Assembly: Data Privacy FAQs

Scope

Answers to some of the questions schools ask before deciding to use Assembly Platform.
For further information about your responsibilities, please read the ICO guidance for education providers and the ICO data protection guidance for schools.

Yes, we only ever work with MIS vendors using their official partnership programmes.

Capita SIMS: we are a SIMS Technical Partner. You can find us listed under Ark UK Programmes on the Capita website. This means we have been checked and verified to read data from SIMS.
Progresso: we are an Advanced Learning Technical Integration Partner.
Bromcom: we are a Bromcom partner.
ScholarPack: we are software partners with ScholarPack.
RM Integris: we are a registered partner on RM Integris Datashare.
Arbor: we are official partners with Arbor.

The Assembly Platform helps you share specific scopes of data with applications of your choice in a secure manner.
We never extract personal data from your MIS unless you have explicitly granted us authorisation to do so through a Data Access Request. Read our guide for more information: Assembly: Controlling access to your school’s data.
Each education application’s Data Access Request will tell you exactly what data will be shared before you choose to authorise it.

We never rent or sell your data for marketing purposes, and only share sensitive information with third parties in instances where we are specifically requested to do so by you.
For example, some services on Platform allow the sharing of your data with third parties (e.g. school improvement charities and curriculum providers). In such circumstances, information is only shared if you give permission, and you control these permission settings through your Platform account.
Access to data is managed via bearer tokens. These can be revoked at any time and must be refreshed frequently to remain active.
Third-party applications on the platform are subject to the Terms of Service and Privacy Policy of the relevant third party, and it is important you read and understand these before engaging with any third-party services through our Platform.

We are fully GDPR compliant.

Consent to access your data requires a positive opt-in and we already make it possible, and clear, to withdraw that consent at any time via the Platform. For more information, consult our terms.

We take privacy and security very seriously.

When thinking about whether to use the Assembly Platform to share data with third-party applications, we encourage you to consider the security of your school’s current data sharing practices, and how you would fulfil the task for which you wish to use Assembly if you did not adopt our Platform.
Given the wide range of security features built into the Assembly Platform, compared to most other data sharing methods, the Assembly Platform will be a security upgrade rather than a security concern.
If you or a colleague have any concerns that remained unanswered after reading this guide, please get in touch and we can help to field any questions you may have.

Our servers are hosted in the Amazon eu-west-1 region (in Ireland).
All personal and sensitive data is kept and transported within the EU or countries which are granted to have Adequate Levels of Protection as defined by the European Commission.
As well as this, all external data transmissions to and from the Assembly Platform are encrypted using modern SSL/TLS protocols and ciphers.
We also encrypt data at rest (when it is stored on a laptop or disk) and have field-level encryption in our database of personally identifiable student-level fields such as name and UPN, as well as the names and contact details of related parents/ guardians.

You have the right to have all your data removed from the Assembly platform at any point in time.
If you wish to do this then you should give us notice by raising a support case with the relevant details, including the subject: Data Removal Request.
We will delete the requested data within 5 working days.

Please let us know as soon as possible by raising a support case with us.
Whilst we are confident that our Platform is highly secure, any potential weakness will be taken seriously and addressed urgently.

We do not look at the data that you choose to store or transport via Platform. The only exception to this is if it is necessary to do so for support or debugging purposes.
If we need to look at your school’s data in Platform, we will ask you explicitly to grant authorisation before doing so. We will revoke this permission once we have finished investigating on your behalf. You can also revoke access yourself at any time from your Platform account.
The only insight gathering we do is by using software such as Google Analytics, but this only tracks non-sensitive metadata (such as what type of user you are, or how long you stayed on a page).
Third parties may look at your data or an anonymised version of it, for example, to assess the impact of an intervention programme. Where this is the case, they should tell you through their privacy policy. We will provide a link to their privacy policy before you authorise the Data Access Request for the application.
If you think anything is unclear, always ask the relevant organisation.
It is your duty as the data controller to make sure you know what data sharing entails.

As the data controller, it is your responsibility to inform parents about your school’s approach to data protection.
If you have a policy in place that covers this, it may already explain your school’s approach to data sharing in a way that covers your use of Assembly.
If you are unsure about whether your current policies cover your use of Assembly, you should consult the ICO or further legal advice.

Our ODP registration number is Z9683573.

We use the following third-party services to collect data in the following ways:

Google Analytics for website analytics. The service collects masked IP addresses.
Convox for IP address whitelisting to prevent DDoS attacks. The service collects IP addresses.
Sentry for monitoring exceptions and errors. IP addresses are collected only when exceptions and errors are generated, and the process is handled entirely in AWS, so there is no external data transfer.
Papertrail for logging. No personal data or IP addresses are recorded.
Full Story to track browser sessions for bugs and issues. Full Story collects IP addresses so that it can associate browser sessions with users. However, we do not send any personal or sensitive data to Full Story. We explicitly block such data from being transferred to the service. Users may also opt-out of Full Story being able to track their sessions using this opt-out link.