Bedrock Learning Privacy Statement

Being an online organisation and with digital technology at the heart of everything we do, online safety for our customers is paramount, especially as the majority of our users are students of primary and secondary school age. This privacy statement explains what personal data Bedrock Learning collects from you, through our interactions with you and through our products, and how we use that data. Bedrock Learning Ltd acts as the data processor for all data processed by us to deliver our service and as such, complies with the General Data Protection Regulation (GDPR) and is registered with the Information Commissioner’s Office.

Any questions about our privacy policy or the way we use data should be directed to data@bedrocklearning.org or our postal address Bedrock Learning, Kiln House, Pottergate, Norwich, NR2 1BZ.

Our named Data Protection Officer is Olivia Sumpter, Director. She can be contacted using the contact details at the end of this document.

Contents
1. Product Data Collection and Use
2. How to update your information
3. How will we use the information about you?
4. Subject Access Requests
5. How long will we keep information about you?
6. Who has access to my/my students’ data?
7. Cookies
8. Bedrock Learning Working Practices
9. What happens in the event of a data breach?
10. How to contact us

1. Product Data Collection and Use
By signing the Bedrock Learning terms and conditions, teachers acknowledge that they are primarily responsible for providing consent from the applicable parent/guardian and will ensure that all information is accurate and correct in relation to obtaining such consent.

Bedrock Learning provides a personalised experience for its users. Account information for our e-learning products including teachers and students are password-protected so that only the user and account administrators have access to this personal information. By requiring users to log in, Bedrock Learning students can access the relevant content and their progress can be monitored.

We recommend that you do not divulge your password to anyone. Bedrock Learning will never ask you for your password in an unsolicited phone call or in an unsolicited email. If you have finished using the resource, we recommend that you sign out.
Students’ user accounts do not include any information that identifies them with their educational institution. Students’ email addresses are not displayed on the site.

Bedrock Learning collects the following data and stores it securely:

Teachers

• Bedrock Learning creates teacher accounts which allows teachers to manage their own classes and monitor progress with added security. We ask teachers for their title, first name, last name, organisation and email address.

Students

• When creating a new student account, we require a first name, last name and class name. You can provide students’ school email addresses for password retrieval purposes, but this is not essential for student account creation. Schools may also provide us with information including Unique Pupil Numbers, gender, ethnicity, first language, SEN status and reading age. We also keep records of the marks students score in the various learning exercises. We use this information to monitor progress and analyse learning needs. We will also use this personal data for the purposes of administration and operation of the service. We will disclose learning scores to parents/guardians, teachers and school as part of the service.
• We aggregate the marks scored by students for the purpose of our internal statistical analysis and research. When this analysis is performed, it may be used for marketing purposes. In this case, all data is anonymised.

2. Updating your Information

You can update your account information by calling the team on +44 (0) 203 325 9345 or by emailing data@bedrocklearning.org. In any case, we will confirm your identity via email before we make any changes.

3. How will we use your personal information?

Teachers: Personal information which you supply to us will only ever be used in the following ways:
• To update you on student progress
• To update you on product developments relevant to your usage of Bedrock Vocabulary
• To troubleshoot any technical issues
• To send you teaching and learning updates

Students: Personal information which is supplied to us will only ever be used in the following ways:

• To track student progress
• To troubleshoot any technical issues
• To generate conclusions about the impact of the programme. (When producing large scale analytics, all data is anonymised. Any conclusions drawn from these analyses will only be used to develop the product and for marketing purposes, thus the impact on the individual will be limited.)
• We may disclose student marks to parents/guardians, teachers and school as part of the service.
• We aggregate the marks scored by students for the purpose of our internal statistical analysis and research. This data is anonymised.

Parents: Personal information is supplied to us will only ever be used in the following ways:

• To update you on student progress
• To update you on product developments relevant to your usage of Bedrock Vocabulary
• To troubleshoot any technical issues

4. Subject Access Requests

If you wish to make a request for ‘personal data’ under the GDPR guidelines, you can either email us at data@bedrocklearning.org or by contacting us via our postal address: SAR, Bedrock Learning Ltd, Kiln House, Pottergate, NR2 1BZ. If you make the request electronically, we will provide the data electronically. Please supply as much detail as possible in order that we provide the most relevant information in relation to your request. There is no fee to access your personal data and we will respond within 30 days from the receipt of the request.

5. How Long Does Bedrock Learning Keep Data?

Why we Delete Data

Bedrock Learning stores data for its users. To ensure that Bedrock Learning does not hold user information in perpetuity, it has set criteria for the deletion of un-used data.

