Data Processing Policy for the GEC Platform

Definitions for Data Processing Clauses

Data Processor: The entity responsible for processing personal data on behalf of the Controller. In this agreement, the GEC Platform serves as the Data Processor.

Data Controller: The entity that determines the purposes and means of processing personal data. In this case, the Client or GEC Member is the Data Controller.

Personal Data: Any information that relates to an identified or identifiable natural person ('data subject'). This includes, but is not limited to, names, email addresses, or any other data that could directly or indirectly identify an individual.

Processor: Refers to the Data Processor, responsible for processing data under the instructions of the Data Controller.

Controller: Refers to the Data Controller, who determines the purpose and means of processing personal data.

Data Subject: The individual to whom the personal data pertains. In this case, Data Subjects include staff and students whose data is processed via the GEC Platform.

Engagement Data: Data generated from the participation or interaction of users on the GEC Platform, such as survey responses and involvement in activities, which is anonymised to prevent identification.

Verification Data: Information used solely for authentication purposes, such as staff email addresses, which is not linked to any other data in the Platform.

Anonymised Data: Data that has been processed in such a way that it cannot be re-identified, ensuring no personally identifiable information (PII) is retained.

Pseudonymised Data: Data where identifiable information is replaced with pseudonyms or codes. While it is possible to re-link the data to an individual with additional information, it remains subject to data protection laws.

Metadata: Information that describes other data, such as survey timestamps or completion logs, which is not personally identifiable.

Data Subject Rights: Rights provided to individuals under data protection laws, such as the right to access, rectify, erase, restrict processing, or object to data processing.

Data Protection Impact Assessment (DPIA): A process designed to help identify and minimise risks to data protection when processing personal data, particularly where high risks to individuals' rights and freedoms are involved.

Personal Data Breach: An incident where personal data is destroyed, lost, altered, disclosed, or accessed without authorisation, compromising the security of the data.

International Data Transfers: The movement of personal data outside the UK or EU to jurisdictions that may not have the same level of data protection.

Survey Metadata: Information associated with survey activities, including timestamps and response patterns, which is not identifiable.

ICO: The Information Commissioner’s Office, the UK’s independent authority responsible for enforcing data protection laws.

Introduction

The purpose of this Data Policy is to outline how the GEC Platform manages and processes personal data in accordance with applicable data protection laws, including the UK General Data Protection Regulation (UK GDPR). As part of our commitment to maintaining transparency and safeguarding the privacy of staff, students, and other stakeholders, this policy provides clear guidelines on the collection, use, storage, and protection of personal data processed through the GEC Platform.

The GEC Platform is dedicated to ensuring that all personal data is handled responsibly and ethically, in line with both our mission to promote inclusion and equity in education and our founder Nicole Ponsford's academic research. This policy sets out the roles and responsibilities of both the GEC Platform as the data processor and our clients (the controllers) in managing personal data. It also clarifies the rights of data subjects, the measures in place to secure data, and the actions we take in the event of a data breach.

In particular, we focus on protecting the privacy of the data provided by staff and students using the Platform, with strong safeguards in place to ensure anonymity and confidentiality. This policy is designed to provide confidence in our practices and ensure compliance with relevant data protection standards, while also supporting the educational goals of the GEC Platform.

1. Categories of Personal Data and Data Subjects

1.1. The Processor shall process the following categories of personal data on behalf of the Controller:

  • For Staff Users:

    • Verification Data: Staff email addresses (used only for authentication purposes and not connected to any other data in the Platform).

    • Engagement Data: Responses to surveys and participation in Platform activities, which remain fully anonymised and cannot be re-identified.

  • For Students:

    • Engagement Data: Anonymised survey responses collected via a magic link system, ensuring no personally identifiable information (PII) is retained.

1.2. The Processor shall process data relating to the following categories of Data Subjects:

  • Staff Users: Teachers, school leaders, and other education professionals.

  • Students: Survey participants engaging via magic link access (with no identifiable information collected).

1.3. Metadata Retention:

  • Survey metadata (e.g., timestamps and completion logs) may be retained for up to [X] months for reporting purposes before deletion.

2. Processing in Accordance with Controller Instructions

2.1. The Processor shall process personal data only on documented instructions from the Controller, including regarding transfers to a third country or international organisation, unless required by UK law. Where processing is required by law, the Processor shall inform the Controller beforehand unless legally prohibited.

If the data is pseudonymised (i.e., it can still be linked back to an individual with additional information), it remains subject to data protection laws, and all transfer restrictions apply. However, if the data is fully anonymised and cannot be re-identified by any party, it is no longer considered personal data under GDPR and UK data protection law (Recital 26 GDPR). In such cases, the restrictions on data transfers may not apply.

