew Atkins who you can email at email@example.com if you need any help or information about this policy or about how we collect and use personal data. You can also write to us if you prefer – see Who are you? above
What personal data and information do you collect?
Personal data is any information which could identify you, including your name, address and email address and IP address. Special category data is more sensitive, such as information about your health or ethnic origin. We do not process any special category data, nor any data relating to payment.
Depending on how you use the Website and what we provide to you, we collect a range of personal data from you, including your name and contact information (such as your business address, telephone number and email) as well as other information which you choose to give us as you use the Website and our services. We collect only the minimum possible data to provide access to our procurement service. This includes your name, business email address, place of work, and job role. As you can see, though it is ‘personal data’, this is non-sensitive information that is simply used to link schools with suppliers that may be able to supply their purchasing requirements. We ask for this data directly from you when you create an account with us; you can update this at any time.
If you choose not to provide us with personal data, we may be unable to provide some services to you. For example, without your email address we will not be able to email you.
How do you collect personal data?
We may collect your personal data from you in the following ways
- Forms you complete on the Website, such as when you register with us
- Information you provide to us or when you ask us to provide services to you
- The information you provide when you communicate with us such as by email
- Any surveys or feedback requests which you choose to complete or competitions which you choose to enter
- Information about your visits to our Website which will include (but are not limited to) your IP address, online tracking such as location, browser and type of device you use
It is therefore very important that you consider what data/information that you wish to share with us and other Website Users. For example, if
- you are a School and do not wish to share personal data, such as the name of an appointed representative/person, please do not include it in your Procurement Project OR
- you are a Supplier and do not wish to share data/information with any School, please do not include it in a Proposal.
How do you use personal information?
We use personal data so that we can
- Set up your account and for administration related to your use of the Website
- Send you any information via your business email address that you provide, such as updates on the status and progress of any Procurement Projects you are involved with or relevant messages received. You may also receive updates on new informative content with regard to the Website that may be of interest to the education sector
- Deal with any request for help or answer your queries and support generally
- Give you the best user experience and to enable you to participate in interactive features of our Website
- To analyse and monitor how our Website is used and to help us to administer it (including security and fraud detection) and to run our business generally
Since we only link schools with suppliers and do not carry out any financial transactions on the Website, we do not take any further details nor payment details at any point. Via your business email address that you provide, you will receive updates on the status and progress of any procurement projects you have created.
What is the lawful basis for processing my personal data?
The law says that we cannot process (collect, use or store) your information unless we have a lawful basis for doing so. There are several lawful bases which we rely on, including
- consent – when you agree that we can use your personal data in a particular way
- contract – to fulfil our contractual obligations to you or because you have asked us to do something before we enter into a contract together
- legal obligation – when the law says that we must, such as for tax reasons
- legitimate interests – when we use your personal data in ways you would reasonably expect, and which have a minimal privacy impact, or where there is a compelling justification
- We have conducted a thorough Legitimate Interest Assessment and balancing test (both of which are regularly reviewed) and concluded that data can be processed and stored based on the Legitimate Interests option under GDPR. This means that we have identified that the Legitimate Interests of ourselves as suppliers of the Website, and those of the Website users who provide their data in order to utilise the procurement service we provide, do not negatively impact on the rights of the data subjects (yourselves, the Website users).
Simply put: we cannot run our service of connecting schools and suppliers without collecting this minimal information from you to create your account – and you cannot use our service without providing the data to create an account. Since you’re here because you want to use our service, you would reasonably expect this data to be gathered. You will gain a valuable amenity via this data processing, and there will be no negative impact on your rights or freedoms as a result.
Who do you share personal data with?
There may be times when we must share your personal data with others, for example, where the law requires us or to enforce our rights or protect others, such as for fraud prevention. We may also
- Allow authorised third parties (see table below) to track and store information about visitors to our Website (including IP addresses)
- Disclose your personal data to those who are providing services to us if they have appropriate processes to protect it
Who we share with
Why we share it
We require all these third parties to respect your personal data, to process it on our instructions and comply with current law in relation to data protection.
Otherwise we will only share your personal information if you have consented to this - we do not share or sell it to third parties. Since we provide a primarily anonymous service, throughout the procurement process your details will not generally be disclosed unless
- you are a Supplier and have provided information (for example by completing a Proposal) which you agree to share with a School) as part of the procurement process or
- you are a School and you have directly invited another to join education.co.uk activities, including (but not limited to) signing up for an account, joining a group or participating in a Procurement Project.