Product Data

Users
Bedrock Learning holds data for Teacher and Student accounts. If these accounts are left inactive for two years they will be deleted. The definition of inactive is if the user has not logged in (via any route) for two years. Also, any empty classes and groups will be deleted after two years and any classes or groups that exist on an inactive account for two years will also be deleted.

Progress Tracker
Any saved score data will be deleted after 5 years on a rolling basis. Even if the student is still active, we will only hold 5 years’ worth of results per child; if more is required, the export data feature should be used. If a student is deleted as a result of being inactive for two years, all score data held for that student is also deleted.

6. Who has access to my/my students’ data?

To ensure that the user receives the best customer care, members of Bedrock Learning staff have access to user data. However, only the customer management team, the technical support team and the Directors have access to this information. In correspondence with schools, we clearly request that all personal data is sent directly to the customer management team, if for whatever reason it is sent to another member of staff, they will immediately delete the file and inform the sender. Bedrock Learning Ltd will not be liable for the error.

Sharing Data

Bedrock Learning has a strict policy of not sharing any information about students with anyone outside the organisation. Please note that the passwords can be controlled by the users themselves and may not be well-chosen, securely stored and may be shared by the whole school but we are not in control of that and strongly discourage such behaviours.
Bedrock Learning will not share data with third parties unless explicit instruction is given by the school in question, for example, to integrate with a VLE provider and we will never sell user information.

External Data Storage

Bedrock Learning stores data on our secure database servers. The servers are housed in secure data centres, trusted and used by many of the country’s leading organisations. Physical access to our servers is strictly limited to data centre staff, our own IT staff and accompanied external contractors when needed, in order to maintain the servers. Access to the servers in the data centre requires proof of identify (photo ID) and is controlled by magnetic card readers and keys to both the cages and individual cabinets that surround the server racks, all of which are monitored by the data centre security staff using CCTV. Remote access to the data is limited to the tools needed by the IT support staff to maintain and operate the servers and is restricted to known users (identified by usernames and secure keys) connecting from known locations (IP addresses). Bedrock Learning stores data on UK and EU servers only.

7. Bedrock Learning Cookies

A cookie is a small file which asks permission to be placed on your computer’s hard drive. Once you agree, the file is added, and the cookie helps analyse web traffic or lets you know when you visit a site.

We use cookies on Bedrock Learning to provide you with the best possible experience on our website and to identify critical details such as account, user and curriculum identification.

Additionally, we use cookies from Google Analytics to anonymously record your usage of the website. This helps us analyse data about webpage traffic and improve our service in order to tailor it to customer needs. We only use this information for statistical analysis purposes to influence our development plans.

Overall, cookies help us provide you with a better website, by enabling us to monitor which pages you find useful and which you do not. A cookie in no way gives us access to your computer or any information about you, other than the data you choose to share with us.

Before using our website, we ask you to give your consent to the use of cookies. At any point, you may withdraw this consent.
If you have any questions about the use of cookies please do not hesitate to contact us.

8. Bedrock Learning Working Practices

As part of our commitment to transparency, we have detailed our working practices with regards to data management and protection.

Data Use

● When working with personal data, Bedrock Learning Ltd employees should ensure the screens of their computers are always locked when left unattended.
● Data will be password protected before being transferred electronically. When sending data externally to schools or parents, a secure file transfer will be used, which encrypts all data in transit. For the purposes of sending other, non-sensitive personal data, files will be password protected.
● Employees should not save copies of personal data to their own computers. They will always access and update the central copy of any data.

Data Accuracy

Under law, we are obliged to take reasonable steps to ensure data is kept accurate and up to date. To ensure we fulfil this responsibility, we commit that:

● Data will be held in as few places as necessary. Staff should not create any unnecessary additional data sets.
● Staff should take every opportunity to ensure data is updated. For instance, by confirming a customer’s details when they call.
● Bedrock Learning Ltd will make it easy for individuals to update the information we hold about them. Any customer can do this by contacting data@bedrocklearning.org
● Data will be updated as soon as any inaccuracies are discovered.

9. Data Breaches

A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes.

In the unlikely event of a data breach, Bedrock Learning will follow a strict protocol:

Employees are trained to immediately recognise a data breach and understand that a data breach is not only about loss or theft of personal data. As soon as a data breach is identified, the employee will escalate the incident to our data protection officer (DPO). The DPO will evaluate the risk to the individual(s) concerned and the size of the breach. If it is deemed that there is a risk to individuals or if the breach affects a large number of users, we will notify the ICO within 24 hours.

We will notify affected individuals about any breach within 24 hours and this will be documented in company records.