Executive Summary – Data Privacy
The Key is committed to protecting your personal information when you are using The Key services. We want our services to be safe and useful environments for our audience. This Privacy Notice applies to information held about you and individuals connected to your organisation by The Key which acts as either a data controller or a processor depending on its role, as described below.
- who we are and how to contact us;
- how The Key may collect data from you and other data sources;
- the laws that apply to our use of your information;
- our roles when handling your data;
- what The Key will use this information for and how it will protect it;
- when The Key may use your details to contact you with marketing;
- whether The Key will disclose your details to anyone else and in any overseas country; and
- your choices regarding the personal information you provide to us.
We may need to update this policy and we will give you notice of this where reasonably possible; where you have given us your email address, we may use this to notify you of such changes and we will post a note on the sites to inform you that this policy has been updated. Please check this policy regularly to ensure you always understand how we use your information. All terms that are defined in this policy shall have the meanings given to them in the User Terms.
Last updated 22/09/2020
1. Who we are and how to contact us
We are The Key Support Services Limited trading as The Key (“The Key”, “us”, “we” or “our”), a company registered in England at 3rd Floor, 70 White Lion Street, London, N1 9PP with company number 08268303. Our VAT number is 185442884. The Key offers its subscribers access to a range of online resources aimed at school leaders, trust leaders and school governors. We are part of the same group of companies as Governor Hub (which offers online resources to school governors) and ScholarPack (which offers a management information system to schools).
Our data protection lead (DPL) responsible for communicating with you about our use of your data can be contacted at firstname.lastname@example.org.
2. How we collect data from you and other data sources
- from your use of our products and services;
- from you accessing official The Key content on other websites including social media.
You give us your personal data directly through registering for a free trial, setting up your user account profile and marketing preferences, commenting on content on our site, entering competitions and surveys, submitting ideas, booking event tickets as well as personal information you provide to us by phone, SMS, livechat, email, in letters and other correspondence and in person. It may also include data contained in content and records you upload to the site.
The types of this direct information we collect about you may include:
- Your name and job title;
- Your user name;
- Your email addresses;
- Your postal address;
- Telephone or mobile numbers;
- Your marketing preferences;
- Your user generated content;
- Your billing details;
- Your school(s) / academies / trust at which you are registered as a user;
- Your career experience;
- Other information we receive from your organisation.
- We may also process your training records.
In addition, The Key may receive and process technical data about you through:
- The information we get from your day to day use of the Site (for example frequency of visits, how long you spend on each page and the content you view, interact with, download and upload);
- Your IP address (which is a number that can uniquely identify a specific computer or other network device on the internet) and other unique online identifiers such as Google Advertising IDs;
- Your browser type;
- Your device’s operating requirements and its settings and permissions;
- Your location.
We need this data to assist with customer and technical support, to verify your credentials and access levels and to help our business understand the way our users interact with our service.
We also may collect data from the following third-party data sources (provided such collection and use is in accordance with data protection laws):
- any publicly available social media sources that may help us understand our audience and what products you might be interested in;
- our third-party service providers (e.g. to tell us you have paid for a product or extended your renewal or that a support ticket has been closed);
- our group companies (e.g. to tell us what products you are likely to find interesting);
- other subscribers to our services (i.e. through our ‘invite a colleague’ referral function or other individuals at your school);
- third party list providers.
3. The data protection laws and principles we honour
Whenever you provide us with your personal information, we are legally obliged to use your information in line with all applicable laws concerning the protection of personal information, including the UK Data Protection Act 2018 and the EC General Data Protection Regulation 2016/679 (“GDPR”) as those laws may be replaced or amended from time to time. These laws are referred to collectively in this policy as the “data protection laws”.
A fundamental feature of the data protection laws is the establishment of privacy principles at Article 5 of the GDPR including the principles of transparency, purpose-limitation, data accuracy, retention/storage, data security and integrity, and data minimisation. We operate our business in accordance with these principles.
