Privacy Notice – Glow May 2018


Post on 19-Oct-2020


Name of Policy: Glow Privacy Notice

Description of Policy: This Privacy Notice is an external document and is a requirement of the GDPR. This document has been tailored from SG’s privacy notice to reflect Glow’s use of personal information.

Policy Number:

Policy Status: ☐ New ☒ Revision of Existing Policy ☐ Withdrawal of Policy ☐ Scottish Government Adopted

Author: Michael Moynihan, Information and Security Officer

Owner and business area: Information and Security Officer, Education Scotland

Approver (Assistant director or above): SMT

Approval Date: May 2018

Effective Date: May 2018

Date of Next Policy Review*: May 2019

Frequency of review: Annual

Date of review:

* Unless otherwise indicated, this policy will still apply beyond the review date.

Description of Amendment:

Related Legislation, Strategies, Policies, Procedures, Guidelines and Local Protocols: Data Protection Policy; Education Scotland Privacy Notice


Contents

1 Responsibilities
2 Privacy Information
3 Privacy Notice – How We Process Your Personal Information
  3.1 Why Do We Process Personal Information?
  3.2 Who Do We Process Information About?
  3.3 Who Do We Share Information With?
  3.4 Information Sharing Principles
  3.5 Definitions
  3.6 Name and Contact Details of the Controller
4 Contacting Us through Report a Concern Form
5 How to Request Personal Information – Subject Access Requests
6 The Data Protection Officer for Education Scotland
  6.1 Contact Details of the Lead Supervisory Authority
7 Glow Services
  7.1 User Profile Information
  7.2 User Generated Content
  7.3 Glow Blogs
  7.4 Glow Office 365 Forms Surveys
8 Cookies
  8.1 Where do I find information about controlling cookies through my browser?
  8.2 Cookies used in Glow
    8.2.1 RM Unify
    8.2.2 Office 365
    8.2.3 Digital Learning Community (digilearn.scot)
    8.2.4 Glow Connect
    8.2.5 Glow Blogs
    8.2.6 Glow Report a Concern
9 Other Information We Collect
10 Links to Other Websites
11 Rights of the Data Subject
12 Legal Basis for the Processing
  12.1 The Legitimate Interests Pursued by the Controller or by a Third Party
  12.2 Personal Data Retention Periods
  12.3 Contractual Obligation of the Data Subject to Provide Personal Data and the Possible Consequences of Failure to Provide Such Data
  12.4 Data Protection for Employment & Recruitment Procedures
13 General
14 Changes to This Notice
15 How to Contact Us
Appendix A – Glow’s Abbreviated version of the Policy Notice for websites


1 Responsibilities

In line with the HMG Security Framework requirements for appropriate security governance structure, Education Scotland has both a Senior Information Risk Owner (SIRO) and an Information Asset Owner (IAO). The SIRO role is to ensure information security policies and procedures are fit for purpose and are reviewed and implemented across all of Education Scotland’s business functions. These policies and procedures aim to ensure that the requirements of confidentiality, integrity and availability are maintained.

The Information Asset Owner role is to understand what information is held by Education Scotland, what is added and who has access and why – providing assurance to the SIRO and ensuring that the information is fully used within the law for the public good.

All Education Scotland staff and contractors are trained in and are aware of their responsibilities as set out in these policies.

2 Privacy Information

We will apply appropriate protection and management of any personally identifiable information you share with Education Scotland. Any personal information you do provide will be held and processed by Education Scotland in accordance with the Data Protection Act 1998 (DPA) and the EU General Data Protection Regulation (GDPR). We will not pass on your details to any third party unless you give Education Scotland permission to do so.

3 Privacy Notice – How We Process Your Personal Information

Any personal information provided to Education Scotland will only be used to discharge our statutory functions and other relevant legislation, maintain our accounts and records and to support and manage our staff. We will only use information for those purposes, but we will share it with others for other purposes where it is legal and justifiable.

At Education Scotland, we manage, maintain and protect all information according to the requirements of the DPA and other legislation. We also adhere to our own information policies and government best practice.

In certain circumstances, we may process your personal information without your consent, and/or we may restrict your access to the information we hold about you. Such circumstances would only arise in relation to our statutory obligations. In these circumstances, there are exemptions from the DPA.

Education Scotland takes your privacy seriously and is committed to responsible handling of personal information in accordance with our Information Charter, which is as follows.

