Here are our PrimarySite answers to your GDPR queries
Getting Started
Welcome to our guide for understanding those all-important GDPR questions.
GDPR answers for schools
- Can I have a copy of your GDPR compliance statement?
Juniper Education is committed to compliance with all relevant Data Protection Legislation. The organisation will maintain a suite of policy documents setting out how it intends to implement management controls sufficient to ensure legal compliance with Data Protection Legislation and will ensure that these documents are reviewed periodically to a) test their adequacy in meeting the legal standards as they change over time, and b) to test the organisation’s compliance with them. The organisation will ensure that all relevant personnel and/or other persons it commissions to process personal data on its behalf, either directly or indirectly, have received appropriate and sufficient training in the application of the organisation’s policies.
The management will ensure that sufficient and appropriate resources are available to ensure that the organisation meets both its legal obligations in respect of Data Protection Legislation and the standards that it sets through its policies.
The management will ensure that the organisation works within the 7 data protection principles and that it will implement sufficient controls to ensure that it is able to demonstrate compliance with the Data Protection Legislation including the keeping of sufficient records of data processing activities, risk assessments and relevant decisions relating to data processing activities.
The organisation will uphold the rights and freedoms of people conferred on them by the Data Protection Legislation. It will ensure that those rights and freedoms are appropriately taken into account in the decisions it takes which may affect people and will ensure that it has sufficient controls in place to assist people who wish to exercise their rights.
The policy applies to all of the organisation’s activities or operations which involve the processing of personal data.
The policy applies to anyone who is engaged to process personal data for or on behalf of the organisation including: employees, volunteers, casual and temporary staff, directors and officers, third parties such as sub-contractors and suppliers, and anyone with whom the organisation shares or to whom it discloses personal data.
- Where is your Privacy Notice?
Privacy Policy | Juniper Education
- Is PrimarySite GDPR compliant?
Yes
- Where is our website data stored?
It is currently stored on secure servers in London and Dublin.
- Can we have photos of leavers on our website?
There may be circumstances in which you wish to process a child’s personal data including photographs using consent as your lawful basis for processing. This may be appropriate if you are truly able to give children (or their parents) informed choice and control over how you use their personal data.
The UK GDPR consent guidance provides details about the various requirements for valid consent, and you need to meet all of these. In addition, you need to consider the competence of the child (whether they have the capacity to understand the implications of the collection and processing of their personal data). If they do have this capacity then they are considered competent to give their own consent to the processing, unless it is evident that they are acting against their own best interests.
You should also take into account any imbalance of power in your relationship with the child, to ensure that if you accept their consent it is freely given.
Where the child is not competent then, in data protection terms, their consent is not ‘informed’ and it therefore isn’t valid. If you wish to rely upon consent in this situation, you need the consent of a person with parental authority over that child, unless it is evident that it would be against the best interests of the child to seek such parental consent.
In England, Wales and Northern Ireland there is no set age at which a child is generally considered to be competent to provide their own consent to processing. In Scotland children aged 12 or over are presumed to be of sufficient age and maturity to provide their own consent for data protection purposes, unless the contrary is shown.
In some contexts you may be able to make an individual assessment of the competence of a child. However, if you aren’t in a position to make this kind of assessment then you should at least take into account the age of the child and the complexity of what you are expecting them to understand.
If you accept consent from a holder of parental responsibility over a child then you also need to think about how you let the child know that he or she has a right to withdraw that consent once they are competent to make such a decision. You should provide this information in any case as part of any privacy information directed at the child. We would also recommend that you include it as part of any regular reminders you send to data subjects about their privacy settings and how to update them.
- Are you GDPR compliant with requesting consent with cookies?
Juniper Education uses the following cookies:
- Strictly necessary cookies. These are cookies that are required for the operation of our website. They include, for example, cookies that enable you to log into secure areas of our website, use a shopping cart or make use of e-billing services.
- Analytical or performance cookies. These allow us to recognise and count the number of visitors and to see how visitors move around our website when they are using it. This helps us to improve the way our website works, for example, by ensuring that users are finding what they are looking for easily. These cookies and pixels are used to deliver relevant ads, track email marketing or ad campaign performance and efficiency. This includes Google Analytics and Google Tag Manager.
- Functionality cookies. These are used to recognise you when you return to our website. This enables us to personalise our content for you, greet you by name and remember your preferences (for example, your choice of language or region).
- Targeting cookies. These cookies record your visit to our website, the pages you have visited and the links you have followed. We will use this information to make our website and the advertising displayed on it more relevant to your interests. This includes Google Ads, Facebook Ads, Twitter Ads and LinkedIn Ads.
- How does our school ensure contracts and data sharing agreements are compliant?
It is the responsibility of the school to request a signed data sharing agreement from PrimarySite, known as the Data Controller/Data Processor Agreement.
To help schools, we have created a template for them to use; they just need to fill this in and return it to us.
These templates can also be sent to other data processors, should they need a copy.
- What information does WONDE use?
Wonde only pulls the MIS data that the application (in our case the PrimarySite application) requires to function. Since GDPR, they only gather data that is required. If the school requests it, they can block data that they do not wish to share; however, this may break functionality for the application that they wish to use.
- How will you manage any legal contract changes for GDPR compliance?
The Data Protection Officer (DPO) will have responsibility for reviewing practices and procedures in line with any changes to GDPR and appropriate data protection legislation.
- I have had an HTTP warning; what does this mean?
My web browser says my school's website is not secure.
Some web browsers notify users when they visit a website over an HTTP connection that the site is “not secure”. HTTPS, the secured version of the HTTP connection, encrypts information between the browser and the server, with the server’s credentials verified by a trusted third party.
We use HTTPS on specific areas of your website, such as logging in, editing the site, accessing private pages and posting messages via a contact form, to ensure they are secure. For all other connections we use HTTP, as visitors who are browsing the website are accessing content that the school deems should be publicly available.
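A school checking the split described above (HTTPS for login, editing, private pages and contact forms; HTTP elsewhere) will want to confirm that no form carrying credentials, and no page already served over HTTPS, falls back to plain HTTP. The following is an added example, not PrimarySite code: it uses only the Python standard library, and the page URL and HTML below are constructed for illustration. It reports forms that submit over HTTP, password forms delivered on an HTTP page, and HTTP sub-resources (mixed content) on an HTTPS page.

```python
"""Added example (not PrimarySite code): flag forms and sub-resources in an HTML
page that would travel over plain HTTP. Standard library only; sample input is
constructed for illustration."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _Collector(HTMLParser):
    """Collects <form> elements (action + whether they carry a password field)
    and the URLs of scripts, images, iframes and stylesheets."""

    def __init__(self):
        super().__init__()
        self.forms = []           # list of {"action": str, "password": bool}
        self.resources = []       # raw src/href values of sub-resources
        self._current_form = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current_form = {"action": a.get("action") or "", "password": False}
        elif tag == "input" and self._current_form is not None:
            if (a.get("type") or "").lower() == "password":
                self._current_form["password"] = True
        elif tag in ("script", "img", "iframe") and a.get("src"):
            self.resources.append(a["src"])
        elif tag == "link" and a.get("href") and "stylesheet" in (a.get("rel") or "").lower():
            self.resources.append(a["href"])

    def handle_endtag(self, tag):
        if tag == "form" and self._current_form is not None:
            self.forms.append(self._current_form)
            self._current_form = None


def find_plaintext_risks(page_url, html):
    """Return a list of (finding, url) tuples:
    - form-over-http / password-over-http: the form's resolved action is http://
    - password-form-on-http-page: the form posts to https:// but the page that
      delivered it arrived over http://, so the form itself was not protected
    - mixed-content: an https:// page loads a sub-resource over http://"""
    parser = _Collector()
    parser.feed(html)
    page_scheme = urlsplit(page_url).scheme
    findings = []
    for form in parser.forms:
        # An empty action submits back to the page itself.
        target = urljoin(page_url, form["action"]) if form["action"] else page_url
        if urlsplit(target).scheme == "http":
            kind = "password-over-http" if form["password"] else "form-over-http"
            findings.append((kind, target))
        elif form["password"] and page_scheme == "http":
            findings.append(("password-form-on-http-page", page_url))
    if page_scheme == "https":
        for res in parser.resources:
            resolved = urljoin(page_url, res)
            if urlsplit(resolved).scheme == "http":
                findings.append(("mixed-content", resolved))
    return findings


# Constructed sample: a public page served over HTTP that embeds a login form
# posting to HTTPS and a contact form posting back to the HTTP page.
SAMPLE_PAGE_URL = "http://www.example-school.test/contact"
SAMPLE_HTML = """
<html><body>
<form action="https://www.example-school.test/login" method="post">
  <input type="text" name="user"><input type="password" name="pw">
</form>
<form action="/contact" method="post"><input type="text" name="msg"></form>
<script src="//cdn.example.test/app.js"></script>
</body></html>
"""

if __name__ == "__main__":
    for kind, url in find_plaintext_risks(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"{kind}: {url}")
```

Run it against saved HTML of each page type (public page, login page, contact page, a private page) with that page's real URL as `page_url`; an empty list means every form on the page submits over HTTPS and, where the page itself is HTTPS, nothing is loaded over HTTP.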
We are working towards encrypting all website traffic to simplify things for visitors.
- What is the subject matter of the processing?
Our clients transfer a variety of personal data to PrimarySite Limited, such as names, emails, etc., and also special category data and child-related data such as photos and video, which enable us to fulfil our contractual obligations in delivering our products and services to our clients.
- What is the nature and purpose of processing? (Why do we process data?)
The purpose we use all categories of personal data for is to enable the delivery and administration of our products and services. These include such ‘processing’ as:
- Designing and delivering web-based solutions;
- Designing and implementing bespoke websites;
- Responding to enquiries and complaints;
- Providing general support;
- Administration of accounts.
- What type of data is held?
See 8
- What are the categories of data subject?
See 8
- For how long is the data held?
2 years after leaving PrimarySite
Formal written response;
Personal Data processed by PrimarySite Limited (the Data Processor) ensuing from the contract will be retained in accordance with the instruction indicated in the contract with the school (the Data Controller) and will not be retained for a period longer than is necessary to fulfil the contract, and not retained for a period longer than 6 months after the termination or natural conclusion of the contract unless an overriding legal or further contractual obligation, or vital public interest dictates that the Personal Data must be processed for a longer period.
The period of 6 months after the termination or natural conclusion of the contract is to allow a reasonable period to permit the secure return of all Personal Data to the school as the Data Controller. The means of returning the Personal Data will be agreed at the point of the termination or natural conclusion of the contract and will use a secure technological based and agreed solution.
If required by the school (as the Data Controller) and a Data Subject instruction duly received from the Data Controller or higher legal authority to destroy or erase Personal Data, PrimarySite Limited as the Data Processor will carry out a properly presented and lawful request without undue delay and confirm the destruction or erasure in accordance with the obligations of Article 19.
Other Personal Data not forming part of the contract but processed on a lawful and Legitimate Interest basis, belonging to a limited number of Data Subjects within the school, i.e., decision makers, contract managers, etc., may be held on PrimarySite Limited’s CRM (Customer Relationship Management) system for the purpose of delivering goods and services, providing information to the Data Subject and offering goods and services. This Personal Data may be held indefinitely but under regular review in accordance with PrimarySite Limited’s ‘Retention of Records Procedure’. Data Subjects of course have the Right of Access (Article 15(1)) to their Personal Data and to exercise other Rights of which they will be made aware within PrimarySite Limited’s Privacy Notice.
- Who is your Data Protection Officer (DPO)? / Who do I send a Subject Access Request (SAR) to?
Gayle Richardson (Data Protection Officer)
Email address: dpo@junipereducation.org
Postal address: Juniper Education Services Limited, Boundary House, 4 County Place, Chelmsford, CM2 0RE
Telephone number: 0345 200 8600
- Is Google Analytics GDPR Compliant?
Google Analytics is only used for statistical purposes, so it is compliant with GDPR Article 89:
http://www.privacy-regulation.eu/en/article-89-safeguards-and-derogations-relating-to-processing-for-archiving-purposes-the-public-interest-scientific-or-hi-GDPR.htm
PrimarySite Statement of Compliance
Introduction
The EU General Data Protection Regulation (“GDPR”) came into force across the European Union on 25th May 2018 and brings with it the most significant changes to data protection law in two decades. Based on privacy by design and taking a risk-based approach, the GDPR has been designed to meet the requirements of the digital age.
The 21st Century brings with it broader use of technology, new definitions of what constitutes personal data, and a vast increase in cross-border processing. The new Regulation aims to standardise data protection laws and processing across the EU; affording individuals stronger, more consistent rights to access and control their personal information.
Following the UK’s exit from Europe the UK GDPR came into force in January 2021.
Our Commitment
PrimarySite Ltd (‘we’ or ‘us’ or ‘our’) are committed to ensuring the security and protection of the personal information that we process, and to provide a compliant and consistent approach to data protection. We have always had a robust and effective data protection program in place which complies with existing law and abides by the data protection principles. However, we recognise our obligations in updating and expanding this program to meet the demands of the GDPR and the UK Data Protection Act 1998.
PrimarySite Ltd are dedicated to safeguarding the personal information under our remit and in developing a data protection regime that is effective, fit for purpose and demonstrates an understanding of, and appreciation for the new Regulation. Our preparation and objectives for GDPR compliance have been summarised in this statement and include the development and implementation of new data protection roles, policies, procedures, controls and measures to ensure maximum and ongoing compliance.
Measures taken to ensure GDPR compliance
PrimarySite Ltd already have a consistent level of data protection and security across our organisation; however, we have taken measures to ensure we are GDPR compliant. Our preparation includes:
- Information Audit - carrying out a company-wide information audit to identify and assess what personal information we hold, where it comes from, how and why it is processed and if and to whom it is disclosed.
- Policies & Procedures - revising data protection policies and procedures to meet the requirements and standards of the GDPR and any relevant data protection laws, including:
- Data Protection – our main policy and procedure document for data protection has been overhauled to meet the standards and requirements of the GDPR. Accountability and governance measures are in place to ensure that we understand and adequately disseminate and evidence our obligations and responsibilities; with a dedicated focus on privacy by design and the rights of individuals.
- Data Retention & Erasure – we have updated our retention policy and schedule to ensure that we meet the ‘data minimisation’ and ‘storage limitation’ principles and that personal information is stored, archived and destroyed compliantly and ethically. We have dedicated erasure procedures in place to meet the new ‘Right to Erasure’ obligation and are aware of when this and other data subjects’ rights apply, along with any exemptions, response timeframes and notification responsibilities.
- Data Breaches – our breach procedures ensure that we have safeguards and measures in place to identify, assess, investigate and report any personal data breach at the earliest possible time. Our procedures are robust and have been disseminated to all employees, making them aware of the reporting lines and steps to follow.
- International Data Transfers & Third-Party Disclosures – where PrimarySite Ltd stores or transfers personal information outside the EU, we have robust procedures and safeguarding measures in place to secure, encrypt and maintain the integrity of the data. Our procedures include a continual review of the countries with sufficient adequacy decisions, as well as provisions for binding corporate rules; standard data protection clauses or approved codes of conduct for those countries without. We carry out strict due diligence checks with all recipients of personal data to assess and verify that they have appropriate safeguards in place to protect the information, ensure enforceable data subject rights and have effective legal remedies for data subjects where applicable.
- Subject Access Request (SAR) – we have revised our SAR procedures to accommodate the revised 30-day timeframe for providing the requested information and for making this provision free of charge. Our new procedures detail how to verify the data subject, what steps to take for processing an access request, what exemptions apply and a suite of response templates to ensure that communications with data subjects are compliant, consistent and adequate.
- Legal Basis for Processing - we are continually reviewing all processing activities to identify the legal basis for processing and ensuring that each basis is appropriate for the activity it relates to. Where applicable, we also maintain records of our processing activities, ensuring that our obligations under Article 30 of the GDPR and Schedule 1 of the Data Protection Bill are met.
- Privacy Notice/Policy – we have revised our Privacy Notice(s) to comply with the GDPR, ensuring that all individuals whose personal information we process have been informed of why we need it, how it is used, what their rights are, who the information is disclosed to and what safeguarding measures are in place to protect their information.
- Obtaining Consent - we are revising our consent mechanisms for obtaining personal data, ensuring that individuals understand what they are providing, why and how we use it and giving clear, defined ways to consent to us processing their information. We have developed stringent processes for recording consent, making sure that we can evidence an affirmative opt-in, along with time and date records; and an easy to see and access way to withdraw consent at any time.
- Direct Marketing - we are revising the wording and processes for direct marketing, including clear opt-in mechanisms for marketing subscriptions; a clear notice and method for opting out and providing unsubscribe features on all subsequent marketing materials.
- Data Protection Impact Assessments (DPIA) – where we process personal information that is considered high risk, involves large scale processing or includes special category/criminal conviction data; we have developed stringent procedures and assessment templates for carrying out impact assessments that comply fully with the GDPR’s Article 35 requirements. We have implemented documentation processes that record each assessment, allow us to rate the risk posed by the processing activity and implement mitigating measures to reduce the risk posed to the data subject(s).
- Processor Agreements – where we use any third-party to process personal information on our behalf (i.e. Payroll, Recruitment, Hosting etc), we have drafted compliant Processor Agreements and due diligence procedures for ensuring that they (as well as we), meet and understand their/our GDPR obligations. These measures include initial and ongoing reviews of the service provided, the necessity of the processing activity, the technical and organisational measures in place and compliance with the GDPR.
- Special Categories Data - where we obtain and process any special category information, we do so in complete compliance with the Article 9 requirements and have high-level encryptions and protections on all such data. Special category data is only processed where necessary and is only processed where we have first identified the appropriate Article 9(2) basis or the Data Protection Bill Schedule 1 condition. Where we rely on consent for processing, this is explicit and is verified by a signature, with the right to modify or remove consent being clearly signposted.
Data Subject Rights
In addition to the policies and procedures mentioned above that ensure individuals can enforce their data protection rights, we provide easy to access information via our website and in internal documents of an individual’s right to access any personal information that PrimarySite Ltd processes about them and to request information about:
- What personal data we hold about them
- The purposes of the processing
- The categories of personal data concerned
- The recipients to whom the personal data has/will be disclosed
- How long we intend to store their personal data for
- If we did not collect the data directly from them, information about the source
- The right to have incomplete or inaccurate data about them corrected or completed and the process for requesting this
- The right to request erasure of personal data (where applicable) or to restrict processing in accordance with data protection laws, as well as to object to any direct marketing from us and to be informed about any automated decision-making that we use
- The right to lodge a complaint or seek judicial remedy and who to contact in such instances
Information Security & Technical and Organisational Measures
PrimarySite Ltd takes the privacy and security of individuals and their personal information very seriously and takes every reasonable measure and precaution to protect and secure the personal data that we process. We have robust information security policies and procedures in place to protect personal information from unauthorised access, alteration, disclosure or destruction and have several layers of security measures, including:
- SSL
- TLS
- restricted access
- IT authentication
- Firewalls
- anti-virus/malware
GDPR Roles and Employees
PrimarySite Ltd have a designated Data Protection Officer and have appointed a data privacy team to develop and implement our roadmap for complying with the new data protection Regulation. The team are responsible for promoting awareness of the GDPR across the organisation, assessing our GDPR readiness, identifying any gap areas and implementing the new policies, procedures and measures.
PrimarySite Ltd understands that continuous employee awareness and understanding is vital to the continued compliance of the GDPR and have involved our employees in our preparation plans. We have implemented an employee training program, which was provided to all available employees prior to May 25th, 2018, and forms part of our induction and annual training program.
If you have any questions about our preparation for the GDPR, please contact our Data Protection Officer - dpo@junipereducation.org