Privacy Laws Compliance


Nessy’s commitment to data privacy

At Nessy we are committed to enriching the lives of children through education and as part of that commitment we have always taken responsibility to carefully protect the privacy and rights of anyone who chooses to share their personal data. Nessy has never sold any personal data and never will do. The information Nessy collects about students is used to build a profile of their educational requirements and used within the Nessy platform to direct their learning and maximise the effectiveness of the program. Educational data is sometimes used for research purposes but no personal details released and the information is always completely anonymous with restrictions upon confidentiality.


What is GDPR?

The General Data Protection Regulation (GDPR) will become law in all countries across Europe from May 25, 2018. From that date, all EU residents will have greater control over their personal data with a much bigger say over what, how, why, where, and when their personal data is used, processed, or disposed.

Any organisation that works with EU residents’ personal data in any manner, irrespective of location, has obligations to protect the data of these residents.


How is Nessy complying with data protection regulations?

Nessy has a clear privacy policy which is displayed wherever personal data is captured. The privacy policy details the data collected and how it is used. The Nessy Parent Portal gives parents the choice of consenting and the option to remove that consent. A verifiable record of this consent is maintained. The steps that we have been taking to protect data and restrictions upon how that data is shared are outlined below:


How is personal data identified?

We have completed a full data audit to understand what personal data we hold and where it is held.


How is data integrity and security reviewed?

Once a year we conduct a full security review on the Nessy platform. This covers areas such as:

  • Reviewing and updating the encryption algorithms we use on customer data
  • Reviewing any third-party software we use on the site, working to reduce this list where possible
  • Conducting an internal audit of all IT equipment and software used within Nessy, making improvements where appropriate

We anonymise personally identifiable data where possible and appropriate.

We have upgraded our storage and backup systems and implemented total database encryption across our learning platform.


Updating our processes and policies

We have reviewed and updated our IT Acceptable Usage Policy for Nessy employees.

We have created a Data Breach Process document to follow in the unlikely event that the Nessy platform is compromised in any way.

We have updated our Privacy Policy.

We have reviewed and updated our Cookie Policy and will continue to reduce the number of third party cookies we use on the Nessy platform.

We have created a Data Retention Policy to outline how long we will store and hold any personal data.


Reviewing our providers

We are in the process of reviewing any services that we share personal data with to ensure they meet the standards set out by the GDPR.

We are in the process of reviewing any third-party software we use and will remove or replace any software that is no longer required or doesn’t meet the standards set out by the GDPR.


Deleting redundant data

We commit to removing any personal data from the Nessy platform that meets the criteria set out in our Data Retention Policy.

We take all appropriate steps to fully remove all data before disposing of redundant IT hardware.


Platform improvements

We are constantly developing the Nessy Learning platform to make our applications safer, easier to use and more effective. This includes introducing mechanisms to seek informed parental consent for students to use Nessy, as well as the ability to download and view all the data we hold about you and your students.


What happens if there is an unauthorised disclosure of data?

In the event of a security breach where we believe that the data protection rights of one or more individuals has been compromised, we will with undue delay inform the relevant authorities and make best efforts to inform the individuals affected. Our developer team will take immediate steps to fix any vulnerabilities to prevent further or future data loss.