Privacy Statement

This statement underpins the policies, promises and contracts we make with schools relating to the education data that Assembly processes.

In conjunction with this document, you should read the Glossary of Terms used within this statement, and also elsewhere on our site.

What is Assembly?

Assembly is a secure, cloud-based platform that connects to your school’s Management Information System (MIS) and extracts key elements of your school’s data and connects them to other applications. These applications allow you to extend, analyse and aggregate data you collect and store in school.

Privacy and Data Protection Statement

1. Introduction

Privacy and security are at the heart of everything we do at Assembly, and our approach incorporates data protection by design and default. This statement explains the key measures we’ve put in place to ensure that a school’s data is kept secure and processed appropriately at all times. It also covers our commitments to you, and what we expect from schools in terms of privacy and data protection.

For further detail, please refer to our full Platform Terms of Service, which provide a full explanation of how we process and protect data as well as what we require from schools to agree to before deciding to use our service.

2. Our Principles

We:

• Process the data received from schools for the purposes of education and school improvement only, and only for those purposes necessary to provide the service explicitly offered to schools
• Adhere strictly to the terms of the General Data Protection Regulation (GDPR) as it applies in the UK, tailored by the Data Protection Act 2018
• Only store and process the minimum data required to provide our services
• Transport and store all personal data originating from schools using modern and best practice encryption technologies. This includes Secure Socket Layers (SSL/TLS) for encrypted data transfer over the internet, encryption of all data at rest, field-level encryption for personally identifiable data and password-protected identities for all end users
• Comply with all Subject Access Requests made relating to the data We store
• Ensure the data We hold about you is correct
• Only retain data for as long as required, and delete all your data if you ask us to do so. We will delete all Your personal and sensitive data after a period of 12 months of inactivity
• Ensure that all data is held securely by taking steps so that data is not corrupted or lost
• Ensure that all staff having access to personal data hold a valid Disclosure and Barring Service certificate
• Always maintain adequate liability insurance
• Audit our services against this pledge every 12 months and provide evidence of compliance to the other party whenever requested
• Report any significant breaches of security to the Data Controller, the Information Commissioner’s Office (ICO) and other authorities, and, in co-operation with the Data Controller, to Data Subjects without undue delay and within 72 hours
• Always notify schools prior to connecting an Assembly application which data that Assembly application needs access to, and allow you to accept or reject that request
• Make the Terms of Service and this Privacy Policy clearly and publicly available on our website
• We may share certain personal information (for which we are a controller under applicable data protection laws) with our affiliates outside the UK including in the US where data protection laws are not deemed to have the same level of adequacy as in the UK or Europe in accordance with the lawful transfer mechanisms such as standard contractual clauses.

We DO NOT:

• Store or transport sensitive data outside of the EEA or outside of countries which are granted to have Adequate Levels of Protection as defined by the European Commission
• Share your data with any third parties except where explicitly requested by you or required by law.
• Use Your data, made available via the Assembly platform, for the purposes of advertising or marketing, or for any purpose other than the service explicitly provided to You
• Transport personal data originating from schools in an unencrypted format
• Claim ownership or exclusive rights over any of the data processed or created as part of services provided to You
• Share information with other third parties except where specifically agreed by the Data Controller or where required by law
• Change any applicable terms of service without giving You the opportunity to opt-out of such changes

3. Security and Encryption

We take every reasonable measure to ensure we store data securely. The Assembly platform is developed using secure technologies, which include, but are not limited to the following:

• All sensitive Assembly data is stored and transported within the EEA or countries which are granted to have Adequate Levels of Protection as defined by the European Commission
• All external data transmissions to and from the Assembly Platform are encrypted using modern SSL/TLS protocols and ciphers
• Encryption at rest i.e. when stored on a disk or laptop
• Pseudonymisation wherever appropriate
• Field level encryption in our database, where we feel it necessary to do so
• We use encrypted passwords with variable permissions according to the user’s role for access to all sensitive information
• All servers are situated in secure locations within the EEA, that comply with the General Data Protection Regulation (GDPR) and the Data Protection Act 2018

4. Staff access to data

Assembly does not look ‘under the hood’ or inspect any of the data we store. The only exceptions to this are where a school has explicitly given us permission to inspect their data; for example, to provide technical support to correct a technical problem. This permission is given on an ‘as needed’ basis and the ability to access the data is revoked once the technical problem is resolved.

All our staff are required to agree that they will abide by the Security and Data Protection Policy at all times and sign a Confidentiality and Non-Disclosure Agreement. All staff and contractors are required to undergo an enhanced Disclosure and Barring Service (DBS) check. From time to time we do use contractors who are not in the EU. Where we do this we ensure that no data is stored or transported outside of the EU using appropriate and secure technologies.

