GDPR Factsheet for Schools

Who is responsible for what?

When purchasing any of our products, your School remains the Data Controller.

  • This is because you have chosen to use Nessy’s products to support and aid the delivery of your educational functions.

 

Nessy is the Data Processor when it provides its products and services to you.

  • We are being asked by your school to run and deliver the products and services you have purchased.

 

Your School is responsible for how its staff use our products and services – for how they

  • look after passwords generated by the system,
  • ensure the personal information added to the system is accurate, i.e. the teacher and pupil details,
  • ensure that permission to access the system are removed when a teacher no longer requires access (e.g. they have left their role or changed role),
  • handle any reports or data extracted from the system.

 

Nessy is responsible for ensuring that

  • the systems used to deliver the products and services operate securely,
  • it meets and maintains its own security obligations,
  • it processes personal data as defined in the contract between us.

 

Do we need consent from parents and teachers?

You should ensure that teachers and parents are made aware of why their data (and that of the pupil) is needed and how it will be used to deliver our products and service. You may wish to seek their agreement on this.

For Schools located in the EU/UK, you are not required to collect consent in order to process the personal data required to our products and services: if teachers and pupils agree to, or wish to, use our products and services we will need their personal data.

This is because the personal data of your teachers and your pupils needs to be entered into our systems, and the systems needs to use their information, in order that your school can perform a task (educational provision) which is carried out in the public interest or in the exercise of official authority vested in your School. This is provided by Article 6(1)(e) of the GDPR.

For Schools outside the EU/UK, please consult your own local data protection legislation to confirm the appropriate lawful basis for processing the personal data we need to provide our products and services. If you need to obtain consent, this remains your responsibility.

We do ask that the teachers and pupils consent to cookies being placed; without this the services and functions will not operate and this will reduce or negatively affected the users’ experience of the services. The website will seek this consent.

 

What personal data does Nessy need to deliver the products and services?

See Table of Data Sources and Uses

 

What third parties does Nessy use to deliver the products and services?

See Table of Data Sources and Uses

 

Does Nessy use any data for its own business purposes?

Yes.

Outside of running and delivering the products and services you have purchased, Nessy uses data to undertake scientific or historical research and/or for statistical purposes. This data comes from the data generated by students and their use of the system.

However, we take measures to ensure the personal data is rendered anonymous before it is used for our research purposes.

Nessy is the Data Controller responsible for the process of rendering the personal data anonymous and using the data for research purposes.

For the avoidance of doubt, the research and/or statistics

  • purposes will not be likely to cause substantial damage or substantial distress to a data subject.
  • processing will not be used for the purposes of measures or decisions with respect to a particular data subject.

This use of data is outlined in the contract between us.

 

Further reading

See our full Privacy Policy for more details about our collection and use of personal data.

See our Data Protection Agreement for the proposed clauses we would use to address our data protection obligations.

Also see our standard Terms and Conditions.

 

Table of Data Sources and Uses

Cookies and the Personal Data they generate

We ask you to agree that we can place cookies on your device.

If you agree, we will then be able to collect the following personal data and use it to deliver the following services or functions.

Personal data Service and/or function this lets us deliver
Information about the devices you are accessing the website: IP address, your operating system, your browser ID, your location, and other information about your system and connection.

Show you the correct version of the site for where you are based e.g. if you are in the UK, we will redirect you to our UK version of the site.

See viewing patterns such as whether multiple page visits are from an individual computer or from lots of different computers. That helps us understand what content visitors want to see and therefore gives us an idea of what we should make more of, both for this information website and the Nessy platform.

Statistical information about which pages you visit and how you interact with the site.
Password, when you check the log in option 'Remember me' The cookies store encrypted log in credentials, so you don't have to enter them each time.

Information about a student's progress through the Nessy Platform collected whenever a student interacts with the program.

This includes game scores, learning items the student has found difficult, when they logged in and how much time was using the platform.

The information Nessy collects about students is used to build a profile of their educational requirements and used within the Nessy platform to direct their learning and maximise the effectiveness of the program, as well as generate reports for teachers / parents to review progress of the students.