A key principle of the GDPR is that we must have a lawful basis to use your data.
The six forms of lawful basis that are available are summarised in the info-graphic below:
The Key relies on two main legal bases for its use of your data.
Firstly, that our use is necessary in order to perform our contract with you (being our User Terms and the documents they refer to) and is a reasonably proportionate and integral use of your data. For example, this applies when we use your data to provide you with access to our resources and to fulfil orders for the products you have requested, to manage product and technical support, to bill you and to run integral support tools including engagement of essential third party providers.
Secondly, we rely on the ‘legitimate interests’ basis where our use of the data has been analysed to be balanced in our interests. This would cover our marketing and business intelligence and certain sales functions, certain of our analytics tools, our personalisation of your content, our processing of auto renewals and our engagement of third-party providers to provide any non-essential functions. We will continually assess our legitimate business needs against the need to maintain and protect your individual rights and freedoms. We are happy to make our assessment of our legitimate interests available to you upon request. In summary, we conduct a 3-stage test to challenge ourselves and confirm our legitimate interests to hold personal data as follows:
- We identify what our legitimate business interests are at any given time.
- We check the necessity of processing the personal data for the purpose which we are intending. We check that there are not any less intrusive means to deliver the objective.
- We make sure we weigh the balance of the interests of our business with the interests of the individuals whose personal information we hold.
We may also rely on your explicit consent on occasion during your online journey – for example to send you certain SMS messages, email messages, certain news briefings, some survey requests or where you wish us to help you share your professional experience with others.
When we do use your data and whichever legal basis we rely on, we will always ensure we consider that it is necessary and proportionate.
4. Our roles as a data controller and a processor
In common with most businesses, we handle your data in two different ways – firstly as a data controller when we handle your data for our own business purposes and make decisions on how and why to do this. This includes when we use it for marketing, invoicing and to provide you with the service you have subscribed to.
We may also process your data as a data processor on behalf of your school organisation. For example, when you use our site to store your training and compliance records or when you use our systems to record personal data about third parties such as teaching professionals and students. When we handle this data, we are processing it on your behalf and it is your school organisation that is the data controller.
The diagram below outlines the role and relationship of The Key to the personal data accessed through our services.
We may use these records as a data controller also (e.g. to build a marketing profile for you) but when we display them to you we do so on behalf of your school organisation. We do not claim ownership over any of the data processed for you as a data processor but you grant us a licence to use that data in accordance with the User Terms and this policy.
5. What will The Key use your information for?
We use your information:
- to provide you with access to our resources and to fulfil orders for the products you have requested;
- to manage and run integral product and technical support tools and to provide you with requested support;
- to bill you;
- for our marketing functions including (unless you tell us otherwise) telling you about products and services we think may be relevant for you;
- for business intelligence – to better understand our members and their locations so that we can personalise content, use analytical tools, improve online navigation and for product and service improvement;
- to ensure the technical security and business continuity of our Site;
- our legal rights and complying with our legal obligations.
We may also (directly or through third party providers) use your information to contact you about renewals. The Key operates an auto renewal policy so that we will advise you in good time before your due subscription renewal date of its expiry and if we do not hear from you informing us that you wish to cancel, we will automatically renew your subscription for a further year.
We may also monitor information and communications which may be recorded for purposes of quality assurance, training and fraud prevention.
Do we use automated decision making?
We may use automated systems or triggers to help us identify your compliance with the User Terms and to help us make decisions, for example helping us to identify the relevance of products or services to users or to help us understand the renewal risk profile of an individual user or group of users. These decisions do not have a legal or significant effect on you and do not affect the price offered to you. Individuals may have a right to certain information about automated decisions we make about them and may also have a right to request human intervention and to challenge the decision.
6. Marketing and other contact
The Key has two key reasons for contacting you (we may contact you in-app or in-product, using online live chat, by telephone, SMS or email, by post or social media as described in this policy):
Firstly, to provide you with service messages. Examples of these messages may be requests to verify user credentials, to confirm your orders, to inform you of renewal options, to communicate security, product and policy updates, to assist you with technical support or in relation to any correspondence we receive from you or any comment or complaint you make about The Key products or services.
