Data Processing.
Data Processing Clauses for the GEC Platform
1. Categories of Personal Data and Data Subjects
1.1. The Processor shall process the following categories of personal data on behalf of the Controller:
For Staff Users:
Verification Data: Staff email addresses (used only for authentication purposes and deleted immediately after verification).
Engagement Data: Responses to surveys and participation in platform activities, which remain fully anonymised and cannot be re-identified.
For Students:
Engagement Data: Anonymised survey responses collected via a magic link system, ensuring no personally identifiable information (PII) is retained.
1.2. The Processor shall process data relating to the following categories of Data Subjects:
Staff Users: Teachers, school leaders, and other education professionals.
Students: Survey participants engaging via magic link access (with no identifiable information collected).
1.3. Metadata Retention:
Survey metadata (e.g., timestamps and completion logs) may be retained for up to [X] months for reporting purposes before deletion.
2. Processing in Accordance with Controller Instructions
2.1. The Processor shall only process personal data on documented instructions from the Controller, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by UK law. If such processing is required by law, the Processor shall inform the Controller before processing unless prohibited from doing so.
3. Duty of Confidentiality
3.1. The Processor shall ensure that any person it authorises to process personal data on its behalf is subject to an obligation of confidentiality, either through contractual agreements or statutory obligations.
4. Assistance with Data Subject Rights
4.1. The Processor shall assist the Controller in responding to requests from data subjects to exercise their rights under the UK GDPR, to the extent applicable, including but not limited to:
Right of access
Right to rectification
Right to erasure
Right to restriction of processing
Right to data portability
Right to object
4.2. Given the anonymisation of survey data:
The Processor cannot re-identify individual responses once staff emails are deleted.
The Processor cannot retrieve or alter student responses, as no personal data is collected via the magic link system.
Any subject access request will be reviewed in collaboration with the Controller to confirm whether any identifiable data exists before responding.
5. Compliance with UK GDPR Obligations
5.1. The Processor shall assist the Controller in ensuring compliance with its obligations under the UK GDPR, including:
Implementing appropriate technical and organisational measures to ensure the security of processing, including:
Two-Factor Authentication (2FA) for setup and dashboard access.
Role-based access control, ensuring only authorised individuals can manage survey distribution and data.
Secure data transmission to prevent interception or tampering.
Schools retain full control over whom they share staff and student surveys with, aligning with their own safeguarding policies.
5.2. The Processor shall notify the Controller of any personal data breach within 24 hours of detection, providing all necessary information to support compliance with reporting obligations.
5.3. Breach Reporting Contact:
If the Controller suspects a data breach, they must report it immediately to:
Email: office@thegec.education
5.4. The Processor shall assist with the completion of Data Protection Impact Assessments (DPIAs) and prior consultations with the Information Commissioner’s Office (ICO) where required.
6. Lawful Basis for Processing
6.1. The Processor and Controller confirm the lawful basis for processing as follows:
Staff email verification is processed under legitimate interest (for security purposes).
Survey responses are fully anonymised and do not constitute personal data.
Students provide digital consent before participation, in compliance with the ICO’s Digital Rights of the Child guidance.
7. Third-Party Processors and International Data Transfers
7.1. If any third-party services (e.g., hosting providers, analytics tools) process the data, the Processor shall ensure they comply with UK GDPR and implement equivalent security and confidentiality measures.
7.2. The Processor confirms that all data processing occurs within GDPR-compliant jurisdictions, ensuring data protection standards equivalent to those in the UK and EU.
Data Collection & Ethical Standards
The GEC Platform has been developed as part of founder Nic Ponsford’s doctoral research at Bournemouth University. This dual role means our work undergoes two layers of validation: one as part of the GEC Platform’s development as a company and another through Nic’s academic research, ensuring rigorous scrutiny at both levels. As we work with live data, it is always evolving.
Participant Data Protection
All staff and student data in the GEC Platform is anonymous, ensuring compliance with GDPR and ethical standards, including the ICO’s Digital Rights of the Child.
When our members close their surveys, our technology automatically separates participant information from the results. This means that even we cannot align individuals with their responses—demonstrating our serious commitment to ethical, participatory user experiences and safeguarding.
Our GEC Platform Terms (Clause 13 of our terms) and GEC Privacy Policy outline our ethical commitments.
Bournemouth University’s Ethical Approval
The research underpinning Nic’s thesis has been formally approved by her supervisor and adheres to Bournemouth University’s Code of Practice for Research Ethics. This ensures:
Strict ethical and safeguarding protocols to protect participant wellbeing and confidentiality.
Compliance with national standards on inclusion, diversity, and data protection.
Rigorous ethical oversight, including informed consent, risk mitigation, and the right to withdraw at any time.
A dual-layered safeguarding approach, integrating GEC’s policies with the university’s ethical framework.
Data Integrity & Expert Oversight
For any reports we generate, we are analysing responses from 26,000 students, teachers, and staff across 1.8 million data points. Given the scale and pioneering nature of this dataset, our Head of AI and Data Technology has overseen the extraction and validation process, ensuring accuracy and reliability.