The GL Education Group Data Privacy Notice

At GL Education Group Limited ("we", "us") we value the privacy of all our customers. We recognise that when you choose to provide us with information about yourself, you trust us to act in a responsible manner. We believe this information should only be used to help us provide you with a better service. We will only collect and use Personal Data in ways that are described in this Privacy Notice (“Notice”), and always in compliance with our obligations and your rights under the law.

This Notice sets out how we treat your Personal Data in the provision of our services, however that Personal Data in collected. We display separate privacy notices on each of the websites we operate and for each platform you may use (e.g Testwise privacy notice and GL-Ready privacy notice). We ask that you also read those other privacy notices when you make use of our services provided through those websites and platforms.

GL Education Group is a Limited Company registered in England and Wales under company number 02603456

Registered address: 1st Floor, Vantage London, Great West Road, Brentford, TW8 9AG

Telephone number: +44 (0)20 8996 3369

Data Protection officer: Karl Oertel

Email address: [email protected]

In this Notice, reference to Data Protection Legislation means the Data Protection Act 2018, the General Data Protection Regulation (“the GDPR”), and the Privacy and Electronic Communications Regulations 2003.

‘Personal Data’ is defined by the GDPR as: “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.

In simpler terms, Personal Data is any information about you that enables you to be identified. For example, this could be your name or contact details.

The GL Education Group routinely receives both organisational and Personal data in order to provide the products, services and reporting required by our customers and partners. It also receives similar data to underpin a range of research and development activity conducted for commercial and non-commercial purposes at the GL Education Group.

This Notice is intended to give reassurance to those providing Personal Data to the GL Education Group, by explicitly stating how such data is collected, stored and accessed according to Data Protection Legislation. 

The GL Education Group complies fully with the ISO/IEC 27001 international standard regarding information security management, the highest standard in industry specifically for data security. At the GL Education Group, this standard is maintained for all online resources which includes Testwise, the GL Education Group’s online testing system, the Testwise Reporting System and our SEN testing platform (GL Ready).

The GL Education Group provides a rich collection of resources, including the ability to set up and administer various tests online, allow test takers to complete tests online and on paper, alongside associated marking and scoring services and to view reports on test performance and other relevant sets of data about tests and test takers (the “Service”). 

The Service is provided for those using our published products as well as those who have given explicit permission to participate in any research and development the GL Education Group is undertaking, including pre-published trial activity carried out as part of the development of our products (the “Research”). The latter is governed by our research code of practice (the “Code”) which is available on request. 

As part of the Service, organisations will choose and consent to the provision of organisational and Personal Data through the uploading of relevant information to the GL Education Group. In doing so, the GL Education Group acknowledges that the ownership of the Personal Data remains with the administrating organisation. All requests to share Personal Data with other non fee-paying organisations will only be done on receipt of a certified permission form, for example where a school explicitly requests the GL Education Group to facilitate sharing of the school's Personal Data with other schools or organisations.

The Service may include certain communications from the GL Education Group, such as service announcements and administrative messages, and these communications are considered part of the Service subscription and it will not be possible to opt out of receiving such notifications. The GL Education Group undertakes to limit such communications as much as possible.

The Personal Data provided by organisations helps to personalise and continually improve the Service offered. We use any Personal Data provided to help administer accounts, and to continuously refine the reliability and ease of use of the Service. We also use this information to help develop new services. We use the Personal Data provided to process an individual test and to process reports on tests. We also use this Personal Data to improve the platform, prevent or detect fraud or abuses of our website and enable third parties to securely carry out technical, logistical or other functions on our behalf.

• We maintain physical, electronic and procedural safeguards in connection with the collection, storage and disclosure of Personal Data. Our security procedures mean that we may occasionally request proof of identity before we disclose Personal Data to you.
• It is important for you to protect against unauthorised access to your password and to your computer. You should be sure to sign off when you finish using a shared computer.
• Organisations have access to a broad range of information about their accounts and interactions. On request, any user whose Personal Data we hold may request a copy of that information. In addition, on request, we will anonymise, amend or erase any Personal Data we hold in relation to a user. Students can typically not access their own personal details since this may include assessment results but on request a suitably qualified system Administrator (typically an administrator or teacher at their school) can access this information on their behalf.
• Data will be accessible for the duration of the current academic year, or the past six months, whichever is longest, at which stage all data is archived from live access.
• Archived data will be deleted at regular intervals (typically 24 months) so it will only be held for the minimum time required.

