GL READY PRIVACY NOTICE
At GL Assessment Limited (“we”, “us”) we value the privacy of all our customers and users. We recognise that when you choose to provide us with information, you trust us to act in a responsible manner. We believe this information should only be used to help us provide you with a better service. We will only collect and use Personal Data in ways that are described in this notice, and always in compliance with our obligations and your rights under applicable privacy law.
This Privacy Notice (“Notice”) applies to your use of our website and the services available at GLReady.com (GL Ready). Our website may provide links to third-party sites. Since we do not control those third-party sites and have no control over how your data is collected, stored, and used by them, we advise you to review the privacy notices of such sites before providing your data to them.
About us
GL Assessment Limited is a Limited Company registered in England and Wales under company number 01525617. We are part of the GL Education Group Limited.
Registered address: 1st Floor, Vantage London, Great West Road, Brentford, TW8 9AG
Telephone number: +44 (0)20 8996 3369
Data Protection officer: Karl Oertel
Email address: dpo@gl-education.com
In this Notice, reference to Data Protection Legislation means the Data Protection Act 2018, the General Data Protection Regulation (“the GDPR”), and the Privacy and Electronic Communications Regulations 2003.
We operate this website and its services for the benefit of schools, Local Education Authorities (LEAs) or similar organisations (each an “Education Institution”), their staff and students.
This Notice (together with our Terms of Use and any other documents referred to in it) sets out the basis on which any Personal Data we collect from Users, will be processed by us.
We have broken down the Notice below to cover the following different types of individuals whose Personal Data we collect and process:
Administrative Users(“you”, “your”) - someone who uses GL Ready for or on behalf of an Education Institution to administer a test and retrieve results - e.g., a member of staff of the school.
Student Users – students who access GL Ready to take a test.
What is Personal Data?
‘Personal Data’ is defined by the GDPR as: “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.
In simpler terms, Personal Data is any information about you that enables you to be identified. For example, this could be your name or contact details.
Data Controller/Data Processor
Our products are predominantly used by Education Institutions.
For the purposes of the Data Protection Legislation:
- where we process Personal Data relating to Student Users as detailed below and we do this on behalf of an Education Institution, the relevant Education Institution is the data controller, and we are the data processor; and
- where we process the Personal Data of someone who uses or orders our products or services for or on behalf of an Education Institution or for some other professional purposes (e.g., Administrative Users), we are the data controller.
What Personal Data do we collect and how?
Administrative Users:
You may give us Personal Data when registering for or logging into GL Ready, using the services available via GL Ready, or by corresponding with us by phone, e-mail or otherwise in relation to your use of GL Ready and your account. Such Personal Data includes (but is not limited to) your name, address, e-mail address and phone number.
What is our lawful basis for using your Personal Data?
In respect of each of the purposes for which we use your Personal Data (described in the next section), the GDPR requires us to ensure that we have a ‘lawful basis’ for that use. Most commonly, we will rely on one of the following lawful bases:
- Where we need to use your Personal Data to deliver our service to you (including creating an account, accessing our website and mobile apps, or using our products) (“Contractual Necessity”).
- Where we need to use your Personal Data for our legitimate interests, and your interests and fundamental rights do not override those interests (“Legitimate Interest”).
- Where we need to use your Personal Data to comply with our legal or regulatory obligations (“Compliance with Law”).
- Where we have your consent to use your Personal Data for a specific purpose (“Consent”).
How do we use this Personal Data?
We use Personal Data held about Administrative Users in the following ways:
PURPOSE: |
DESCRIPTION: |
LAWFUL BASIS: |
Account creation and service delivery |
To create and manage your account on our service and deliver our service to you. |
Contractual Necessity. |
Fraud prevention |
To keep our service and associated systems operational and secure. |
Legitimate Interest. We have a legitimate interest in ensuring the ongoing security of our service and associated systems. |
Analytics and service improvement |
To understand how our users use our service and improve it using that data. |
Legitimate Interest. We have a legitimate interest in monitoring the use of our service in order to improve it over time. |
Legal compliance |
To comply with our legal and regulatory obligations (for example, by ensuring that you are allowed to use our Service). |
Compliance with law. |
Marketing |
To send you information about our products and services from time to time. |
Consent. |
Student Users
The Personal Data of Student Users is provided to us (via the GL Ready system) by the relevant Education Institution (usually by an Administrative User). Personal Data relating to the Student User includes (but is not limited to), name, address, date of birth, unique pupil number.
