Privacy Notice
Summary:
IDL is committed to protecting your privacy and safeguarding your personal information. We will use your personal information in accordance with Data Protection Legislation. Such as the UK GDPR, The Privacy, and electronic communications regulations (PECR), The Data Protection Act 2018, and the General Data Protection Regulation.
It is important to read and understand this Privacy Notice and any other Privacy Notice or fair processing notice we may provide on specific occasions carefully, as it is meant to help you understand what information we collect, why we collect it, and how you can update, manage, export, and delete your information. This privacy notice supplements the Children’s Privacy Notice and does not supersede it. IDL will review and update this Privacy Notice to reflect company and customer feedback and changes to laws and regulations.
Does this notice apply to you?
This Privacy Notice is for anyone who contacts us in connection with our products or services:
- Current, past, and prospective schools who use our product.
- Current, past, and prospective academy staff, and guardians or parents of users
- Current, past, prospective learners (inclusive of home users)
- Current, past, and prospective visitors.
- Users of our website.
- Current, past, and prospective third parties that provide services to us.
Other relevant policies and pages:
- Cookies policy
- Terms and conditions
- Contact us
- Employee Privacy Policy (For attention of IDL staff)
- Recruitment Privacy Notice (For Ascentis and IDL)
- End User License Agreement (For customers only)
SECTION 1: WHO ARE IDL?
‘We’/’IDL’ means International Dyslexia Learning Solutions Limited, we are the processors for the purposes of the Data Protection Act 2018 (as may be updated, amended, and superseded) and the UK General Data Protection Regulation (together with the “Data Protection Legislation”). A data controller is a person or organisation who alone or jointly determines the purposes and means of the processing of personal data, this would be the school that register to use our application. A data processor is a person or organisation who alone or jointly processes personal data on the controller’s behalf. Personal data is any information that relates to you, and you can be identified from.
IDL have voluntarily appointed ‘The DPO Centre Ltd’ as our external Data Protection Officer (DPO), they can be contacted at hello@dpocentre.com should you require their assistance following contact or communications with our Legal, Risk & Data Protection department.
IDL have appointed IT Governance Europe Limited as our EU representative; If you are a data subject within the EU, and you wish to exercise your rights under the EU General Data Protection Regulation (EU GDPR) or have any queries in relation to your rights or general privacy matters, please email our Representative at: eurep@itgovernance.eu
SECTION 2: Collecting your data
We collect, use, store and/or transfer various kinds of personal data about you depending on our relationship with you:
IDL software user information:
| Types of data: | Data collection point: | Category of data: | Purpose: | Primary Lawful basis: | Retention period: |
| Pupil full name, DOB, gender, username, address, IP address | Registering onto IDL software. | Personal, may include child data if provided by the school | Provision of services (Inclusive of issuing progress reports) | Contractual obligation | Upon receipt of deletion request from license administrator or individual data subject or 30 days following the due date of your latest renewal invoice (if we are in receipt of a cancellation request from yourselves from our services) |
Reporting Update:
As part of IDL’s software, we are aware that teachers need to produce reports for both individual and groups of pupils. These reports chart the progress of pupils through their enrolled programs and highlight improvements in ability by interpreting the results of periodic tests.
This update provides a mechanism for reports to be generated and saved on a cloud-based server.
Teachers will be able to download any reports they have generated for a period of 30 days from the generation date, after which time they will be automatically deleted.
What personal information is included in this update?
The full name and date of birth of each learner will be included in these reports.
This will be linked to test results that could potentially highlight a specific learning difficulty.