For the purposes of the Data Protection Legislation:

• where we process personal data on behalf of a school, LEA, hospital or similar organisation (e.g. student or parent data), the relevant school, LEA, hospital or similar organisation is the data controller and GL Education Group Limited is the data processor
• where we process the personal data of someone who uses or orders our products or services for or on behalf of a school, LEA, hospital or similar organisation or for some other professional purposes (e.g. home based specialist teacher/tutor or clinical psychologist), GL Education Group Limited is the data controller.

Information you give us: We collect Personal Data from you when you create an account on our platform, when you make a purchase with us or in any other way that you chose to provide us with your Personal Data. 

The Personal Data you give us includes (but is not limited to):

• contact details: your name, email address, telephone number and address
• Financial and payment details: We will collect details of your bank account and other data necessary for processing payments including credit/debit card numbers, security code numbers and other related billing information.
• Other Personal Data: We may collect further Personal Data such as (if you are purchasing on behalf of a school or other organisation) your job title, your role in the organisation and your qualifications. There are occasions when we will ask for additional information. We do this to be able to better understand your needs, and to provide you with services that we believe may be valuable to you. (It is important that your Personal Data is kept accurate and up to date. If any of the Personal Data we hold about you changes, please keep us informed)

Information collected automatically: 

We receive and store certain types of information whenever you interact with us. For example, like many websites, we use “cookies” and we obtain certain types of information when your Web browser accesses our websites. We also collect the Internet protocol (IP) address used to connect your computer to the Internet, login, email address, password, computer and connection information such as browser type and version, your operating system and platform. We also analyse other aspects of your system like plugins and plugin version that may affect how our platforms performs. This data helps us to support you with any problems or issues you might experience when using our platforms.

Email communications: to help us make emails more useful and interesting, we often receive a confirmation when you open email from www.gl-assessment.co.uk if your computer supports such capabilities.

We collect Student Personal Data from you and process this under your instructions. The Personal Data you provide on the platforms relating to Students includes (but is not limited to): Name, age, gender, unique pupil number, assessment results, observations about students’ performance in tests, the environment during tests and any other relevant information, for example, any illness of a student prior to or during the testing, ethnic and socio-economic information – this data can be provided to us by schools as part of the assessment setup and our platforms can analyse ethnic and socio-economic information enabling schools to understand particular needs and focus among specific ethnic or socio-economic groups.

As part of its wider research focus and to improve future products The GL Education Group may use historic results data as part of its further analysis of historic trends and changing Assessment requirements.

• The processing of your Personal Data is necessary for the performance of a contract with you or to take steps prior to entering into a contract with you
• By providing your contact details, you provide your consent for us to contact you in relation to the goods or services you have requested or in relation to your registration on our websites
• The processing of your Personal Data is necessary for the purpose of our legitimate interest – in this case, the proper operation and functionality of our websites, platforms and related services.

• to communicate with you in order to provide the service or goods you have requested under a contract or to take steps at your request prior to entering into a contract
• to enable us to process, validate and verify your GL Education Group registration 
• to deliver the requested goods to you
• to help us develop new products and services for you 
• to send you emails to provide customer support
• to maintain our own accounts and records
• to comply with a legal obligation or in legal proceedings
• to inform you, with your consent and/or where permitted by law, about news, offers and changes to our services. We will always comply with our obligations under the Data Protection Legislation and you have the right to ask us to stop contacting you for marketing purposes at any time.

We may use your Personal Data in any other way where you have given your consent for that particular purpose.

The Personal Data that we hold will not be stored at a destination outside the United Kingdom or the European Economic Area. In the event that we transfer data to a country outside the UK, we will take suitable steps in order to ensure that it is treated just as safely and securely as it would be within the UK and under Data Protection Legislation.

Information about our users is an important part of our business and we maintain our business integrity by not selling Personal Data to other parties.

• Agents: we employ other companies and individuals to perform functions on our behalf. They have access to the Personal Data needed to perform those functions, but are not permitted to use it for other purposes. Furthermore, they must process the Personal Data in accordance with this Notice and the contractual provisions we have put in place with them as permitted by the Data Protection Legislation or indeed the equivalent data protection laws if operating in another country.
• Business transfers: as we continue to develop our business, we might sell or buy subsidiaries or business units. In such transactions, Personal Data of customers is generally one of the transferred business assets but remains subject to the promises made in any pre-existing arrangements. Also, in the event that the GL Education Group or substantially all of its assets are acquired, customer Personal Data will be one of the transferred assets.
• In some limited circumstances we may be required to share certain Personal Data in order to comply with a legal obligation, in legal proceedings or in order to enforce or apply our terms of use and other agreements, or to protect the rights, property, or safety of GL Education Group Limited, our customers, or others. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction. This does not include selling, renting, sharing or otherwise disclosing personally identifiable information from customers for commercial purposes in a way that is contrary to the commitments made in this Notice.