5. Deleting and Retaining Data

We retain personal data on our platform for as long as necessary to provide the Assembly service. If a school deletes our connector, we will delete their personal data within 5 working days. We will also delete personal data after a period of 12 months of inactivity. We will also delete all personal and sensitive data relating to former students automatically on their 25th birthday, regardless of whether a school has asked us to do so.

6. Assembly and Third Party applications

We engage with all Third Parties who wish to access the Assembly Platform and have strict privacy and security criteria. We ask all Third Party Application Developers to sign up to our Developer Agreement which is available here: Third Party Developer Agreement.

Schools are responsible for accepting the terms and conditions of third party applications, however, we make these clearly available through the Assembly platform.

Before we allow Assembly and Third Party Applications to access school data, schools must authorise the requests to connect to their data and review the scopes and groups of data that an application is requesting. These permissions can be revoked at any time by the school. Where an application is requesting personal or sensitive pupil data, this will be specifically highlighted and will require specific authorisation from the school. Schools are responsible for ensuring that personal and sensitive data is processed lawfully, fairly and in a transparent manner.

7. Privacy or Security Breaches

We take all reasonable and necessary precautions to ensure that your data is secure and to recognise and then mitigate the risks to security and privacy. However, it is not possible to 100% guarantee the security of any data transmitted or stored electronically. In the event that a significant breach of security or privacy did occur, Assembly will contact the Data Controller of the affected data, and inform the Information Commissioner’s Office (ICO), and other authorities without undue delay and within 72 hours.

Information for students and parents/guardian

Assembly, as the Data Processor, only has access to Personal Data or Sensitive Personal Data as requested by the school, as Data Controller, and only for the purposes of performing services on a school’s behalf.

Your child’s school remains the Data Controller of any pupil data we process. If you have questions about your or your child’s data or how your school is making use of our service, please contact the school directly. Any pupil or parent/guardian enquiries we receive will be directed to the relevant school as the Data Controller for that child’s or parent’s/guardian’s data.

General Website Privacy

8. Cookies

A cookie is a string of information that a website stores on a visitor’s computer. Assembly uses cookies for purposes such as helping us to identify and track visitors’ usage and preferences. You can disable cookies in your browser if you wish to, although this may mean that some features of our website do not work as they should.

9. Communication

If you are a registered user of the Assembly website, we may occasionally email you with important notices relating to your account. If you have expressed interest in Assembly on the Assembly website and have supplied your email address, we may occasionally send you an email to tell you about new features, ask for feedback or keep you up to date with our products. If you no longer wish to be included on these communications, then You can opt out using the links on those communications, or email [email protected] and we will remove you from the list.

10. Third Party Websites

We cannot be responsible for the privacy policies and practices of other sites even if you access them using links on our website. We recommend that you check the policy of each site you visit and contact the owner or operator if you have any questions or concerns.

If you access our Website from a third party site, we cannot be responsible for the privacy policy and practice of that third party site and recommend that you check the policy of that third party site and contact the owner or operator if you have any questions or concerns.

Cookies

Assembly may place “cookies” on the browser of your computer. Cookies are small pieces of information that are stored by your browser on your computer’s hard drive. Cookies may enhance the convenience and use of the website. For example, the information provided through cookies may be used to recognise you as a previous user of the website (so you do not have to enter your personal information every time), offer personalised information for your use, and otherwise, facilitate your experience using the website.

You may choose to decline cookies if your browser permits but doing so may affect your ability to access or use certain features of the website.

Most web browsers automatically accept cookies, but you can disable this function so that your browser will not accept cookies. Please be aware that disabling this function may impact your use and enjoyment of this Website.

We utilise usage tracking cookies, such as Google Analytics and to offer surveys to our customers for us to better understand how our websites are used and to help us improve our services.

This data does not include personal information other than the IP address of your device. We may link an IP address to information that is personally identifiable.

Cookies For Remarketing

This website collects data for the purposes of running online remarketing campaigns on website visitors. By agreeing to this privacy policy, you are giving permission to serve ads based on your browsing history on this website.

Third-party vendors, such as Google, show our ads on websites across the internet.

Data is collected using Cookies. Cookies are used to serve ads based on someone’s past visits to a website.

The type of data collected and used for remarketing includes items such as the URL and referrer URL for the website that triggers a tag hit, the custom parameters used in your tracking tag and any resulting remarketing list memberships.

Of course, any data collected will be used in accordance with our own privacy policy, as well as Google’s policies.

Information about how visitors disable Google’s cookies can be found by clicking here.

Questions and Grievances

If you have any questions or grievances in relation to security or privacy, please email us on [email protected].