We will:

- make sure you know why we need it.
- ask only for what we need and not to collect too much or irrelevant information.
- protect it and make sure nobody has access to it who should not.
- let you know if we share it with other organisations to give you better public services - and if you can say no.
- make sure we do not keep it longer than necessary.
- not make your personal information available for commercial use without your permission.

3.1 Why Do We Process Personal Information?

We process personal information to: enable Education Scotland to improve the quality of the country's education system; maintain our accounts and records; and to support and manage our staff.

3.2 Who Do We Process Information About?

We process a range of personal information concerning: Local Authority schools, Independent Schools, Early Years Establishments, Higher and Further Education Establishments, Scottish Education Partners, our employees; suppliers; and service providers.

3.3 Who Do We Share Information With?

We may sometimes share your personal information with other organisations. This includes our suppliers and service providers as well as public sector bodies. We can be ordered to share data by some of these bodies, such as Police Scotland and the Crown Office and Procurator Fiscal Service. In other cases, the requirement or permission to share data is specified in legislation.

All sharing occurs only in clearly defined circumstances and within the legislative bounds set by the DPA. Information disclosed will be proportionate, relevant and appropriate for the purpose it is being shared for and will be transferred in a secure manner, making it available to authorised users only.

It may sometimes be necessary to transfer personal information overseas, for example if our IT provider is based outwith the UK. Any transfers made will be in full compliance with all aspects of the DPA.

3.4 Information Sharing Principles

The following key principles are applied in respect of all information shared on our internal systems.

- All information sharing must occur within the bounds of the DPA, Privacy and Electronic Communications Regulation (PECR), the GDPR and the European Convention on Human Rights (ECHR), in that it should be proportionate, relevant and appropriate for the purpose it is being shared.
- All sharing must be evidenced, accounted for and recorded.
- All sharing should take place within the bounds of any agreed Data Sharing Agreements.
- Each undertaking of sharing requires a decision to be made – so it is expected that information will not follow the data subject unless completely necessary.
- Information about a data subject which is required for the purposes of gaining access to Glow will not be shared by Glow services for any other purpose unless it is necessary to safeguard, support and promote the data subject’s wellbeing.
- Confidentiality and respecting a data subject’s right to privacy will be the default position in respect of any decision to share information with others.

3.5 Definitions

The data protection notice of Education Scotland is based on the terms used by the European legislator for the adoption of the GDPR but for ease of understanding, the following definitions apply.

Controller: The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

Personal data: Any information relating to an identified or identifiable natural person ("Data Subject"). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Data subject: Any identified or identifiable natural person, whose personal data is processed by the controller responsible for the processing.

Processor: A natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller.

Recipient: A natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities that may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall comply with the applicable data protection rules according to the purposes of the processing.

Third Party: A natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.

Restriction of processing: The marking of stored personal data with the aim of limiting their processing in the future.

Processing: Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Profiling: Any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

Consent: Consent of the data subject is any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

3.6 Name and Contact Details of the Controller

Education Scotland
Denholm House
Almondvale Business Park
Almondvale Way
Livingston
EH54 6GA

Tel: 0131 244 4330

4 Contacting Us through Report a Concern Form

We have a legal duty to protect any information we collect from you through our Report a Concern form. The information we compile and process relating to your concern will be treated in accordance with, and subject to, the provisions of statute and regulations currently in force including the DPA, Privacy and Electronic Communications Regulation (PECR), the GDPR, and the Freedom of Information (Scotland) Act 2002.


We will only use the information you provide for the purposes of processing your concern, and will only allow access to those for whom it is necessary for those purposes.

5 How to Request Personal Information – Subject Access Requests

The DPA gives you the right to know what information is held about you, and sets out rules to make sure that this information is handled properly.

All requests from members of the public, including Local Authorities and our staff, for access to their personal information held by Education Scotland should be made by sending a completed Subject Access Request form found on the Education Scotland corporate website to:

Education Scotland
Denholm House
Almondvale Business Park
Almondvale Way
Livingston
EH54 6GA

Alternatively by email, to: [email protected]

We will action your request without undue delay and at latest within 30 days of receiving the completed form along with proof of ID - original proof of your identity bearing your name i.e. passport, driving licence, birth certificate (or certificated copy) or at least 2 official letters such as from a utility company.

Please note that you do not have to complete the form to make a Subject Access Request (SAR). You can make a request in writing; however, completion of the form can assist in gathering all necessary information to aid the processing of your request.