We provide a facility for Schools to ask and answer questions via the Website without having to use your email address or other identifier, so the only details Suppliers receive will be any Schools provide explicitly to them through our direct and secure messaging system. The only time when any of the data which a School provides will be visible will be
- at the very end of the procurement process, when you have chosen the winning supplier who will deliver your new products or services. To this winning supplier only will we display your name and school, to allow better communication ahead of the sale or
- if a School expressly chooses to share data (for example)
What are my personal data rights?
The law gives you certain rights in relation to your personal data and to exercise or discuss these rights contact Andrew Atkins firstname.lastname@example.org or by post to
The Education Company Limited
The following rights apply to personal data we collect and process so that you can
- Access your personal data
- Rectify your personal data if it is inaccurate or incomplete
- Ask us to erase your personal data and prevent processing in specific circumstances
- Restrict processing of your personal data in certain circumstances
- Obtain and reuse your personal data for your own purposes across different services
- Object to processing your personal data in certain circumstances
You can also see the personal information we hold on you at any time on the My Account page of the Website, and correct or change this information freely – except for the original email address you provided on sign-up, which is your consistent username that we hold all your data against.
You also have the right to lodge any data protection complaints with the Information Commissioner's Office (ICO), the UK’s supervisory authority. Visit www.ico.org.uk for more information including how to access their helpline.
What about using, storing and transferring personal data?
Access to all data held by The Education Company is restricted to those employees who need it. All employees’ access is based on individual user accounts that are password restricted, with monthly password changes in place. Passwords are set for high security. The data itself is stored on dedicated servers which have restricted access both physically (housed in a security-controlled server room) and limited network access based on role and permission groups. All systems are protected with an industry-standard firewall.
We keep your personal data only for as long as it is reasonably required and then it will be deleted or destroyed or anonymised.
All data held is reviewed regularly with regard to the age of the data, its benefit and its accuracy, and we hold it for as long as each user may reasonably be expected to want access to their account. We do not delete data after a set period of time as this would result in the entire deletion of the user’s account, meaning all of their records on any past procurement (the retention of which forms a valuable part of our service and may be vital in the event of a legal challenge or audit, for example) would be lost, and furthermore the user would no longer have access to the service. We will therefore delete data held when an individual requests that we do so, because they no longer want access to the procurement service or any of their previous records.
Our Data Retention Policy:
How long is personal data kept?
We will retain personal data for 2 years from the date that you ceased to be a Website User.
We will retain personal data for 12 months from the date of our last contact.
We will retain personal data for 12 months from the date of the last time you contacted us.
We will retain personal data for 2 years from the date that you ceased to be a supplier.
Your data may be transferred or stored outside the EU to countries which may not have the same data protection as the EU but, if we do this, we will have an agreement with the third party who will be using an approved mechanism to keep personal data secure.
Data security and our data protection policy
To protect your personal data, we have put the following measures in place:
- security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed (including SSL, encryption and restricted access)
- internal policies and procedures (including our data protection policy) to deal with any issues, including notifying you where applicable of any breach.
Data is stored in a SQL database, and the site uses HTTPS Protocol so when data is transferred it is encrypted. Access to all data held by The Education Company is restricted to those employees who need it. All employees’ access is based on individual user accounts that are password restricted, with monthly password changes in place. Passwords are set for high security. The data itself is stored on dedicated servers which have restricted access both physically (housed in a security-controlled server room) and limited network access based on role and permission groups. All systems are protected with an industry-standard firewall.
Our data protection policy forms part of all employees’ contracts of employment and includes rules relating to the collection, storage and use of personal data held by the company. We aim to review our data processing at least once every 12 months to ensure we are holding as little data as possible, storing it securely, and processing it with minimal impact to the data subjects/Website Users.
Do you collect and process non-personal information?
When you use the Website we may also collect non-personal information or aggregated information – that is any information about more than one individual where the individual’s identity is unknown and cannot be inferred from that information. This helps us run our Website and business effectively.
What about third parties and social media?
You may visit or leave our Website by clicking a link to or from another website or platform operated by a third party – for example, you may use social media icons (such as Twitter). If you do this, please also take the time to read the relevant privacy information provided by other websites/platforms because they may be different. Your information will only be shared where you have agreed to permit this.