3. Duty of Confidentiality

3.1. The Processor shall ensure that any person it authorises to process personal data on its behalf is subject to an obligation of confidentiality, either through contractual agreements or statutory obligations.

3.2. Any comments containing PII will be flagged for review and may be removed or anonymised as part of our commitment to safeguarding user data.

4. Assistance with Data Subject Rights

4.1. The Processor shall assist the Controller in responding to requests from data subjects to exercise their rights under the UK GDPR, to the extent applicable, including but not limited to:

  • Right of access

  • Right to rectification

  • Right to erasure

  • Right to restriction of processing

  • Right to data portability

  • Right to object

4.2. Given the anonymisation of survey data:

  • The Processor cannot re-identify individual responses once staff emails are separated from the survey data.

  • The Processor cannot directly link student responses to specific individuals, as personal data is collected via the magic link system. However, given the level of demographic data collected, there remains a potential for triangulation, meaning the data is more accurately classified as pseudonymised rather than fully anonymised. As such, it remains subject to data protection regulations regarding processing and transfers.

  • Any subject access request will be reviewed in collaboration with the Controller to confirm whether any identifiable data exists before responding.

5. Compliance with UK GDPR Obligations

5.1. The Processor shall assist the Controller in ensuring compliance with its obligations under the UK GDPR, including:

  • Implementing appropriate technical and organisational measures to ensure the security of processing, including:

    • Two-Factor Authentication (2FA) for setup and dashboard access.

    • Role-based access control, ensuring only authorised individuals can manage survey distribution and data.

    • Secure data transmission to prevent interception or tampering.

  • Schools retain full control over whom they share staff and student surveys with, aligning with their own safeguarding policies.

5.2. The Processor shall notify the Controller of any personal data breach within 24 hours of detection, providing all necessary information to support compliance with reporting obligations.

5.3. Breach Reporting Contact:

  • If the Controller suspects a data breach, they must report it immediately to:
    Email: office@thegec.education

5.4. The Processor shall assist with the completion of Data Protection Impact Assessments (DPIAs) and prior consultations with the Information Commissioner’s Office (ICO) where required.

6. Lawful Basis for Processing

6.1. The Processor and Controller confirm the lawful basis for processing as follows:

  • Staff email verification is processed under legitimate interest (for security purposes).

  • Survey responses are fully anonymised and do not constitute personal data.

  • Students provide digital consent before participation, in compliance with the ICO’s Digital Rights of the Child guidance.

7. Third-Party Processors and International Data Transfers

7.1. If any third-party services (e.g., hosting providers, analytics tools) process the data, the Processor shall ensure they comply with UK GDPR and implement equivalent security and confidentiality measures.

7.2. The Processor confirms that all data processing occurs within GDPR-compliant jurisdictions, ensuring data protection standards equivalent to those in the UK and EU.

Data Collection & Ethical Standards

The GEC Platform has been developed as part of founder Nic Ponsford’s doctoral research at Bournemouth University. This dual role means our work undergoes two layers of validation: one as part of the GEC Platform’s development as a company and another through Nic’s academic research, ensuring rigorous scrutiny at both levels. As we work with live data, it is always evolving.

Participant Data Protection

  • All staff and student data in the GEC Platform is anonymous, ensuring compliance with GDPR and ethical standards, including the ICO’s Digital Rights of the Child.

  • When our members close their surveys, our technology automatically separates participant information from the results. This means that even we cannot align individuals with their responses—demonstrating our serious commitment to ethical, participatory user experiences and safeguarding.

  • Our GEC Platform Terms (Clause 13 of our terms) and GEC Privacy policy outline our ethical commitments.

Bournemouth University’s Ethical Approval

All research underpinning the Platform adheres to Bournemouth University's Code of Practice for Research Ethics. This ensures:

  • Strict ethical and safeguarding protocols to protect participant wellbeing and confidentiality.

  • Compliance with national standards on inclusion, diversity, and data protection.

  • Rigorous ethical oversight, including informed consent, risk mitigation, and the right to withdraw at any time.

  • A dual-layered safeguarding approach, integrating GEC’s policies with the university’s ethical framework.

Data Integrity & Expert Oversight

In each report we produce, we analyse responses from 26,000+ students, teachers, and staff, extracting valuable insights from over 1.8 million data points. Due to the scale and pioneering nature of this dataset, our Head of AI and Data Technology oversees the entire data extraction and validation process. This ensures that our findings are not only accurate and reliable but also grounded in a robust and methodologically sound approach.