Each request will be considered on its own merits. If you have any issues or queries please contact Education Scotland at the above address/email.

6 The Data Protection Officer for Education Scotland

A Data Subject may contact our Data Protection Officer, Brian Taylor, Acting Strategic Director for Governance and Assurance directly with any enquiries relating to Data Protection.

6.1 Contact Details of the Lead Supervisory Authority

Information Commissioner's Office
45 Melville Street
Edinburgh
EH3 7HL

Tel: 0303 123 1115

7 Glow Services

Depending on which Glow services you use, we collect and use different kinds of information from or about you. This information may include:

- User profile information;
- User generated content;
- General queries and concerns; and
- Site usage information (from session cookies, JavaScript and log files).

We also process sensitive classes of information that may include:

Offences and alleged offences

We process personal information about our:

- Users and customers
- Clients and employees
- Complainants and enquirers
- Suppliers
- Advisers and other professional experts

We sometimes need to share the personal information we process with the individual themselves and with other organisations. Where this is necessary, we are required to comply with all aspects of the DPA, Privacy and Electronic Communications Regulation (PECR) and the GDPR as it applies. What follows is a description of the types of organisations we may need to share some of the personal information we process with for one or more reasons.

Where necessary or required we share information with:

- Business associates and other professional advisers
- Current, past or prospective employers
- Educators and examining bodies
- Suppliers and services providers

7.1 User Profile Information

Glow receives user information from SEEMiS, the Management Information System used in Scottish Local Authority schools.

User personal information is necessary for Glow to deliver services to you and includes the following:

- Forename
- Surname
- Username
- Display Name (this can be different to Username if they are required to be protected)
- Role
- School
- Glow email address
- Local authority
- Year of Entry (Pupils only)
- Group data – such as stage (P1-P7, S1-S6) and teaching groups.

The following additional personal information is used in the account management process and so, whilst held on Glow, is only visible to Education Scotland and its subcontracted system administrators (Administrators are bound by contracts and are background checked):

Date of birth Home email address Management Information System (MIS) SEEMiS Identifier Pupil/Teacher Identifiers Other establishment designators (e.g. HE/FE colleges, universities, etc.)

7.2 User Generated Content

Glow provides services such as Blogs, Microsoft Office 365 including Yammer, SharePoint and Google’s G Suite for Education etc. where it is possible for you to submit content. This content could be available to others who visit these services. Any personal information contained in User Generated Content you submit could be read, viewed, collected, or used by others within Glow or in some cases by users outside Glow. Therefore, you should have no expectation of privacy with respect to User Generated Content you submit on or through Glow services. You should not submit any user generated content you do not wish to make available to the public, and you must take special care to make sure your submissions comply with the Glow Community Rules.

In particular, your submissions must not violate the privacy or other rights of other users.

7.3 Glow Blogs

Education Scotland use Glow Blogs to gather feedback from Glow users. Only Education Scotland staff will have access to your personal details if you have chosen to share them with Education Scotland. Education Scotland staff will analyse the survey responses and might go back to the survey respondent for further discussions - but only if they have agreed to be contacted in their survey response. 

Survey responses will be anonymised (unless clearly stated and consent given) and shared with other Glow Blogs users in order to make the approach we are taking more collaborative and to make the requirements gathering process more efficient.


Education Scotland will provide analysis of survey responses to Glow suppliers in order to inform developments in functionality. No personally identifiable information will be included in the analysis. 

All survey responses you submit will be directly stored in Glow Blogs and all personal data Glow services collect will be processed according to the requirements of the DPA, Privacy and Electronic Communications Regulation (PECR) and the GDPR. Any personal data that you pass to Education Scotland, irrespective of format, will be processed in a way that is lawful and fair. It will only be used for the purposes for which you have provided this information and will only be held onto for as long as necessary for these purposes, which will be a maximum of 12 months.

7.4 Glow Office 365 Forms Surveys

Information about Glow users is collected through our Glow Office 365 Forms survey, which is one of the services provided by Microsoft through their Online Productivity Suite for Education. Only Education Scotland staff will have access to the results and they will analyse the survey responses. They might go back to the survey respondent for further discussions - but only if they have agreed to be contacted in their survey response.

Education Scotland will provide analysis to Glow suppliers in order to inform developments in functionality. No personally identifiable information will be included in the analysis.

