Edudek - GDPR & Privacy Policy
Edudek: We, Us, Our.
Client: School, College, Academy.
Background
We process data on behalf of our clients to support students' personal and academic development. Given the nature of the data we process, GDPR principles are at the heart of what we do.
Roles
From a GDPR perspective, in all cases encompassed by the Edudek Software, the client is the Data Controller and Edudek is the Data Processor.
Edudek is only the Data Controller when maintaining basic contact details for customers, prospective customers and website/sales enquiries.
Data Collection
Our solutions get the majority of data from the client’s source systems, via regular, secure, encrypted and automated file transfers (SFTP) or encrypted API web services.
Administrators can also add names to configuration tables to allow those names to be anonymised to end users.
Our website has a webform that allows users to request further information.
For more information regarding the personal data we store and process, see the What Personal Information We Collect section below.
Storage
All clients’ data is stored in an ISO27001 certified UK data centre. This is physically and logically isolated from our corporate systems such as email.
Delivery
All our solutions are accessed via the internet and all connections are encrypted using RSA 2048 bit, commonly known as SSL/HTTPS.
Lawfulness, fairness and transparency
We only store and process the data of clients where there is a contractual obligation.
To ensure clients and the data subjects get the best out of the services available, we:
provide training, support and advanced consultancy by highly experienced individuals around the use of our solutions.
ensure clients fully understand how configuration options can be utilised and how such changes will impact the way the system processes the data.
Purpose limitation
Our purpose is to help our clients support the personal and academic development of their students.
Where the client agrees to participate/opt in, we use data in an anonymised format to help schools with benchmarking.
Data minimisation
We receive data from our clients from their management systems. We only store and process data the client has sent us. The data is processed daily. If a client chooses to minimise the data we process within the system, the client can edit the data they pass to us, and the minimisation will be reflected in our systems within 24 hours.
Accuracy
Although we are not a Data Controller in the vast majority of cases, our solution supports the client to audit their data and identify inconsistencies and missing statutory information. We also support our clients in maintaining accurate data and highlight how this is critical to ensure they get the most value out of our solutions. Corrections to data are always completed in the schools’ source systems.
Where we are a Data Controller, we maintain accurate records in order to service our clients and potential clients effectively. The majority of the information we are a Data Controller for is in the public domain. Where we find any discrepancies in our data we amend them immediately.
Storage limitation
The client has full autonomy over the length of time we store their data. Removal of data beyond the specified date will be processed within 24 hours by our automated process.
We retain existing data to protect against system issues arising from a client’s data transfer failing. The longest we would retain this data, in any circumstance, is until the end of the academic year.
Where we store historical data, this data is only stored and processed for as long as is defined in the contractual agreement. The Client can request removal of this historical data at any time.
Client administrators can update configuration data at any time. This data will be stored in the form of backups until it passes the retention period defined by the client.
Integrity and confidentiality (security)
Integrity and Availability
We have numerous layers of failover protection to ensure system availability. The Data Centre has two mains power sources and a generator on standby; it also has two internet connections. Within this facility we have a number of physical servers, each running virtual machines for our solutions. Each of our physical machines has various failsafe measures:
Power inputs, one from each of the data centre sources. Any can fail and the server will function as normal.
Hard drives, 2 drives can fail on each server at the same time and the server will still be fully functional. They are "hot plug", so any failed drive can be replaced while the server is still running and the newly added drive will immediately start to duplicate the data. For this we have standby drives at the data centre so any failed drive can be replaced immediately.
CPUs, if any one fails the server will continue to run. If this happens the server will be replaced within 48 hours.
RAM, the server will continue to function if any are lost. On failure, the RAM will be replaced within 48 hours.
Backups
Backups are available for a maximum of 14 days. The client can choose to reduce this period or retain no backup data within the data retention agreement. Where backups are kept, we can recover data from any point in time.
Backups are held on two separate physical servers, both owned by Edudek Ltd. and hosted in ISO27001 certified data centres in the United Kingdom.
Data Transfer
We support our clients to set up automated uploads to our server via SFTP (encrypted file transfer).
For SFTP services hosted by ourselves, we restrict all access, ensuring only the assigned user can deliver, access, and amend the data.
Where we connect to third-party APIs, we do our utmost to ensure the connection is secure and encrypted by only working with accredited suppliers.
Application
Users are added to the system either on request of, or by the client administrators. Each user is assigned their own username and password to access the systems.
