Data Protection Statement
Who are we?
We (“This Is School Ltd”, “TIS” and/or “us” or “we”) ) are an EdTech company who provide online services (the “Services”) to clients who are schools and other educational establishments (“School” or “you”) to help them teach across the curriculum. This is School is a trading name of This Is Language Limited, a company registered in England and Wales whose registered office is at 6-7 Citibase - New Barclay House, 234 Botley Road, Oxford, OX2 0HP, United Kingdom with company number 07792177 .
What are our legal documents?
Terms and Conditions – For all of our School clients. These contain the legal terms and conditions on which we provide our Services to the Schools.
Data Protection Statement – For all of our School clients. It explains how we process the Personal Data that you hold within the School that you share with us.
Usage Policy – For all users of our Services and visitors to our website. It explains what standards we expect of you when you use our website, such as the copyright to our videos.
Privacy Policy –For everyone who visits our site. It explains how we control and protect your Personal Data.
You are currently reading our Data Protection Statement
Who should read this Data Protection Statement?
This Statement should be read by all of our School clients. It explains how we process the Personal Data that you hold that you share with us (“School Personal Data”).
Data Protection Statement
Introduction
In order to carry out our Services for our clients, TIS needs to process certain limited Personal Data about teachers and students which it obtains from its schools. This statement explains how we protect this Personal Data.
OUR Data Protection Managers
TIS has appointed two Data Protection Managers who will deal with all requests and enquiries concerning TIS's uses of School Personal Data and endeavour to make sure that all School Personal Data is processed in compliance with regulations such as the GDPR, FERPA, COPPA etc.
Requests and enquiries should be sent to the Data Protection Managers at gdpr@thisisschool.com
Types of Personal Data we process
- We only process Personal Data for the specific purpose of providing the Services to our clients.
- We only process the absolute minimum of Personal Data to provide the Services.
- As much as possible we keep Personal Data accurate and up-to-data (though we do expect teachers to let us know of name changes, spelling errors or class changes etc).
- We only keep Personal Data for as long as is necessary to perform the services of the contract.
- We make absolutely sure that all Personal Data collected and held is kept as secure as possible against any data breach.
- Because we are an innovative and fast-moving EdTech company it is very important that we apply the principles of GDPR to all future projects. As such the Data Protection Managers will carry out Data Protection Impact Assessments on any new project to check that it will be GDPR compliant.
The types of Personal Data processed by TIS will include:
- Names, email addresses, telephone numbers (where given) and passwords (cryptographically hashed) of teachers.
- Names or aliases, email addresses or usernames and passwords (cryptographically hashed) of students.
- Names, email addresses, telephone numbers, addresses, financial information and other personal details of TIS employees.
TIS is given this Personal Data by the School via its teachers and IT staff. We do not share Personal Data (either Student or Teacher) with any third parties. Some Personal Data may be hosted on third-party software services such as AWS (where we host the website), Xero (where we process accounts) and Campaign Monitor (from where we send out our newsletter). All such third-party software services have publicly available Data Protection statements.
TIS makes use of a number of publicly viewable leaderboards on our Website. We use these to encourage students, classes and teachers. All leaderboards are reset each week. Clients can choose to opt out of being displayed in any leaderboard.
Where Personal Data is kept
Our website is hosted in the EEA and as such School Personal Data is not normally transferred outside of the EEA. However, some of our third party software services (such as Xero where we process accounts and Campaign Monitor from where we send out our newsletter) are hosted outside the EEA. Where School Personal Data is transferred outside the EEA in these cases it is always to third party software services which are hosted in countries which have the sufficient level of data protection as is required by regulations such as the GDPR, FERPA and COPPA. Such third parties all have publicly available Data Protection statements.
Protecting your data
We take the protection of School Personal Data extremely seriously and we always have. In particular we have taken appropriate technical and organisational steps to ensure the security of School Personal Data, including company policies around the use of technology and devices and access to third party management software. All TIS employees and contractors have a copy of this policy, have been made aware of their duties under the GDPR and have received relevant training in how to protect your Personal Data. Such duties include but are not limited to:
- Email – as much as possible we avoid transferring any Personal Data over email.
- Printouts – we make every effort not to print out any Personal Data. If we do for the purposes of carrying out the services we will shred such data once it is no longer needed.
- Storage – any Personal Data the company holds is stored on secure local devices or in third-party cloud services which have the sufficient level of data protection as is required by regulations such as the GDPR, FERPA and COPPA.
- Backups – TIS carries out backups of our Database on a daily basis. These backups are automated.
- Disposal – when Personal Data is no longer needed for the purposes of carrying out the contract such Personal Data will be securely deleted and disposed of.
- Sharing Personal Data – no Personal Data may be shared informally and only those employees or contractors who need access to Personal Data will be given access to it.
- IT Security – we have a comprehensive internal Information Security Policy which all TIS employees and contractors must abide by.
Our organisation
We are a small company and all of our employees are appropriately trained up in this policy. TIS is committed not only to the letter of the law, but also to the spirit of the law and places high importance on the correct, lawful and fair handling of all Personal Data, respecting the legal rights, privacy and trust of individuals with whom we deal.
Data breaches
All Personal Data breaches must be reported immediately to TIS's Data Protection Managers. If a Personal Data breach occurs that is likely to result in a risk to the rights and freedoms of our clients, the Data Protection Managers will liaise with the School to ensure that the Information Commissioner’s Office is informed of the breach without delay and, in any event, within 72 hours after having become aware of it.
Implementation policy
This Policy shall be deemed effective as of 16 May 2018. No part of this Policy shall have retroactive effect and shall thus apply only to matters occurring on or after this date.