All survey responses you submit will be directly stored in Glow and all personal data Glow services collect will be processed according to the requirements of the DPA, Privacy and Electronic Communications Regulation (PECR) and the GDPR. Any personal data that you pass to Education Scotland, irrespective of format, will be processed in a way that is lawful and fair. It will only be used for the purposes for which you have provided this information and will only be held onto for as long as necessary for these purposes, which will be a maximum of 12 months.

8 Cookies

Education Scotland websites use cookies. Cookies are text files that are stored in a computer system via an Internet browser. Many websites and servers use cookies. Many cookies contain a cookie ID. A cookie ID is a unique identifier of the cookie. It consists of a character string through which Internet pages and servers can be assigned to the specific Internet browser in which the cookie was stored. This allows visited websites and servers to differentiate the individual browser of the data subject from other Internet browsers that contain other cookies. A specific Internet browser can be recognised and identified using the unique cookie ID. With cookies, Education Scotland can provide the users of this website with more user-friendly services that would not be possible without the cookie setting. Please read our Cookies Policy for more information.

By means of a cookie, the information and offers on our website can be optimised with the user in mind. Cookies allow Education Scotland to recognise our website users. The purpose of this recognition is to make it easier for users to utilise our website. For example, a website user that uses cookies does not have to enter access data each time the website is accessed, because this is taken over by the website, and the cookie is thus stored on the user’s computer system. The data subject may, at any time, prevent the setting of cookies through our website by means of a corresponding setting of the Internet browser used, and may thus permanently deny the setting of cookies. Furthermore, already set cookies may be deleted at any time via an Internet browser or other software programs. This is possible in all popular Internet browsers. If the data subject deactivates the setting of cookies in the Internet browser used, not all functions of our website may be entirely usable.

8.1 Where do I find information about controlling cookies through my browser?

- Internet Explorer - Link to Microsoft help – How to delete cookie files in Internet Explorer
- Chrome - Link to Chrome help – Manage cookies
- Firefox - Link to Firefox help – Give certain websites the ability to store passwords, set cookies and more
- Apple browsers including Safari - Support for cookies

8.2 Cookies used in Glow

Information on the cookies used in each of the Glow services can be found below:

8.2.1 RM Unify

RM Unify provides a launch pad to Glow services and resources. It is the authentication service used by Glow that allows users to access a number of online resources for education using a username and password.

This service is provided by RM Education. Please see the RM Cookie Policy for more information on the cookies set by this service.

8.2.2 Office 365

Microsoft Office 365 is a cloud-based package that incorporates a number of Microsoft applications such as Outlook, Office Online, OneDrive, Yammer, Delve, SharePoint, etc.

Please see the Microsoft Online Services Privacy Statement for details and further information on the cookies set and used by these applications.

8.2.3 Digital Learning Community (digilearn.scot)

The Digital Learning Community brings together all those who have an interest in the ways in which digital technology can support, enhance and improve learning and teaching.

Digilearn Scot is hosted on WordPress.com, hence, please see their cookie policy for more information on the cookies set.

8.2.4 Glow Connect

Glow Connect is for learners and educators across Scotland who want to get started with Scotland’s new Glow services. It also provides news about Glow services and events and connects users to our other sites and content.

Glow Connect is hosted on WordPress.com, hence, please see their cookie policy for more information on the cookies set.

8.2.5 Glow Blogs

Glow Blogs is a service based on WordPress and makes use of a number of third party plugins. The following is a list of cookies used by Glow Blogs which include those set by WordPress or the Jetpack plugin.

Sites hosted on Glow Blogs also make use of different third party applications and services to enhance the experience of website visitors. These include social media platforms such as Facebook and Twitter (through the use of sharing buttons), or embedded content from YouTube and Vimeo. As a result, cookies may be set by these third parties, and used by them to track your online activity. Glow or WordPress have no direct control over the information that is collected by these cookies.

| Cookie | Description |
| --- | --- |
| wordpress_logged_in | Identifies that a user is logged in |
| wordpress_sec | Used for authentication of the user |
| wordpress_test_cookie | Checks if the user has cookies enabled |
| wp-settings | Stores user’s admin preferences, for example whether the post editor opens with the ‘Visual’ or ‘Text’ tab, or whether the posts list table is displayed in the normal or condensed view |
| wp-settings-time | Stores the time the above cookie was last changed |
| comment_author | Stores the name as entered by a non-logged-in user who leaves a comment |
| comment_author_email | Stores the email as entered by a non-logged-in user who leaves a comment |
| comment_author_url | Stores the url as entered by a non-logged-in user who leaves a comment |
| wp-postpass | Used to authenticate a user to view a password protected post |
| wp-saving-post | Helps with the process of saving and auto saving of posts in a blog |
| jetpackState | Set by Jetpack plugin. Used to store actions/error messages for display |
| Comments | Set by Jetpack plugin |
| Protect | Set by Jetpack plugin to identify Maths anti-spam question |
| Minleven | Set by Jetpack plugin to identify whether a mobile or desktop version of the site has been requested |