Passwords are:
Long and complex, containing upper and lower case characters, numbers and special characters.
Governed by our policy that no Edudek passwords are used outside of Edudek systems.
Schools can assign varying roles to each user ensuring they only have access to dashboards and data that the school deem appropriate.
Technical Infrastructure
All systems that store and process personal information are stored in UK ISO27001 certified Data Centres and are protected by a firewall. Once behind the firewall, the servers are only accessible via encrypted communications with Multi-Factor Authentication using one-time codes and public keys that only allow specific computers to connect. We also ensure the Anti-Virus, Anti-Spyware, Intrusion Prevention and Application Intelligence technology remains up to date, via regular updates.
Operational
We ensure we minimise risk through the regular completion of Data Protection Impact Assessments (DPIAs), continually reviewing our solutions and infrastructure, and upgrading our processes when new compatible solutions are available.
Servers running schools’ services are on different physical infrastructure and only have the minimum services/software installed to run such services. Services such as email and productivity software (e.g. Excel, Word, PowerPoint) are hosted and run completely independently.
Encryption and data protection are always prioritised over operational efficiencies.
The Data Centre is covered by 24/7 physical security and technical support.
As a clause of our contractual agreement, we have physical supervised access to our Data Centre, ensuring any risk of extended downtime is minimised.
Cookies Policy
Our website offers a choice for consumers to “opt in”. We use website cookies to monitor traffic using Google Analytics and improve our website content. We do not use cookies to create personalised content or advertisements.
The Edudek system uses a small number of cookies to help measure usage, traffic and trends in order to help us improve the service performance.
We operate an "implied consent" policy for the Edudek customer systems which means that it is assumed you are happy with this usage. If you are not happy, then you should either not use the service, or you should delete the cookies having used the service.
Third parties
We will never disclose any personal information we collect about you to a third party without your consent.
Accountability
Accountability and responsibilities for GDPR and Data Protection start at, and are enforced from, the highest levels of management.
The appointed Data Protection Officer (DPO) is a director of the business.
Where at all possible there are technical measures to protect data. In addition to these measures, we enforce policies and procedures for all staff to follow.
To comply with the regulations we keep documentation and systems records on the data protection decisions taken, in addition to the contractual agreements in place.
In the unlikely event of a Data Breach, we would investigate the breach, in addition to reporting to the ICO, any other relevant regulatory or legal body, and all affected parties.
We maintain DPIAs and work with Clients when they are conducting assessments, updating our documents, and responding to queries raised.
We regularly review all data protection policies and DPIAs, considering/evaluating all aspects during any changes. This may even take place before scheduled reviewing periods.
What Personal Information We Collect
We have the ability to collect and process the following information, dependent on what a Client/Data Controller sends us:
Students
Client’s system ids
Name
Starting and Leaving Dates
Gender
DOB
Ethnicity
Pupil Premium Identifier
Free School Meals Identifiers
EAL Identifier
SEND Identifier
Ability Identifier
CLA Identifier
Attendance
Interventions
Positive and Negative Behaviour
Conduct
Staff
Client’s system ids
Name
Staff Codes
Corporate Sales
Contact Name
Work Telephone Numbers
Work Emails
Work Addresses
Individual Data Protection Rights
Under data protection law, you have rights including:
Your right of access - You have the right to ask us for copies of your personal information.
Your right to rectification - You have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.
Your right to erasure - You have the right to ask us to erase your personal information in certain circumstances.
Your right to restriction of processing - You have the right to ask us to restrict the processing of your personal information in certain circumstances.
Your right to object to processing - You have the right to object to the processing of your personal information in certain circumstances.
Your right to data portability - You have the right to ask that we transfer the personal information you gave us to another organisation, or to you, in certain circumstances.
You are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you.
In almost all cases we are not the Data Controller and do not hold enough data in our systems to confirm the identity of an individual. Where a request is received, we will do our best to identify individuals and contact the relevant Data Controller.
Please contact us at DPO@Edudek.co.uk if you wish to make a request.
How to complain
If you have any concerns about our use of your personal information, you can make a complaint to us at DPO@edudek.co.uk.
You can also complain to the ICO if you are unhappy with how we have used your data.
The ICO’s address:
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Helpline number: 0303 123 1113
ICO website: https://www.ico.org.uk
The next review of this policy is to take place no later than 7th Sept 2025