We may use information relating to Students and schools in anonymised format to produce reports that we produce and share with third parties. These reports would, for example, be comparable reports about the type of organisation (for example, type of school, % of students with different languages) and their performance. No Student User or school would be identifiable in such reports.

Under the Data Protection Legislation, you have the following rights:

• The right to be informed about our use of your Personal Data. This Notice should tell you everything you need to know, but you can contact us if you have any questions about your Personal Data and our use of it
• The right to be provided with a copy of the Personal Data we hold about you. Any requests should be made in writing to the email address provided
• The right to have your Personal Data rectified if it is inaccurate or incomplete
• The right to be forgotten, i.e. the right to ask us to delete or otherwise dispose of any of your Personal Data that we hold
• The right to restrict the processing of your Personal Data
• The right to object to us using your Personal Data for a particular purpose
• The right to withdraw consent. This means that, if we are relying on your consent as the legal basis for using your Personal Data, you are free to withdraw that consent at any time
• The right to receive your Personal Data in order to transmit it directly to another data controller (known as the right to data portability). This right only applies where we are processing your Personal Data with your consent or for the performance of a contract with you and in either case we are processing the data by automated means 
• Rights relating to automated decision-making and profiling
• The right to lodge a complaint with the Information Commissioner’s Office. We would welcome the opportunity to resolve your concerns ourselves however, so please contact us first.

Our platforms operate on the Microsoft Windows™ operating system and can only be accessed by a small number of approved staff members at the GL Education Group’s Technical Development site. This number can change but is usually limited to a small core maintenance team responsible for monitoring and ensuring systems are online at all required times. Access is only possible using an account login and password and all access attempted is logged in real time. Access from any other location other than the GL Education Group’s Technical Development office is only possible once senior management permission has been granted (via an authorisation process) and only then is it implemented by the GL Education Group’s Technical Development office.

Our platforms use Microsoft SQL Server™ databases, where all data pertaining to registered test takers to take the GL Education Group tests and their test results are stored. Like its operating system, the databases can only be accessed by a very small number of approved staff members at the GL Education Group’s Technical Development site. Access is only possible using an account login and password and all attempted access is logged in real time. Access from any location other than the GL Education Group’s Technical Development office is only possible once senior management permission has been granted (via an authorisation process) and only then is it implemented by the GL Education Group’s Technical Development office.

The platforms’ infrastructure is protected by multiple firewalls that can only be accessed from the GL Education Group’s Technical Development office using a secure login and password made available only to the network administrator and a very small technical team.

The servers hosting our platforms are located in either EEA based Microsoft Azure™ or Amazon Web Services (AWS) environments. Only a small number of the GL Education Group’s technical team are able to access the environments. Permission to access the environments must be gained in advance from company directors and all access is logged and recorded. All back up routines for data recovery are also hosted within the EEA based Microsoft Azure™ or Amazon Web Services (AWS) environments.

Access to each customer account is only possible using the administrator password that is set by the school administrator. Only once access has been successfully gained can test taker data be viewed, altered or added. It is the responsibility of the school to safeguard the administrator password which is not made known to the GL Education Group.

Administrator passwords can be changed by the administrator as often as required. However, in line with ISO 27001 requirements, administrators are encouraged to change passwords at least once every 6 months. Should an invalid administrator password be entered into a customer account three times in succession, the account will automatically be suspended for a configurable period of time, which is set to 5 minutes by default.

A test taker accessing the testing platforms will only be able to take any outstanding tests set for him or her. It is not possible for test takers to view their own test scores or the data and scores of any other test takers. Test taker access codes are created by the system and will be unique to each test taker.

No member of the GL Education Group staff can routinely log into an organisation’s or test taker’s account on our platforms. Only in very rare and exceptional circumstances is this allowed to happen on verification of received consent from an organisation, and the purpose of the access is purely to support that organisation with a technical query or data request. In this instance, any access to the data is tracked and a detailed audit log, together with the exceptional circumstances instigating the access, is shared with company directors at the GL Education Group.

If you have any further queries regarding this Notice please contact our Data Protection Officer at: [email protected].