1.About this document
If you are a teacher or other member of staff at an educational establishment
1.2. We will collect and process the following data about teachers (which include any staff engaged by the educational establishment who utilise the Software) in connection with registration for the Software:
1.2.1. The information which may be collected includes name, e-mail address, password, educational establishment name and location details, together with other optional information such as a contact number.
1.3. The information will be collected from:
1.3.1. the person granted administrative rights on behalf of the educational establishment at which you work (if the educational establishment has registered); or
1.3.2. you, the individual teacher (where the individual teacher has registered).
The information we use is collected from inbound calls which we receive and/or manually completed paper forms which are completed by you or the educational establishment at which you work in connection with the registration for the Software or in connection with any correspondence with us by phone, e-mail or otherwise in respect of assistance with and maintenance we provide for the Software.
1.4. We will also collect and process personal data about teachers (or other staff engaged by the educational establishment who utilise the Software) if that educational establishment opts to receive our training and assistance in respect of the Software (the “Services“). The information is collected from forms which are completed online in connection with the registration for the Services or in connection with any correspondence with us by phone, e-mail or otherwise. The information which may be collected includes name, e-mail address, password, educational establishment name and location details, together with other optional information such as a contact number.
If you are a student using the Software or another user of the Software:
- If you are a student using the Software or another user of the Software:
1.5.1. The Software enables the educational establishments, teachers and / or teaching assistants to make the Software available to specific students. Students or other users will only be able to access the Software if the educational establishment/teacher has provided the student or other user with the appropriate access. Personal information about students can only be entered into the Software by personnel of the educational establishment or by Lexia US or us, under the instruction of the educational establishment.
1.5.2. The Software collects and stores personal data created by users of the Software (e.g., reading performance and progress data) which is linked to each user’s respective personal information.
1.5.3. The information which will be collected from users of the Software in connection with registering to use the Software includes:
18.104.22.168. Full name;
22.214.171.124. User ID / name;
126.96.36.199. Education establishment; and
188.8.131.52. Year / class.
When information is inputted (either by personnel of the educational establishment or by us, if we are instructed to do so by the educational establishment), that information can be anonymised. A user’s full name is not required to access the Software. If we input a user’s information, we shall input the information which we are asked to by the educational establishment.
1.5.4. If the educational establishment elects to do so, additional optional data (including special category data) about a user of the Software may be provided, including:
184.108.40.206. Date of birth;
220.127.116.11. Any educational requirements (e.g. instructional language).
1.5.5. When using the Software, Lexia US will automatically connect additional information including the type of mobile device that is being used (if relevant), operating system version and the device identifier. The Software does not ask a student user for or track any granular location-based information from a user’s mobile device at any time when using the Software.
1.6. Student accounts are usually created by teachers or school administrators, or by us if we are asked by the educational establishment to create accounts for students.
By creating an account on the Software, the educational establishment is providing consent and authorisation for Lexia US and/or us to store and process personal data about those students for the purposes of providing the Software and/or the Services.
1.7. Certain data generated through the use of the Software may be de-identified so that it is no longer classed as personal data. We and/or Lexia US may use this de-identified data for lawful purposes, including product and service improvement, product and service analysis, educational research and/or statistical assessment.
We may send Lexia US personal data for purposes relating to the Software and Services, for example, in order to:
1.8.1. setup a trial account for the Software for an educational establishment;
1.8.2. to process and progress a sale of the Software and/or Services that we have made with an educational establishment;
1.8.3. to address technical or services-related support to our educational establishment customers, prospects and users.
1.9. In using the Software and/or accessing and using our Services, we will process personal data (which may be held on paper, electronically, or otherwise) about you and we recognise the need to treat your personal data in an appropriate and lawful manner, in accordance with data protection legislation, including the General Data Protection Regulation (“GDPR“) and the Data Protection Act 2018 (the “DPA“). The purpose of this Policy is to make you aware of how we will handle your personal data.
1.11. Our Data Protection Representative is Norman Robinson, Chief Operating Officer, who can be contacted at LexiaUK, Level 8 Trinity Gate, 32 West Street, Gateshead, Tyne & Wear, NE8 1AD or at firstname.lastname@example.org.