Secondly, The Key may need to contact you for its marketing purposes. This may take the form of:
- direct postal mailings where the mailing is in our legitimate interests of informing you about a product or service we think you will find useful and will help grow our business;
- e-mail or SMS messages where this is legally permissible – for example where you are an existing user and our marketing is about similar products and services. We will always provide you with a way of opting out from hearing from us in the future;
- to invite you to participate in surveys or research – these may either be for our own legitimate business intelligence and marketing purposes or they may be needed for sectoral research for our online content (participation is always voluntary);
- offering you free trials or demos of new products or services for our legitimate interests of informing you about a product or service we think you will find useful and growing our business;
- operating our ‘invite a colleague’ or ‘ask for work experience’ function where your colleague has indicated you have consented to this and you are an existing member;
- offering you the opportunity to take part in competitions and promotions;
- We do not track your online behaviour once you leave our Site. We may use information which we hold about you to show you relevant advertising on popular third-party sites (e.g. LinkedIn, Facebook, Google, Instagram, Snapchat and Twitter). This could involve showing our members an advertising message on a third party site. We do this by matching data with social media sites who create audiences for our advertising campaigns. If you don’t want to be shown targeted advertising messages from The Key, some third party sites allow you to request not to see messages from specific advertisers on that site in future. You can also contact us to request this at email@example.com or 0800 061 4500;
- offering you an extension to your subscription covering additional modules or products offered by our group as part of a wider related product suite. For example, our GovernorHub database and The Key databases are securely interlinked so that your basic account profile is shared (first name, last name and user ID) – this helps to ensure you can easily navigate around our entire suite of online content across our Group.
You may opt out of receiving marketing by amending your preferences. You can do this by calling the team on 0800 061 4500, emailing us at firstname.lastname@example.org, or by clicking the link on any marketing emails we may send you.
We may use analytics and business intelligence tools for the legitimate business interests of supporting our marketing function. This means:
- We use third party analytics providers (like Google Analytics) to analyse your use of our Site and what products may be of interest to you.
- We may analyse what social media sites you engage with and how you interact with them, as well as analysing the content of your social media professional profiles, and when we are in a social media group together we may use the content of the group for the legitimate interests of our business intelligence and to understand our customers’ needs. We may use information provided by these sites to enrich your profile – i.e. to understand better which product or service may be of interest to you as long as it is necessary and not excessive. We do not use automated decision making in relation to this activity that has a legal or significant effect on you and we always carry out due diligence on the providers for compliance with data protection laws. Please read the privacy policies of all social media sites you engage with for details of how they may share this information with us, for example by creating customised audiences. We may advertise to you as a result of this information (see above) but we never track the third party sites you visit after visiting our site.
- We may use third parties to send you marketing, news briefings or renewal reminders. We only ever choose third parties that meet our security requirements and comply with data protection laws. The Key requires these third parties to comply strictly with its instructions and The Key requires that they do not use your personal information for their own business purposes.
- We may use third party sources to match our data with theirs or to help cleanse our data if you have consented to this.
Some emails that we send you have no tracking in them at all, e.g. support or service emails. Other emails we send include tracking so that we can tell how much traffic those emails send to our site. In some emails we can track, at an individual level, whether the user has opened and clicked on links in the email.
7. Will The Key share my personal information with anyone else?
Within our group
There are times when we may share your information with other companies in our group – this will be relevant when some of our internal support services are shared across The Key group. It will also apply where we have your consent to give you access to online content forming part of a wider Group product suite and to market group company products and services to you.
In addition, we hope we will continue to expand. So, eventually, we may have additional group companies (we will all be owned by the same company, though). If this happens, we may want to share your information around our group so they can use it for the same internal purposes as we do, as described in this policy (for example marketing where we think this might be of interest to you or we might want to store our data on one server).
