Welcome to Geography.Academy
What is GDPR?
On May 25th 2018 the General Data Protection Regulation (GDPR) (EU) 2016/679 came into force. The GDPR is a regulation in EU law on data protection and privacy for all individuals within the European Union and is intended to unify the policies and strengthen the safety and security of all data held within an organisation.
This legislation replaced the Data Protection Act (DPA) and is considered the most significant data protection legislation of the last 20 years. There is a plethora of information about the new legislation available online. The Information Commissioner’s Office (ICO) provides a good starting point with its Overview of GDPR.
Geography.Academy (operating under Cre8tive IT Solutions Ltd) is committed to helping deliver outstanding educational support. We have standardised policies and procedures to manage and protect the data that we process on behalf of our schools. Our policies are driven by our significant experience in the education sector and our existing data protection compliance through our ICO registration.
Cre8tive IT Solutions has taken the following actions to ensure compliance:
- Improved office security and infrastructure
- Completed GDPR and security audit for Cre8tive IT Solutions products
- Updated documentation of policies and procedures
Some of the changes we made to help schools become GDPR compliant include:
- An updated GDPR-compliant contract
We have introduced a new contract which outlines both the school’s and Geography.Academy’s responsibilities in terms of legislation. This includes an updated GDPR-compliant data sharing agreement.
Data controllers and Data processors
The new laws require both Data controllers (such as Schools) and Data processors (such as Cre8tive IT Solutions) to update their processes and technology to meet the specified requirements.
Schools are the data controllers of staff and pupil-related data. The data controller is the person or organisation who determines what data is extracted, what purpose it is used for and who is allowed to process the data. GDPR increases the responsibility schools have to inform students and parents about how their data is being used and by whom.
Cre8tive IT Solutions is the Data processor of the staff and pupil data as the school’s learning platform. This is data we are trusted with but do not control.
How does Cre8tive IT Solutions protect personal data and where is it processed?
Our platform and customer data are stored on approved and compliant cloud infrastructure. Our servers are hosted by One and One Ionos in Germany to ensure customer data is retained within the European Economic Area (EEA). We use multiple protective layers within the platform to protect our services, including encryption and firewalling.
We store business data within selected cloud platforms, including services like Google Drive. We will only use platforms whose information security practices we approve. These are tools we use to operate our business, for purposes such as billing and invoice information, support cases, and marketing engagement.
All data transfers use SHA256 with RSA (RSA 2048 bits for key exchange) between client browsers and our servers.
In the unlikely event of a data breach, details will be made available to the Data Controller through the contact provided to the Data Processor. For example, where an educational provider is the Data Controller, first contact will be made with the teacher responsible for liaising with the Data Processor.
Who can access personal data?
Where it is necessary to access customer data, for example to investigate a support case, only approved Cre8tive IT Solutions support and technical staff can access it. Cre8tive IT Solutions carries out DBS checking on staff who have personal data access and staff are subject to contractual data access policies.
The Data Processor makes available to the controller all information necessary to demonstrate compliance with the obligations laid down in this Article, and allows for and contributes to audits, including inspections, conducted by the controller or another auditor mandated by the controller.
With regard to the point above, the processor shall immediately inform the controller if, in its opinion, an instruction infringes this Regulation or other Union or Member State data protection provisions.
How are errors in data corrected?
Staff and student personal data is obtained from the Data controller (the School). In the event of an error, school administrators can correct user data such as names and emails by contacting our support team. Staff and parents can also change their personal details directly on the platform or contact our support team.
How do I make a Subject Access Request or implement the Right to be Forgotten?
If you wish to make a Subject Access Request and/or Right to be Forgotten request, where applicable, please contact firstname.lastname@example.org
If your school would like further information on GDPR compliance in Cre8tive IT Solutions products then please contact us.
The Data Processor is obliged to allow the Data Controller to carry out their responsibilities around security, DPIA, etc.