2.Data protection principles
We will comply with the data protection principles in the GDPR, which say that personal data must be:
2.1.1. Processed fairly, lawfully and in a transparent manner.
2.1.2. Obtained for specified, explicit and lawful purposes and processed compatibly with those purposes.
2.1.3. Adequate, relevant and not excessive for the purpose(s) for which it is processed.
2.1.4. Accurate and up-to-date.
2.1.5. Kept in a form which enables identification of individuals no longer than necessary for the purposes for which it is processed.
2.1.6. Processed subject to appropriate security measures.
2.2. “Personal data” means recorded information we hold about you from which you can be identified. It may include contact details, other personal information, photographs, expressions of opinion about you or indications as to our intentions about you. “Processing” means doing anything with the data, such as accessing, disclosing, destroying, profiling or using the data in any way.
“Special category data” includes information about a person’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data (such as data relating to the inherited or acquired genetic characteristics of an individual), biometric data (for the purpose of uniquely identifying an individual), data concerning an individual’s health (including both physical and mental health), sex life or sexual orientation. Criminal data is not included within the definition of special categories of data but if we process criminal data we will use the same safeguards we operate in respect of special categories of data.
2.3. “Profiling” means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movement.
3.How we make sure processing of your personal data is fair and lawful
3.1. We will usually only process your personal data where you have given your consent or where the processing is necessary to comply with our legal obligations. In other cases, we may need to process your personal data for the protection of your vital interests, for our legitimate interests or the legitimate interests of third parties, or to comply with contractual requirements
3.2. We typically require the following personal data from you to enable us to comply with statutory or contractual requirements or obligations:
3.2.1. Name of educational establishment, contact name, position at the educational establishment, contact telephone number and email address.
If you fail to provide us with such personal data, there may be the following consequences:
- LexiaUK will be unable to provide the Services requested;
- you will be unable to use the Software
3.3. We will only process “special category data” where a further condition is also met. Usually this will mean that you have given your explicit consent to the processing of such data (although there are sometimes other processing conditions that we can rely on, for example if the processing is necessary for the establishment, exercise or defence of legal claims).
What are our legitimate interests or the legitimate interests of a third party?
3.4. We consider that in some circumstances the processing of your personal data is necessary for our, or a third party’s, legitimate interests, which include:
3.4.1. providing you with the Services that you have requested from us;
3.4.2. ensuring that the information you provide us with is accurate and up-to-date at all times;
3.4.3. ensuring that students can continue to access the Software;
3.4.4. ensuring that the correct students can access the Software;
3.4.5. ensuring that you receive the right training and Services from us;
3.4.6. ensuring that you are kept up-to-date with matters that relate to our services.
4.How and why we process your personal data
4.1. We will process data about you for the following purposes:
If you are a teacher or an employee at the educational establishment
4.1.1. to process the order that you have made for the purchase of the Software;
4.1.2. to discuss providing the Services to you, if this is something that you express an interest in;
4.1.3. to provide marketing information to you in respect of our Services;
4.1.4. to provide the Services, where requested by you;
4.1.5. to help support and maintain the Software and the Services;
4.1.6. to properly administer access rights to the Software;
4.1.7. data migration, where required;
4.1.8. to help keep the Software safe, accessible and secure; and
If you are a student using the Software
We will process your data:
4.1.9. by viewing and processing your personal data that is available via the Software. We will only process your personal data in such a way if we are asked or instructed to do so by your educational establishment, including according to the terms of our Contract with your educational establishment;
4.1.10. when the Software is being setup or at the start of a new academic year. Your educational establishment can either setup each student individually in the Software, or we can import each student’s data into the Software if we are asked to do so by your educational establishment. If we are asked to do so by the educational establishment, they will provide us, via a secure file transfer medium, with a spreadsheet containing each student’s name and we import the student data into the Software on the educational establishment’s behalf;
4.1.11. when a new version of the Software is released and your educational establishment is required to ‘migrate’ your data to the new version of the Software. This migration is under instruction from Lexia US whereby we use data from the Software and, from time to time, data we are provided by Lexia US which has been exported from the Software;
4.1.12. to help keep the Software safe, accessible and secure
4.2. Your personal data is likely to be processed by us in both paper and electronic form.
4.3. We may process special category data relating to you including in order to comply with legal requirements and obligations to third parties.