An Administrative User may choose to upload further Personal Data relating to Student Users onto the GL Ready system in order to filter the results of assessments according to inputted criteria. Such Personal Data includes gender, ethnicity, socio-economic information (for example, whether or not qualifying for free school meals) school and year group.
We collect Personal Data of Student Users directly from them when they log in to take a test (name, date of birth and unique pupil number).
The GL Ready system collects and stores the results of the tests taken by each Student User.
The Personal Data of Student Users is processed by us on behalf of the relevant Education Institution in order to:
- provide GL Ready and the assessments and related services available via GL Ready to Student Users;
- carry out our obligations under a contract with the relevant Education Institution and to provide Users with the information, products and services requested from us; and
- link data for the same student across multiple products and systems where we are authorised or requested to do this.
Personal Data we receive from other sources.
We may receive Personal Data about a User from within the GL Education Group where a User has provided their data when using another website or service operated by us or a member of the group. In this case we will have informed a User when we collected that data that it may be shared internally and combined with data collected on this site.
Personal Data collected automatically.
With regard to each visit to GL Ready, we may automatically collect the following information:
- technical information, including the Internet protocol (IP) address used to connect a User’s computer to the Internet, login information, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform
- information about a User’s visit, including the full Uniform Resource Locators (URL), clickstream to, through and from GL Ready (including date and time), pages viewed or searched for, page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), and methods used to browse away from the page.
Cookies
We use cookies to distinguish individual Users of GL Ready. This helps us to provide you with a good experience. A cookie is a small file of letters and numbers that we store on your browser, computer, or device.
Please see our Cookie Policy which details the cookies we use.
Do we share your Personal Data?
The table below describes who we share your Personal Data with, and why we share it.
RECIPIENTS: |
PURPOSE: |
Our affiliates |
GL Assessment is part of the Renaissance Learning group of companies. Other companies within our corporate group may help us provide our service to you. |
Our service providers |
Our service providers provide us with data hosting, IT, infrastructure, payments processing and other services that allow us to provide our service to you. |
Our advisers |
Our lawyers, bankers, auditors, insurers, and other advisers may need to access your Personal Data when providing their services to us. |
Public authorities |
Public authorities may require us to report our data processing activities in certain circumstances, which may involve disclosing some of your Personal Data. |
Potential acquirers |
We may disclose or transfer your Personal Data in the context of actual or prospective corporate events (for example the sale, transfer or merger of all or part of our business, assets, or equity interests). For example, we may need to share certain Personal Data with prospective counterparties and their advisers. |
Anonymised data
We may use information relating to Student Users and schools in anonymised format to produce reports that we produce and share with third parties. These reports would, for example, be comparable reports about the type of organisation (for example, type of school, % of students with different languages) and their performance. No Student User or school would be identifiable in such reports.
Where do we store Personal Data?
Personal Data that we collect from Users will not be stored at a destination outside the United Kingdom or the European Economic Area (“Europe”).
Nevertheless, your personal data may sometimes need to be shared with a third-party recipient located outside of Europe or may otherwise need to be accessed outside of Europe. For example, some of our affiliates, partners and external third-party suppliers are based outside Europe, so their processing of your personal data might involve transferring your personal data outside Europe.
Where we share your personal data with third parties who are based outside Europe, we try to ensure a similar degree of protection is afforded to it by making sure one of the following mechanisms is implemented:
- Transfers to territories with an adequacy decision. We may transfer your personal data to countries or territories whose laws have been deemed to provide an adequate level of protection for personal data by the relevant European authorities.