Supplier information:
| Types of data: | Data collection point: | Category of data: | Purpose: | Primary Lawful basis: | Retention period: |
| Business contact name, email, phone number | CRM Software | Personal | Provision of business | Contractual obligation/Publicly available information | 6 years following termination of contract |
Centre Tutor/Teacher information:
| Types of data: | Data collection point: | Category of data: | Purpose: | Primary Lawful basis: | Retention period: |
| Staff members’ full name, username, , email, phone number | Registering on IDL software | Personal | Provision of services | Contractual obligation | Upon receipt of deletion request from license administrator or individual data subject or 30 days following the due date of your latest renewal invoice (if we are in receipt of a cancellation request from yourselves from our services) |
Job applicants:
| Types of data: | Data collection point: | Category of data: | Purpose: | Primary Lawful basis: | Retention period: |
| Upon receipt of CV/job application | Personal | Contractual obligation |
IDL premises visitor information:
| Types of data: | Data collection point: | Category of data: | Purpose: | Primary Lawful basis: | Retention period: |
| CCTV recording | Arrival on IDL company premises | Personal | Security – Maintains log of entrances and exits of the IDL building | Legitimate interests | 2 weeks
|
| Full name, workplace, contact number, address, face photograph | Upon registering arrival on tablet in reception | Personal | Security – Maintains log of entrances and exits of the IDL building – Logged on software ‘Inventry’ | Legitimate interests | Deleted 90 days after visit
|
SECTION 3: Where do you get my personal information from?
You may give us information when you.
- Contact us via telephone, letter, or email
- Use our website, online forms, applications, surveys, or reports
- Book any training
- Provide data concerning your marketing preferences
- Enquire about, or apply for job vacancies
- Enquire about, search, apply for, or purchase our products or services
- Take part in discussion boards or other forms of social media
- Give us feedback or contact us
- Provide us with identification
- Contact us via live chat
- Network with us
- To provide you with details and updates about our products and services, and products and services from our partners and other relevant third parties.
- To provide you with important services communications, including communications in relation to any information on products and services you are contracted with us to provide
- We use your information for market research and identify trends. Market research agencies acting on our behalf may contact you by post, telephone, email, or other methods of communication to invite you to take part in the research.
Information we receive from others:
- Information we receive from vetted and approved third-party agencies
- Information we gather from publicly available sources in the public domain
Do you use Cookies?
IDL does collect data via the use of cookies. This data will be used by IDL to deliver customised content and advertising to customers whose behaviour indicates that they are interested in a particular subject area. The IDL website also uses cookies to help you personalise your online experience.
For more information, see our Cookies Policy here.
What are cookies?
A cookie is a piece of information that is held on the hard drive of your computer which records how you have used a website. Cookies allow website operators to accumulate useful information, such as whether the computer (and sometimes its user) has visited the site before. This is done on a repeat visit by checking to see, and finding, the cookie left there on the last visit.
For general enquires about cookies, see All About Cookies | Online Privacy and Digital Security
What happens if I do not give you my personal information?
Where we need to collect personal data because of law or a contract we have with you, if you aren’t able or do not want to provide the data when we need it, we may not be able to perform the contract we have or are trying to enter with you (for example, to provide the application or the service). In this case, we may have to cancel a service you have with us, but we will notify you if this is the case at the time.
SECTION 4: LAWFUL PURPOSES FOR PROCESSING YOUR DATA
Under data protection law, we can only use your personal information if we have a proper reason (lawful purpose) for doing so:
Legitimate interests.
‘Legitimate interests’ is different to the other lawful bases as it is not centred around a particular purpose (e.g., performing a contract with the individual, complying with a legal obligation, protecting vital interests, or carrying out a public task), and it is not processing that the individual has specifically agreed to (consent). ‘Legitimate interests’ is more flexible and could in principle apply to any type of processing for any reasonable purpose.
We process your personal data for our legitimate business purposes:
- to conduct and manage our business, such as improving quality control and training
- For the use of CCTV on the IDL site.
- to ensure our website gives the user a pleasant experience and our systems are secure, this may include troubleshooting problems, conducting tests, and analysing statistics.