It is possible that we could sell our business to a third party, or re-organise our business or become insolvent. In that scenario, our database of customers is one of the biggest parts of that business, so we would need to share it with the buyer and their advisers.
With our service providers
Sometimes The Key uses third parties to process your information on our behalf, for example to provide services such as email deployment or cloud storage services or analysis of the technical data we use. We need these providers to provide us with their services for our legitimate interests of operating our business and our Site effectively. You can view the list of providers on our sub processors page. They fall into the following categories:
- Accounts and billing, payment and card providers (we do not view or store your card details in The Key’s system. Anyone involved with the processing, transmission, or storage of card data must comply with the Payment Card Industry Data Security Standards (PCI DSS));
- Sales fulfilment and customer support;
- Business intelligence analytics;
- Site usage analytics;
- Technical support;
- Survey providers;
- Marketing support;
- Legal, accounting and finance support;
- Cloud Infrastructure.
When we use the services of others it will be required in order to fulfil our obligations under our User Terms or it will be in the legitimate interests of growing our business and improving your use of our products and services.
With third party list providers
We may purchase information from third parties about you when we have confirmed that you have been told about this and we have undertaken appropriate due diligence on compliance. We will always process your data in compliance with data protection laws.
Will other end users be able to see my data?
Your account profile sets out the relevant permissions to access your data. Certain permitted administrators will be able (and must be able) to view certain information relating to your profile (such as the Lead User).
Permitted Users at your school can view certain information relating to your school’s information in the ‘My school’ section of certain of the sites, for example Compliance Tracker. This section includes a list of all the other Permitted Users at your school, including their first name, surname and role. This allows Permitted Users to see which of their colleagues are also registered, and to ensure they are eligible, in line with our General Terms and Conditions.
On occasion, or upon receiving a request, we will email the Lead User and/or the individual (or body) who authorised or organised membership on behalf of your school, to inform them that a new Permitted User has registered with us. This is intended to help ensure that people who register are eligible to use the service.
You can also set your preferences for certain products to allow us to share your references, training records or testimonials with third parties.
Some of our products offer a function to comment on an article or to add your own notes. Depending on the product, you may be asked for your permission to display your name, role and school, and you may be able to withhold this permission and instead be acknowledged anonymously using your role and a general description of your type of school and its broad geographical location (for example, headteacher, secondary school, East of England). Please check the individual products for details.
Sharing aggregated or anonymised information
In line with the organisational and technical measures and techniques of anonymisation and/or pseudonymisation advocated by the data protection laws, we may share aggregated or anonymised information within and outside of The Key – with members of our Group and with partners such as research groups, policy groups, the DfE, or Ofsted. You will not be able to be identified from this information.
We may also use and disclose information in aggregate (so that no individuals are identified) for marketing and strategic development purposes. We may use all or any part of your information and combine it with other users’ information to produce anonymous statistical data which we may use internally or share with third parties. Such data will not identify you or any other user personally. For example, such data may show: popularity of news items, popularity of discussion topics, demand for training materials, numbers of documents stored. These examples are illustrative only and are not intended to be an exhaustive list.
Disclosures required by law
We may also process your data where we have a legal duty to do so (this includes exchanging information with other companies and organisations for the purposes of fraud protection) or in connection with regulatory reporting, litigation or asserting or defending legal rights and interests.
8. Overseas Transfers of your data
The Key’s group companies are currently all located within the UK and our internal servers are there also or within the EEA.
The only occasions when we may transfer your personal data overseas are:
- Transfers to third parties we contract to manage your data (see the section on disclosures to third parties above). We always ensure that such transfers meet the requirements of data protection laws and that (a) such information is protected by suitable and legally approved safeguards and (b) that we are comfortable with the recipient’s security arrangements. For further details, please contact email@example.com.
- Transfers that are required by law.