 

8.2.6 Glow Report a Concern

| Cookie | Description |
| --- | --- |
| PHPSESSID | Identifies the user’s session. This is done to store the spam captcha for validation. |

9 Other Information We Collect

Log files allow Education Scotland to capture and store information about your visit to our online services such as IP address from which you access Education Scotland websites, the type of browser that you use, date and time of your visit etc. Log files do not contain any personal information or information about which other sites you have visited.

10 Links to Other Websites

This privacy notice does not cover the links within Education Scotland that link to other third party websites. We encourage you to read the privacy statements on the other websites you visit.


11 Rights of the Data Subject

The GDPR affords rights to EU Data Subjects. These rights are summarised below. In order to assert any of these rights, the Data Subject may contact the Data Protection Officer designated by Education Scotland or another employee at any time.

The right to be informed: Each data subject shall have the right to obtain from the controller the confirmation as to whether or not personal data concerning him or her are being processed.

The right of access: Each data subject shall have the right to obtain from the controller, free information about his or her personal data stored at any time and a copy of this information. Furthermore, the data subject shall have a right to obtain information as to whether personal data are transferred to a third country or to an international organisation. Where this is the case, the data subject shall have the right to be informed of the appropriate safeguards relating to the transfer.

The right to rectification: Each data subject shall have the right granted by the European legislator to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

The right to erasure: Each data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay, and the controller shall have an obligation to erase personal data without undue delay where one of the statutory grounds applies, as long as the processing is not necessary.

The right to restrict processing: Each data subject shall have the right granted by the European legislator to obtain from the controller restriction of processing where a statutory reason applies.

The right of data portability: Each data subject shall have the right granted by the European legislator, to receive the personal data concerning him or her, which was provided to a controller, in a structured, commonly used and machine-readable format.

The right to object: Each data subject shall have the right to object, on grounds relating to his or her particular situation, at any time, to the processing of personal data concerning him or her.

12 Legal Basis for the Processing

The legal basis for processing shall be where:

The data subject has given consent to the processing of his or her personal data for one or more specific purposes;

Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

Processing is necessary for compliance with a legal obligation to which the controller is subject;

Processing is necessary in order to protect the vital interests of the data subject or of another natural person;

Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject, which require protection of personal data, in particular where the data subject is a child.

12.1 The Legitimate Interests Pursued by the Controller or by a Third Party

Where the processing of personal data is based on our legitimate interest, it is to carry out our business in favour of the well-being of all our employees and stakeholders.

12.2 Personal Data Retention Periods

The criterion used to determine the retention period of personal data is the respective statutory retention period within the Member State. After the expiration of that period, personal data shall be securely deleted, as long as it is no longer necessary for the fulfilment of the contract, the initiation of a contract or in relation to other legal proceedings.

12.3 Contractual Obligation of the Data Subject to Provide Personal Data and the Possible Consequences of Failure to Provide Such Data

For clarity, the provision of personal data is partly required by law or can also result from contractual provisions. Sometimes, in order to conclude a contract, it may be necessary for the data subject to provide Education Scotland with personal data, which must subsequently be processed by Education Scotland. The data subject is, for example, obliged to provide Education Scotland with personal data when Education Scotland signs a contract with him or her. The non-provision of the personal data would have the consequence that the contract with the data subject could not be concluded.

12.4 Data Protection for Employment & Recruitment Procedures

The data controller shall collect and process the personal data of applicants for the processing of the application procedure. The processing may also be carried out electronically. This is the case, in particular, if an applicant submits corresponding application documents by email or by means of a web form on the website to the controller. If the data controller concludes an employment contract with an applicant, the submitted data will be stored for processing the employment relationship in compliance with legal requirements. If the controller concludes no employment contract with the applicant, the application documents shall be automatically erased six months after notification of the refusal decision, if no other legitimate interests of the controller are opposed to the erasure. Other legitimate interests could be complying with country specific legislation, e.g. the UK Equality Act 2010.