- to improve and update our services for the benefit of our clients, by gathering statistical analysis relating to performance, client base, and service and product range
- to let our clients, know about our products or services that we consider may be of interest to them
- to prevent and detect fraud against you or IDL Services, like preventing unauthorised access and modifications/ updates to the system and platform
- recruitment process activities if you apply for a job vacancy to assess your suitability
We also process your personal data for marketing purposes:
If you wish to opt-out of this type of processing, please contact us using the information below:
We can send you marketing messages by post, email, telephone, text, or through social media. You can change your mind on how you receive marketing messages or choose to stop receiving them at any time. If you think the personal information that we hold about you is inaccurate or incorrect, you can request that we correct this information (including your marketing preferences). To make that change, please email us at unsubscribe@idlsgroup.com describing your preferences or use the ‘unsubscribe’ functionality in the footer of email communications sent to you.
Any responses that you provide whilst participating in market research will be reported back to us anonymously unless you give us permission for your details to be shared. We may also use your information to invite you to participate in market research. If we do contact you about market research, you do not have to participate. If you tell us that you do not want to receive market-research communications, we will respect this.
For the above internal direct marketing purposes for school communications, we have performed a Legitimate Interests Assessment to ensure we are compliant with UK Data Protection Laws. This assessment has also been completed for International Dyslexia Learning Solutions to share data with Ascentis.
Contractual Obligation:
We use your personal data for the following purposes on the basis that it is necessary for us to provide our services to you:
- to identify you
- to respond to your enquiry if you contact us
- to support learning centres and tutors
- to provide pre-contractual information about our services
- to conduct our recruitment of employees
- to provide and customise our services to you
- to conduct billing and administration activities, like processing payments, issuing invoices and credit reference checks via external credit reference agencies
- conducting audits and checks to identify our clients and verify their identity.
- To deal with any issues or complaints you have
Accordingly, if you are unable to provide such personal data this may make it difficult or prevent us from providing our services to you.
Compliance with laws:
We use your personal data to comply with laws (for example, if we are required to co-operate with a police investigation after a court order ordered us to. This may include investigations by regulatory bodies, ensuring the confidentiality of sensitive information, maintaining personal data is accurate and up to date, or health and safety regulations.
Consent:
Normally, we do not use consent as the legal basis for processing your personal data; but should there ever come an instance where we do, we may have to get your consent to use your personal data such as when we collect and use sensitive information about you or when we want to send you third party direct marketing communications to you via email, letters, or phone calls.
You have the right to withdraw consent at any time.
SECTION 5: USAGE OF YOUR PERSONAL DATA
We use the information you provide when placing an order to complete that order and to service your account. We do not share this information with outside parties except: 1. to the extent necessary to complete that order or to provide you with services by way of our service providers or contracted partners (e.g., payment processing, customer support); or 2. to successors in title to our business; or 3. in accordance with legal and regulatory requirements or to respond to a government request; or 4. as necessary, in IDL’ sole discretion, to protect the perceived rights, safety and property of IDL, users of our websites or services, and the public.
Do you use personal information about Children?
We will only process personal information regarding children, such as names provided by the teacher so they can identify students, (although we recommend alias names are used), DOB for test results by age as required by teachers, and gender as required by schools to compare results and effectiveness between gender groups.
In the event we learn that we collected personal information from anyone under the age of sixteen beyond the above scope, and do not have a teacher, parent, or guardian's consent, we will delete that information as quickly as possible. This is because the school or parent/guardian function as the ‘controller’ of learner data, by providing the login details and access to the product. Please refer to the EULA for further details.
Will you share my personal information?
All personal data we acquire is saved on our servers in the UK and no personal, sensitive, or special category data is shared with third parties.
- Any data uploaded by the teacher/admin which is required to use the IDLS products are stored on our cloud server-based platform in the UK. The input of data includes school name and address, pupil/user ID (not name), pupil age/date of birth; and gender (if they wish). We may share some information, where it is lawful to do so, with the following organisations who provide us with assistance in delivering our products, applications, or services or where we are legally obliged to share information (including providing IT services and assisting us with carrying out marketing activities): other companies within our group and our employees, consultants and agents and our professional advisers, such as lawyers and accountants.