5.Only processing the personal data that we need to
6.Ensuring your personal data is accurate
We will keep the personal data we store about you accurate and up to date by enabling the designated account administrator(s) from your educational establishment to update personal data through self-service features within the Software, and by providing our support to those individuals throughout the contracted services period. We will take every reasonable step to erase or rectify inaccurate data without delay. Please tell us, or contact the designated account administrator from your educational establishment to contact us, if your personal details change or if you become aware of any inaccuracies in the personal data we hold about you or anyone else. We will contact you or the designated account administrator from your educational establishment if we become aware of any event which is likely to result in a change to your personal data.
7.Retaining your personal data
We will not keep your personal data for longer than is necessary for the purpose(s) for which we process it. This means that data will be destroyed or erased from our systems when it is no longer required. We review all personal data which we process at the end of each school year. This includes personal data relating to users of the Software and that of teachers / staff at educational establishments. During these annual reviews, the following criteria is used on the personal data stored on our systems, to determine whether this should be retained:
7.1. Dormant prospective customer data: This personal data will be deleted if more than 3 years and one day has elapsed since our last activity using the data, if they did not enter into a contract with us. We keep this personal data for this time period to allow us to re-visit historic leads, opportunities and pricing information supplied to align with School Improvement Plans which are typically run on a 3 year cycle;
7.2. Current customer data: This personal data is kept throughout the life-cycle of an active contract to assist with delivery of the Services; and
7.3. Customers who held a contract with us but decided not to renew: This personal data will be kept for a minimum of 6 years from the end of the last company financial year for Lexia which that contract relates to.
Usually this personal data review exercise is conducted during school summer holidays by Lexia employees. However, if this review cannot be undertaken or fully completed during this period, this process will be resumed and completed as soon as reasonably practicable.
8.What rights do you have in respect of your personal data?
You have the right to:
8.1.1. Request access to any personal data we hold about you.
8.1.2. Have any personal data which we hold about you which is inaccurate rectified.
8.1.3. Have incomplete personal data completed.
8.2. In certain circumstances you also have the right to:
8.2.1. Have the processing of your personal data restricted.
8.2.2. Have personal data erased.
8.2.3. Be provided with the personal data that you have supplied to us, in a portable format that can be transmitted to another data controller without hindrance.
8.2.4. Object to certain types of processing, including automated processing (which includes profiling) and processing for direct-marketing purposes.
8.2.5. Not to be subject to a decision that is based solely on automated processing which produces a legal effect or which has a similar significant effect for you.
If you wish to exercise any of the rights set out above in paragraph 8.1 or 8.2, you must make the request in writing to Norman Robinson, Chief Operating Officer, who can be contacted at LexiaUK, Level 8 Trinity Gate, 32 West Street, Gateshead, Tyne & Wear, NE8 1AD or at email@example.com
If you provided your consent to any of the processing of your personal data, you have the right to withdraw your consent to that processing at any time, where relevant. Please contact Norman Robinson, Chief Operating Officer, who can be contacted at LexiaUK, Level 8 Trinity Gate, 32 West Street, Gateshead, Tyne & Wear, NE8 1AD or at firstname.lastname@example.org if you wish to do so.
8.3. You have the right to object, at any time:
8.3.1. to the processing of your personal data which:
18.104.22.168. is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; or
22.214.171.124. which is necessary for the purposes of the legitimate interests pursued by us or a third party, including profiling.
If you object to the processing set out in 8.3.1 above, we must no longer process that personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or that the processing is required for the establishment, exercise or defence of legal claims.
9.How we keep your data secure
9.1. We will ensure that appropriate measures are taken against unlawful or unauthorised processing of personal data, and against the accidental loss of, or damage to, personal data.