- Transfers to territories without an adequacy decision. We may transfer your personal data to countries or territories whose laws have not been deemed to provide an adequate level of protection for personal data by European authorities. However, in these cases, we will use specific appropriate safeguards, approved by relevant European authorities, which are designed to give your personal data the same protection it has in Europe – for example, requiring the recipient to enter into the relevant form of the so-called ‘Standard Contractual Clauses’ or ‘International Data Transfer Agreement’ issued or approved from time to time.
Should you wish to find out more about these controls and safeguards, please contact us.
How to help us keep Personal Data secure
Where we have given you (or where you have chosen) a password which enables access to certain parts of GL Ready, you are responsible for keeping this password confidential. We ask you not to share a password with anyone.
In addition, we have put in place appropriate security measures to prevent your Personal Data from being accidentally lost, used, or accessed in an unauthorised way, altered, or disclosed. We limit access to your Personal Data to those employees and other staff who have a business need to have such access. All such people are subject to a contractual duty of confidentiality.
We have put in place procedures to deal with any actual or suspected Personal Data breach. In the event of any such breach, we have systems in place to work with applicable regulators. In addition, in certain circumstances (including where we are legally required to do so), we may notify you of breaches affecting your Personal Data.
How long do we keep Personal Data?
We keep Personal Data for as long as we need to for the purposes for which it was collected or (if longer) for any period for which we are required to keep Personal Data to comply with our legal and regulatory requirements.
To determine the appropriate retention period for your Personal Data, we consider the amount, nature and sensitivity of the relevant data, the potential risk of harm from unauthorised use or disclosure of your Personal Data, the purposes for which we process your Personal Data and whether we can achieve those purposes through other means, and the applicable legal requirements.
What are your rights?
Under the Data Protection Legislation, where we are acting as the data controller of your Personal Data, you have the following rights:
- Request access to your personal data. This enables you to receive a copy of the personal data we hold about you, and to check that we are lawfully processing it.
- Request the correction of your personal data. This enables you to have any incomplete or inaccurate information we hold about you corrected.
- Request the erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. This may not always be available.
- Object to our processing of your personal data. This right exists where we are relying on Legitimate Interest as the legal basis for our processing, and there is something about your particular situation which makes you want to object to our processing on this ground.
- Request the restriction of our processing of your personal data. This enables you to ask us to temporarily suspend the processing of your personal data, for example if you want us to establish its accuracy or our reason for processing it.
- Request the transfer of your personal data. This enables you to ask us to provide to you, or a third-party you have chosen, your personal data in a structured, machine-readable format.
- Withdraw consent. This enables you to withdraw your consent. This right only exists where we are relying on Consent as our lawful basis to process your personal data.
If you want to exercise any of the rights described above, please contact us.
We may need to request specific information from you to help us confirm your identity and ensure your right to access your Personal Data. This is a security measure to ensure that your Personal Data is not disclosed to any person who has no right to receive it.
Typically, you will not have to pay a fee to exercise your rights. However, we may charge a reasonable fee if your request is clearly unfounded, repetitive, or excessive. We may also refuse to comply with your request in limited circumstances.
We try to respond to all legitimate requests within a month. It may take us longer than a month if your request is particularly complex or you have made a number of requests; in this case, we will notify you and keep you updated.
Please note that applicable law may require or permit us to decline your request. If we decline your request, we will tell you why, subject to legal restrictions.
Complaints
If you would like to make a complaint regarding this Notice or our practices in relation to your Personal Data, please contact us. We will reply to your complaint as soon as we can.
If you feel that your complaint has not been adequately resolved, please note that applicable privacy law gives you the right to contact your local data protection supervisory authority.
Changes to this Notice
We may change this Notice from time to time. This may be necessary, for example, if the law changes or if we change our business practices in a way that affects how we collect or use your Personal Data.
Any changes will be made available on our website.
Contact details
Questions, comments, and requests regarding this Notice are welcomed and should be addressed to dpo@gl-education.com.