- our business partners, clients, suppliers, and sub-contractors
- courts of law and government or regulatory authorities
- third parties to which we outsource certain services such as couriers, IT systems or software providers, IT support service providers, and document and information storage providers
- third-party service providers to assist us with client insight analytics.
- other organisations for the purposes of fraud/crime protection and investigation
- where it is required as part of any proposed sale, reorganisation, transfer, financial arrangement, asset disposal or other transaction relating to our business and/or business assets
- anyone else with your permission
We require all third parties to respect the security of your personal data and to treat it in accordance with the law. IDL will not sell, rent, or lease your personal data to any third party.
Third-party organisations that provide services to us (including providing IT services and assisting us with conducting marketing activities):
- Hilton Baird – Debt Collectors
- Lawyers (various)
- Royal Bank of Scotland – payments to suppliers
- Microsoft
- Inventry – visitor and employee record of visit
- Portico – learner systems
- Amazon Web Services
- FCS Protect – Backups and business continuity
- Eventbrite
- SurveyMonkey
- PayPal
- Stripe
- Click dimensions
- RBS Credit card services
- TNT
- Royal Mail
- Veremark – Right to work checks
It is important that the personal data we hold is accurate and current. Please keep us informed if your personal data changes during your relationship with us.
We will not sell or rent your data to third parties.
Do you share my personal data overseas?
Your information is not shared, transferred, or stored in locations outside the UK.
SECTION 6: How do you keep my personal data safe?
IDL have adopted the principle of Data Protection by Design and Default. This means that at the beginning and continuing through any new project or system, we keep the safety and security of everyone’s personal data at the forefront and implement whatever measures are necessary to comply with data protection laws.
We require our staff and any third parties who conduct any work on our behalf to comply with appropriate compliance standards including obligations to protect any information and applying appropriate measures for the use and transfer of information.
IDL has a range of other technical and organisational measures in place to protect your personal data including being Cyber Essentials certified, two-factor authentication, access controls to restrict access on a need-to-know basis, uniquely identifying users to monitor and review access attempts, and physical security. Personal data is never disclosed or shared with unauthorised people. IDL has internal policies and controls in place to protect personal data against loss, accidental destruction, misuse, or disclosure, and to ensure that data is not accessed, except by employees in the proper performance of their duties. All your information is stored on secure servers within the UK.
We have procedures in place to deal with any suspected data security breach. This applies to a security breach leading to the accidental loss, damage, destruction or unlawful access or disclosure to your personal data. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so. If we discover that there has been a breach of personal data, it will be reported to the data controller (usually the school or teacher using our service) without undue delay. We will record all data breaches regardless of their effect. However, it would not be considered a breach if the personal data were received unknowingly or unintentionally and then erased in line with data minimisation policies. For example, if you sent us personal information that we did not require or request, we shall delete this as soon as possible and ask you to refrain from sending any unnecessary personal or special data again.
In certain circumstances, the GDPR allows personal data to be disclosed to law enforcement agencies without the consent of the data subject.
We will take all steps necessary to ensure that your data is treated securely and in accordance with this notice. We try to ensure that all information you provide to us is transferred securely via the website. We do not, however, have any control over what happens between your device and the boundary of our information infrastructure. You should be aware of the many information security risks that exist and take appropriate steps to safeguard your own information.
SECTION 7: Your rights
The right to be informed - We have a legal obligation to provide you with concise, transparent, intelligible, and easily accessible information about your personal information and our use of it. We have written this notice to do just that, but if you have any questions or require more specific information, you can get in touch using the information above.