9. Offensive or inappropriate content on our Site
The User Terms shall govern the behaviour, standards and acceptable uses of our Sites. If a User posts or uploads content which is disruptive or may reasonably be deemed to be offensive, inappropriate or objectionable or otherwise in breach of our User Terms, we may remove such content and may deny you access to the Site temporarily or permanently as we see fit.
Where we reasonably believe that you are or may be in breach of any applicable laws, in respect of hate-speech for example, we may disclose your personal information to relevant third parties, including to law enforcement agencies or your mobile phone operator or other internet communications provider and relevant third parties such as your school and other agencies about the content and your behaviour. We shall only do so in circumstances where such disclosure is permitted under applicable laws, including data protection law.
10. How long will The Key keep my information?
We will store the information linked to your account during the term for your subscription but we will keep this information under regular review to ensure we still need to use it.
We will disable your account if your account is terminated for any reason. We may then keep limited data about your account for a period in line with our data retention policy from time to time in force. To determine the appropriate period, we consider the amount of data, its nature and sensitivity, the potential for harm and whether we can achieve our purposes through other means as well as our applicable legal requirements. Details of our records retention policy are available upon request. We will regularly cleanse this data. We will also delete your data on your request though we may hold a list of the ‘opt out’ requests to administer your request.
11. How we protect your data
We have implemented reasonable and appropriate security measures to protect the data we hold about you on our servers including HTTPS and the industry standard for encryption and SSL technology. In addition, we are UKAS ISO27001 accredited from the Centre for Assessment (CfA) cert 19/0369. We undertake periodic internal and external audits to maintain the standard.
Unfortunately, the transmission of information via the internet is not completely secure and we cannot guarantee that data breaches will never occur. Please keep your account details and your Device safe from unauthorised use or intervention at all times – and remember to log out or close down stale or inactive pages after use.
You should not allow others to access your account, for example by sharing your login details with a colleague. All members of your school are entitled under the licensing agreement to set up their own account which they can do on the sites or by contacting the team on 0800 061 4500.
No website can be completely secure; if you have any concerns that your The Key account could have been compromised e.g. someone could have discovered your password, please get in touch straight away.
For security purposes only, in the future, we may require users to verify their credentials. We also reserve the right to contact the school in the event of any unusual or noteworthy login activity or patterns of usage. We won’t use this information for unexpected reasons.
We also do not recommend that you put email addresses, URLs, phone numbers, full names or addresses, holiday / home absence information, credit-card details or other identifying or sensitive information in any online messaging function now or in future.
12. Your rights
You have a number of rights in relation to the information that we hold about you as a data controller which are summarised below. You can exercise your rights by contacting us at firstname.lastname@example.org. You may also wish to contact your school for information they hold as a data controller:
- The right to be informed about our use of your data. This is met by this Policy.
- The right to access information we hold about you and to obtain information about how we process it (commonly known as a “data subject access request”). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it. Please note that we may ask you to specify what you wish to see in order to focus our search, and we may have to verify your identity/authority.
- In some circumstances, the right to withdraw your consent to our processing of your information, which you can do at any time. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.
- In some circumstances, the right to receive certain information you have provided to us in an electronic format and/or request that we transmit it to a third party.
- The right to request that we rectify your information if it’s inaccurate or incomplete though we may need to verify the accuracy of the new data you provide to us. At any time you can review, delete or change the information you submitted during registration by visiting the Your Account section once logged in (accessed by clicking on your profile). You should update your information if it changes.
- In some circumstances, the right to request that we erase your information where there is no good reason for us continuing to process it. We may continue to retain your information if we’re entitled or required to retain it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
- The right to object to, and to request that we restrict, our processing of your information in some circumstances for example where we are relying on our legitimate interests or using it for direct marketing. Again, there may be situations where you object to, or ask us to restrict, our processing of your information but we’re entitled to continue processing it and/or to refuse your request.
- Individuals have a right to complain to the UK Information Commissioner’s Office by visiting www.ico.org.uk, or to the data protection regulator in the country where they live or work.
Last Revised 22/09/2020.