OxEd and Assessment Limited – Privacy Statement
1. WHAT IS OXED, LANGUAGESCREEN, LANGUAGESCREEN EXTENDED, MATHSSCREEN or READINGSCREEN?
OxEd and Assessment Limited (Company number 12325592) is referred to in this document using its trading name, “OxEd”, “LanguageScreen”, “LanguageScreen Extended”, “MathsScreen” or “ReadingScreen”. OxEd is committed to protecting and respecting your privacy. For the purposes of applicable data protection legislation, the data controller of your personal information is LanguageScreen.
2. WHAT DOES THIS STATEMENT DO?
- OxEd has developed this privacy statement because you should feel confident about the privacy and security of your personal information. OxEd takes all reasonable care to prevent any unauthorised access to your personal information.
- When “personal information” is referred to in this privacy statement, it means information that relates to you in circumstances where you can be directly or indirectly identified. OxEd may hold and use personal information about you for various reasons.
- This privacy statement only applies to how OxEd deals with your personal information. It does not apply to your use of services, products or websites made available to you by third parties. Please review the applicable privacy policies of such third parties to understand how they use your personal information.
- Please note, if you are receiving a OxEd account after signing up to the provision of the NELI programme via the teachNELI.org website (funded by Nuffield Foundation Education Ltd), you should be aware that OxEd is working under a contract with Nuffield Education Ltd funded by the DfE and providing language assessment services for participating Schools using the LanguageScreen app. Under this contract Ox-Ed is the data processor with the DfE as data controller. You should also be aware that in this contract a clause exists specifying that Nuffield Foundation Education Ltd, at the direction of DfE, may require OxEd to delete the personal data held in your OxEd account at the end of the current contract (30 September 2022). If OxEd receives such a request from Nuffield Foundation Education Ltd we will write to any school affected to give them 2 weeks’ notice that all data will be deleted from their school accounts. Finally, for the duration of this contract (until 30 September 2022) OxEd will not market any other paid for products to any school participating in the Nuffield Education Ltd funded NELI rollout.
3. WHAT PERSONAL INFORMATION DOES OXED COLLECT FROM YOU AND HOW DOES IT GET USED?
OxEd may collect and process the following personal information about you:
- Personal information that you provide by filling in forms that OxEd provides on various websites from time to time. This includes personal information provided at the time of subscribing to OxEd’s services, posting material or requesting further services. OxEd may also ask you for personal information when you report a problem with a OxEd service. The lawful basis for processing personal information in this way is legitimate interests.
- Personal information about pupils is provided by schools so that the schools can make use of OxEd’s services to benefit the education of the pupils in question. The lawful basis for processing pupil’s personal information in this way is public task.
- OxEd also collects personal information about schools and other education professionals using its services for billing purposes. The lawful basis for processing personal information in this way is contract.
- OxEd collects personal information about your use of the OxEd services for the purpose of improving the services it delivers. The lawful basis for processing personal information in this way is legitimate interests.
- OxEd may also monitor and record communications with you, including e-mails and phone conversations which may then be used for training purposes, quality assurance, to record details about the products and services that you use, and in order to meet legal and regulatory obligations generally. The lawful basis for processing personal information in this way is legitimate interests.
4. HOW ELSE IS YOUR PERSONAL INFORMATION USED?
Marketing and Advertising
OxEd may use the personal information held about schools and education professionals using its services to send you marketing materials which you may be interested in. The lawful basis for processing personal information in this way is legitimate interests. Where appropriate, OxEd strives to obtain your consent if it is intended to use personal information about schools and education professionals using its services for certain other marketing purposes. Where you have provided consent, OxEd may use personal information that you provide for marketing purposes. Personal information about you, received from third party companies and organisations, may also be used. Where personal information about you is received from third parties, this is on the basis that such third parties have obtained your consent to such disclosure.
5. IS YOUR PERSONAL INFORMATION SHARED WITH ANYONE ELSE?
- OxEd may use other companies to provide the services that OxEd has agreed to supply to you. To enable them to do this, your personal information may be shared with them. When this occurs, these companies are required to act in accordance with the instructions that OxEd gives them, and they must meet the requirements of applicable data protection legislation when processing your personal information. The lawful basis for processing personal information in this way is legitimate interests.
- OxEd may provide your personal information, in response to lawful requests, for the purposes of the prevention and detection of crime, and the apprehension or prosecution of offenders. Information may also be provided for the purpose of safeguarding national security. In either case, it is done in accordance with applicable data protection legislation. Your personal information will be provided to third parties when it is required by law: for example, under a court order, or in response to lawful demands, under powers contained in the governing legislation. The lawful basis for processing personal information in this way is legal obligation.
6. FOR HOW LONG DOES OXED KEEP YOUR PERSONAL INFORMATION?
Unless there is a specific legal requirement to keep your personal information, it will be retained for no longer than is necessary for the purposes for which the data was collected or for which it is to be further processed: Further processing shall often include research*.
7. HOW IS YOUR DATA PROTECTED WHEN IT IS TRANSFERRED OUTSIDE THE EEA OR UK?
OxEd complies with the rules in applicable data protection legislation governing the transfer of your personal information from countries in the European Economic Area (EEA) or the UK to countries outside the EEA & UK. OxEd may sometimes transfer your personal information to a country outside the EEA & UK but before doing so steps will be taken to ensure that your personal information is only transferred in accordance with applicable data protection legislation.
8. HOW IS YOUR PERSONAL INFORMATION PROTECTED?
- OxEd is serious about keeping your personal information secure. Appropriate organisational and technical security measures are taken to protect your personal information against unauthorised disclosure or processing.