The right to access your personal data - You have the right to ask us to confirm whether we hold any of your personal information. If we do, you have the right to have a copy of your information and to be informed of the following:
- •Why we have been using your information
- •What categories of information we were using
- •Who we have shared the information with
- •How long we envisage holding your information
To maintain the security of your information, we will have to verify your identity before we provide you with a copy of the information we hold. We may ask for your date of birth, address and/or photo identification. If someone is obtaining this information on your behalf, we will need sufficient proof that they are authorised to make this request on your behalf. For example, if a solicitor is acquiring this information for you, we will need proof of a power of attorney letter or written consent.
We will respond to your request without undue delay or within one month of receiving it. We have the right to extend disclosure for a further two months as per UK GDPR allowances – please refer to the ICO website for more details. The first copy of the information that you request from us will be provided free of charge. If you require further copies or make multiple requests, we may charge an administrative fee to cover our costs.
The right to correct any inaccurate or incomplete personal data - Where you have requested a copy of the information, we hold about you; you may notice that there are inaccuracies in the records, or that certain parts are incomplete. If this is the case, you can contact us so that we can correct our records.
The right to be forgotten - There may be times when it is no longer necessary for us to hold personal information about you. This could be if:
- The information is no longer needed for the original purpose that we collected it for
- You withdraw your consent for us to use the information (and we have no other lawful purpose to keep using it)
- You object to us using your information and we have no overriding reason to keep using it.
- We have used your information unlawfully, then we are subject to a legal requirement to delete your information
In those situations, you have the right to have your personal data deleted. If you believe one of these situations applies to you, please get in touch using the Contact Us section of the website. We can also refuse complete erasure if processing or holding your information is necessary to protect the right or freedom of expression and information or to exercise or defend legal claims.
The right to have a copy of your data transferred to you or a third party in a compatible format - Also known as Data Portability, you have the right to obtain a copy of your personal data for your own purposes. This right allows you to move, copy or transfer your personal data more easily from one IT system to another, in a safe and secure way. The right only applies if we are processing information based on your consent or for the performance of a contract (not legitimate interests or public task) and the processing is automated (does not include items like paper files).
If you would like us to transfer a copy of your data to you or another organisation in a structured, commonly used, and machine-readable format, please contact us. There is no charge for you to exercise this right.
The right to object to direct marketing - You can tell us at any time that you would prefer IDL not to use your information for direct marketing purposes. If you prefer not to receive any direct marketing from us, please contact us or use the links provided in any of our marketing communications, and we will stop sending direct marketing immediately.
The right to object to us using your information for our own legitimate interests - Sometimes, we use your personal information to achieve goals that will help us as well as you. This includes:
- When we tell you about products or services that are similar to ones that you have already bought
- When we use your information to help us make our business better
- When we contact you to interact, communicate or let you know about changes we are making
We aim to always ensure that your rights and information are properly protected. If you believe that the way we are using your data is not justified due to its impact on you or your rights, you have the right to object. We must stop using your personal data for these purposes unless we can prove legitimate and compelling grounds of the processing that overrides your interests, rights, and freedoms, or for the establishment or defence of legal claims.
You have the right to restrict how we use your personal data - You have the right to ask us to stop using your personal data in any way other than simply keeping a copy of it. This right is available where:
- You have informed us that the information we hold about you is inaccurate, and we have not yet been able to verify this
- You have objected to us using your information for our own legitimate interests and we are in the process of considering your objection
- We have used your information in an unlawful way, but you do not want us to delete your data
- We no longer need to use the information, but you need it for a legal claim
- -Guidance for this can be found on the ICO Website
If you restrict the processing of your personal data, IDL can store but not process that data, unless you consent to lift the restriction, the processing is necessary for legal claims, to protect the right of another person, or for the interests of the wider public.
You have rights related to automated decision making and profiling - Any automated decision-making or profiling we undertake is solely for the purpose of tailoring the information which we provide to you. We will not use automated decision-making or profiling to make any decisions that will have a legal effect upon you or otherwise significantly affect you, and you have the right not to be subject to such decisions.