This means we can tailor the learning experience to meet the needs of the individual and create a record of progress.

When a student plays an assessment game in one of the Nessy Platform applications, each question is related to a corresponding lesson, and answers result in the lesson pathways being automatically set for the student by the program.

Note: The automatic pathway feature can be turned off in the Admin area, teachers/parents can customise and set their own choice of lessons for the student.


The personal data generated by the cookies is processed under the following lawful basis:

School Customers: this is required to deliver the terms of the contract between us, and to order that your school can perform a task (educational provision) which is carried out in the public interest or in the exercise of official authority vested in your School. This is provided by Article 6(1)(e) of the GDPR.

Individual Customers: this is required to deliver the terms of the contract between us.

Full details of the cookies we use can be found here: https://www.nessy.com/uk/cookie-policy/

 

What if I don’t agree to cookies?

If you do not agree to cookies you will still be able to navigate around the website.

However, the services and functions listed above will not operate and this will reduce or negatively affected your experience of the services.

 

Personal data you enter into our system

Personal data Service and/or function this lets us deliver
Name and email address of employees (school accounts) To set up an administrative account and users.
Name and email address of customers (home accounts) To set up an administrative account and users.
Physical Address of School / Customer (home)

To set up the account.

To fulfil the delivery of physical shop purchases.

Name and date of birth of student To set up student profiles and provide age specific content
Payment details

A record of all purchases made through our website are stored in the WordPress platform.

We also use the accounting platform, Quickbooks by Inuit, to store a record of purchase orders and general financial records. Card Payments are not stored in this way.

Payments are facilitated by the secure digital payment platforms PayPal and Stripe.

No payment information is stored by Nessy Learning.

Name, country, region and email address of newsletter / marketing subscribers

To send our email newsletter. We use the Mailchimp marketing automation platform to deliver these emails.

Name, email address and query of help To assess the query and allow our support team to provide assistant.

School Customers: the personal data is required to deliver the terms of the contract between us, and to order that your school can perform a task (educational provision) which is carried out in the public interest or in the exercise of official authority vested in your School. This is provided by Article 6(1)(e) of the GDPR.

Individual Customers: the personal data is required to deliver the terms of the contract between us.

 

Data we derived from the data generate by students use of the system

Personal data Service and/or function this lets us deliver
Information about a student's progress through the Nessy Platform. We can provide you student progress results via reporting, and a means of getting weekly reports.
Anonymous data

Scientific or historical research purposes and/or statistical purposes.

Outside of running and delivering the products and services you have purchased, Nessy uses data to undertake scientific or historical research and/or for statistical purposes. This data comes from the data generated by students and their use of the system.

However, we take measures to ensure the personal data is rendered anonymous before it is used for our research purposes.

Nessy is the Data Controller responsible for the process of rendering the personal data anonymous and using the data for research purposes.

For the avoidance of doubt, the research and/or statistics

  • purposes will not be likely to cause substantial damage or substantial distress to a data subject.
  • processing will not be used for the purposes of measures or decisions with respect to a particular data subject.

This use of data is outlined in the contract between us.


School Customers: this data required to deliver the terms of the contract between us, and to order that your school can perform a task (educational provision) which is carried out in the public interest or in the exercise of official authority vested in your School. This is provided by Article 6(1)(e) of the GDPR.

Individual Customers: this is required to deliver the terms of the contract between us.

 

Where is my data?

We use Microsoft Azure to store information about student learning as well as the name and email of the account holder.

  • Customer data is stored in a Microsoft Azure data centre in Ireland and the UK.

A content delivery network detects customers in other areas of the world and uses local data centres to increase performance and loading speeds but no data is stored in these locations.

We use Google analytics to collect, analyse, and store the data gathered from cookies and other tracking technologies on nessy.com.

This may mean that the data is transferred outside of the country you are based in. In all cases Google analytics comply with legal frameworks relating to the transfer of data, such as the EU-US and Swiss -US Privacy Shield Frameworks. The data processed by Google Analytics will include statistical data for establishing patterns.