- Where you have been given or you have chosen a password which enables you to access certain parts of the OxEd system, you are responsible for keeping this password confidential. You are asked to not share such a password with anyone.
- Various security measures are used to protect the information that OxEd collects, as appropriate to the type of information. These measures include encryption, firewalls, and access controls. OxEd company databases are accessible only by persons who have entered into and are bound by a confidentiality and nondisclosure agreements with OxEd.
- Unfortunately, the transmission of information via the internet is not completely secure. Although OxEd will do its best to protect your personal data, the security of your information transmitted to OxEd cannot be guaranteed: any transmission is at your own risk. Once your information has been received, strict procedures and security features will be used to try to prevent unauthorised access.
9. HOW TO ACCESS YOUR PERSONAL INFORMATION AND YOUR OTHER RIGHTS?
- You should be aware of the following rights in relation to the personal information that OxEd holds about you:
- Your right of access. Upon request, OxEd will confirm whether it is processing your personal information and, if so, provide you with a copy of that personal information (along with certain other details). If you require additional copies, a reasonable fee may be chargeable.
- Your right to rectification. If the personal information held about you is inaccurate or incomplete, you’re entitled to have it rectified. If OxEd has shared your personal information with others, it will let them know about the rectification where possible. If you ask, where it is possible and lawful to do so, you will be informed as to whom your personal information has been shared with so that you can contact them directly if you so wish.
- Your right to erasure. Depending upon which lawful basis is been used to process your data, you can ask to have your personal information deleted or removed. If your personal information has been shared with others, OxEd will let them know about the erasure where possible. If you ask, where it is possible and lawful to do so, OxEd will also tell you who your personal information has been shared with so that you can contact them directly if you so wish.
- Your right to restrict processing. Depending upon which lawful basis is been used to process your data, you can ask to have the processing of your personal information ‘blocked’ or suppressed in certain circumstances such as where you contest the accuracy of that personal information or object to it being processed. It won’t stop your personal information from being stored though. OxEd will tell you before any restriction is lifted. If we’ve shared your personal information with others, we’ll let them know about the restriction where possible. If you ask, where it is possible and lawful to do so, OxEd will also tell you who your personal information has been shared with so that you can contact them directly if you so wish.
- Your right to data portability. You have the right, in certain circumstances, to obtain personal information you’ve provided us with (in a structured, commonly used and machine-readable format) and to reuse it elsewhere or ask for it to be transferred to a third party of your choice.
- Your right to object. Depending upon which lawful basis is been used to process your data, you can ask OxEd to stop processing your personal information, and this will occur if OxEd is:
- relying on its own or someone else’s legitimate interests to process your personal information except if OxEd can demonstrate compelling legal grounds for the processing;
- processing your personal information for direct marketing; or
- processing your personal information for research unless such processing is necessary for the performance of a task carried out in the public interest.
- Your rights in relation to automated decision-making and profiling. Depending upon which lawful basis is been used to process your data, you have the right not to be subject to a decision when it’s based on automatic processing, including profiling, and it produces a legal effect, or it similarly significantly affects you.
- Your right to withdraw consent. If OxEd relies upon your consent as the legal basis for processing your personal information, you have the right to withdraw that consent at any time.
- Your right to lodge a complaint with the supervisory authority. If you have a concern about any aspect of OxEd’s privacy practices, including the way that your personal information has been handled, you can report it to the UK Information Commissioner’s Office (ICO). You can find details about how to do this on the ICO website at https://ico.org.uk/ or by calling the ICO helpline on 0303 123 1113.
10. CHANGES TO OXED’S PRIVACY STATEMENT
Any changes OxEd may make to the privacy statement in the future will be made available publicly and, where appropriate, you will be notified by e-mail.
- OxEd may collect information about your computer, including where available, your IP address, operating system and browser type, for system administration and to report aggregate information to advertisers. This is statistical data about users’ browsing actions and patterns and does not identify any individual.
- Cookies cannot be executed as code or used to deliver a virus. Cookies help to improve websites and to deliver a better and more personalised service. Cookies enable OxEd:
- To estimate its audience size and usage pattern;
- To store information about your preferences, and so allow the site to be customised according to your individual interests;
- To speed up your searches;
- To recognise you when you return to the site.
12. WHAT TYPE OF COOKIES DOES OXED USE?
- Mainly, two types of cookies may be used on OxEd websites: session cookies, which are temporary cookies that remain in the cookie file of your browser until you leave the site, and persistent cookies, which remain in the cookie file of your browser for much longer (though how long will depend on the lifetime of the specific cookie and your browser preferences).
- OxEd may use a third party to serve advertisements on its websites. Cookies may be associated with these advertisements to enable the advertiser to track the number of anonymous users responding to the campaign. OxEd does not have access to, or control of, cookies placed by third parties.
- Third party internet sites that you can link to from OxEd’s websites are not covered by this privacy statement, so you are urged to be careful when you enter any personal information online. OxEd accepts no responsibility or liability for your interactions with these sites.
- Other companies which advertise or offer their products or services on OxEd’s websites may also allocate cookies to your PC. The types of cookies they use and how they use the information generated by them will be governed by their own privacy policies and statements rather than OxEd’s.
Questions, comments and requests regarding this privacy statement are welcomed and should be addressed to [email protected] or OxEd and Assessment Ltd, c/o Botting & Co; 8 Clifton Moor Business Village, James Nicolson Link, York, YO30 4XG
* GDPR, CHAPTER II – Principles, Article 5 – Principles relating to processing of personal data. 1. Personal data shall be: (b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);