IDL apps do not automatically profile learners, but they do use anonymised test result data for the purpose of ‘normalising’ scores to produce baselines for assessments as required by the schools. No personal data is used in these baselines. If you have any concerns or questions about this right, please contact us.
For more information on your rights under the GDPR, see https://ico.org.uk/for-the-pub...
How long do you keep my personal information?
We will keep your personal data in line with our data retention policy for no longer than is necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting or reporting requirements.
To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements. Retention periods are displayed in the table in clause 2.
Regarding learners using the IDL application, if a teacher removes a learner from the application, all that learner's data is deleted. If a centre/user withdraws and no longer wishes to use IDL’ services, data will be removed 30 days after the termination of the contract, and data from the backups will be removed 2 months after termination of the contract.
If you apply for a job vacancy, we will collect some of your personal data (this includes sending us your CV, any interview notes or communications containing personal data, your work references, right to work in the UK documents and proof of qualifications). If you are unsuccessful for the role, your personal data will be removed 6 months after the recruitment process has been completed. If you are successful, this data will be retained for 6 years after you leave or retire from the company. For more information upon appointment, please refer to our employee privacy policy.
SECTION 8: ACCESS TO PERSONAL INFORMATION & REQUEST PROCESS
Upon request, IDL will provide you with information about whether we hold any of your personal information. You may access, correct, or request deletion of your personal information by contacting us. We will respond to your request within a reasonable period.
Where required by applicable law, and notably by the General Data Protection Regulation (GDPR) for residents of the UK and European Union, you have the right to obtain confirmation of the existence of certain personal data relating to you, to verify its content, origin, and accuracy, as well as the right to access, review, port, delete, or to block or withdraw consent to the processing of certain Personal Data (without affecting the lawfulness of processing based on consent before its withdrawal), by contacting us as detailed below. You have the right to object to our use of Personal Data for any direct marketing and in certain other situations at any time. Please note that certain Personal Data may be retained as required or permitted by applicable law.
We may charge the allowable fee under applicable law for provision of this information. We will respond to your request within a reasonable period. Please note that additional information may be required to confirm and enable us to assist with your request. The period to address the request may vary depending on the nature of the request, however, we will endeavour to address the request as promptly as possible, typically within thirty (30) days and as may be required by law
If you wish to submit a request, please do so using the relevant format of a DSAR (Data subject access request) and send it to our data mailbox: data@idlsgroup.com
SECTION 9: Changes to Privacy Notice
We reserve the right to amend this Privacy Notice from time to time. If you have any questions or queries about the changes that we make from time to time, please tell us via the contact details provided below in this Privacy Notice.
IDL will review and update this Privacy Notice to reflect company and customer feedback and changes to laws and regulations. IDL encourages you to periodically review this notice to be informed of how IDL is protecting your information.
Equally, it is important that the personal data we hold about you is accurate and up to date. Please keep us informed if your personal data changes during your relationship with us.
SECTION 10: Complaints
We hope that we can resolve any query or concern you raise about our use of your information. So please contact us first and we will try our best to deal with your concerns.
We have a query section on our website which can be utilised to streamline this process.
The supervisory authority in the UK is the Information Commissioner’s Office which may be contacted by clicking here or by calling 0303 123 1113. The ICO’s complaints page can be found here: https://ico.org.uk/make-a-complaint/
We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.
SECTION 11: How can I contact you?
If you have any questions about this Privacy Notice or data protection generally or want to exercise your rights, please contact us as follow:
Email: data@idlsgroup.com
Telephone us on 01524 580 665.
Submit a request via our website contact us form.
Or, if you prefer, write us a letter and post to the following address: International Dyslexia Learning Solutions Limited, Ascentis House, Lancaster Business Park, 3 Mannin Way, Lancaster, LA1 3SW
To view our Children's Privacy Policy, please click here.