9.2. We have in place procedures and technologies to maintain the security of all personal data from the point of collection to the point of destruction. We will only transfer personal data to a third party if that third party agrees to comply with those procedures and policies, or if they put in place adequate measures themselves.
9.3. Maintaining data security means guaranteeing the confidentiality, integrity and availability (for authorised purposes) of the personal data.
10.Providing information to third parties
Our employees who need to access your personal data will view it in order that we can provide the Software and / or the Services and comply with our legal and statutory duties. All of our employees who may have access to your personal data have been trained in data protection and understand the need to keep your information confidential.
In addition to our employees, we also use service providers who may process personal data on our behalf (for example software providers for our IT systems). Apart from our employees and service providers, we will not disclose your personal data to a third party without your consent unless we are satisfied that they are legally entitled to the data. Where we do disclose your personal data to a third party, we will have regard to the data protection principles.
We may disclose your personal information to third parties:
- in the event that we sell or buy any business or assets, in which case we may disclose your personal data to the prospective seller or buyer of such business or assets;
- if we or substantially all of our assets are acquired by a third party, in which case personal data held by us will be one of the transferred assets; and
- if we are under a duty to disclose or share your personal data in order to comply with legal obligations or to protect our rights, property, or safety of customers / users, suppliers or employees. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction.
If your personal data is provided to any third parties, you are entitled to request details of the recipients of your personal data or the categories of recipients of your personal data.
11.Transferring your personal data outside the European Economic Area (“EEA”)
We will not transfer your personal data outside the EEA unless such transfer is compliant with the GDPR. This means that we cannot transfer any of your personal data outside the EEA unless:
- The UK Government has decided that another country or international organisation ensures an adequate level of protection for your personal data; or
- The transfer of your personal data is subject to appropriate safeguards, which may include:
- Binding corporate rules; or
- Standard data protection clauses adopted by the EU Commission.
- One of the derogations in the GDPR applies (including if you explicitly consent to the proposed transfer).
We currently transfer personal data outside the EEA:
- To provide Lexia US with certain information in respect of the Software and/or the Services.
The Lexia Educational Application License Agreement (the “License”), available at http://lexialearning.com/privacy/eula, is incorporated into all of our Contracts with our educational establishment customers, and governs the access and use of all of the Software subscriptions provisioned and supported by Lexia US. The License automatically includes and incorporates Lexia US’ International Data Transfer and Processing Addendum, which incorporates the Standard Contractual Clauses for the Transfer of Personal Data to Data Processors Established In Third Countries pursuant to Commission Decision 2010/87/EU of 5 February 2010 (“Model Processor Clauses”), and addresses Lexia US’ data transfer and compliance obligations with respect to data received and processed from customers and users in the United Kingdom, European Union, European Economic Area and Switzerland, as well as those in other non-U.S. countries where the Model Processor Clauses are relevant and recognized. We (LexiaUK) act as a subprocessor to Lexia US with respect to your personal data received or processed through the Software and under our services contract with our educational establishment customers, and we have entered into written contract with Lexia US likewise incorporating the Model Processor Clauses and reflecting our obligations as subprocessor.
Personal data of our customers in the Republic of Ireland
Please note that if you are a customer from the Republic of Ireland from 1 January 2021, we do not have an EU representative in this country on the basis that our processing of your personal data is (i) only occasional, (ii) of low risk to your data protection rights and (iii) does not involve the large scale use of special category or criminal offence data.
We will continue to comply with our obligations under the UK GDPR in relation to your personal data and please continue to contact us if you have any queries or concerns in relation to our handling of your personal data.
We will keep this position under review.
12.Breaches of data protection principles
If you consider that the data protection principles have not been followed in respect of personal data about yourself or others please notify us as soon as possible after becoming aware.
We are obliged to notify the Information Commissioners Office without undue delay, and where feasible, no later than 72 hours of becoming aware of a data breach, unless we consider that the personal data breach is unlikely to result in a risk to the rights and freedoms of the affected data subjects.
13.Right to lodge a complaint
If you have any issues with our processing of your personal data and would like to make a complaint, you can contact the Information Commissioner’s Office on 0303 123 1113 or at Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.