13 General

You may not transfer any of your rights under this privacy notice to any other person. We may transfer our rights under this privacy notice where we reasonably believe your rights will not be affected.

If any court or competent authority finds that any provision of this privacy notice (or part of any provision) is invalid, illegal or unenforceable, that provision or part-provision will, to the extent required, be deemed to be deleted, and the validity and enforceability of the other provisions of this privacy notice will not be affected.

Unless otherwise agreed, no delay, act or omission by a party in exercising any right or remedy will be deemed a waiver of that, or any other, right or remedy.

This notice will be governed by and interpreted according to the law of Scotland. All disputes arising under the notice will be subject to the exclusive jurisdiction of the Scottish courts.

14 Changes to This Notice

This notice was last updated in May 2018. We may change this policy by updating this page to reflect changes in the law or our privacy practices. However, we will not use your Personal Data in any new ways without your consent.

15 How to Contact Us

If you want to request information about our privacy policy, you can email Education Scotland on [email protected]

An abbreviated version of this policy notice can be found in Appendix A.

Appendix A – Glow’s Abbreviated version of the Policy Notice for websites

Education Scotland and GDPR - Our Commitment to Data Privacy

Education Scotland is committed to compliance with the EU General Data Protection Regulation (GDPR), which came into effect on May 25th 2018. The regulation contains the most significant changes to European data privacy legislation in the last 20 years. It is designed to give EU citizens more control over their data and seeks to unify a number of existing privacy and security laws under one comprehensive law.

What Are the Key GDPR Requirements

Education Scotland is committed to helping individuals fulfill their requirements under the GDPR.

The following are a few examples of the key GDPR requirements that apply to both individuals and ourselves:

Committing to security and privacy measures required under the GDPR.

Assisting our customers with satisfying their GDPR data security and privacy requirements as described in our full Glow Privacy Notice [insert hyperlink ]

Notifying regulators of personal data breaches on our systems and promptly communicating any such breaches to our stakeholders and end-users.

Ensuring that when our staff access and process our users’ personal data, they are bound to maintain the confidentiality and security of that data.

Ensuring that all personal data is held to the applicable data management, security and privacy standards required under the GDPR.

Committing to carrying out data impact assessments and consulting with the Information Commissioner's Office where appropriate.

Privacy Information

We will apply appropriate protection and management of any personally identifiable information you share with Education Scotland. Any personal information you do provide will be held and processed by Education Scotland in accordance with the Data Protection Act 1998 (DPA) and the GDPR. We will not pass on your details to any third party unless you give Education Scotland permission to do so.

Privacy Notice – How We Process Your Personal Information

Any personal information provided to Education Scotland will only be used to discharge our statutory functions and other relevant legislation, maintain our accounts and records and to support and manage our staff. We will only use information for those purposes, but we will share it with others for other purposes where it is legal and justifiable.

At Education Scotland, we manage, maintain and protect all information according to the requirements of the DPA and other legislation. We also adhere to our own information policies and government best practice.

In certain circumstances, we may process your personal information without your consent, and/or we may restrict your access to the information we hold about you. Such circumstances would only arise in relation to our statutory obligations. In these circumstances, there are exemptions from the DPA.

Education Scotland takes your privacy seriously and is committed to responsible handling of personal information in accordance with our Information Charter, which is as follows.

We will:

make sure you know why we need it.

ask only for what we need and not collect too much or irrelevant information.

protect it and make sure nobody has access to it who should not.

let you know if we share it with other organisations to give you better public services - and if you can say no.

make sure we do not keep it longer than necessary.

not make your personal information available for commercial use without your permission.

How to Contact Us – Glow

If you want to request information about our privacy policy, you can email Education Scotland on [email protected]

Education Scotland
Denholm House
Almondvale Business Park
Almondvale Way
Livingston EH54 6GA

T +44 (0)131 244 4330
E [email protected]

www.education.gov.scot

© Crown Copyright, 2017

You may re-use this information (excluding images and logos) free of charge in any format or medium, under the terms of the Open Government Licence providing that it is reproduced accurately and not in a misleading context. The material must be acknowledged as Education Scotland copyright and the document title specified.

To view this licence, visit http://nationalarchives.gov.uk/doc/open-government-licence or e-mail: [email protected]

Where we have identified any third party copyright information you will need to obtain permission from the copyright holders concerned.
