Processing of Personal Data for Virtual Work Experience and Subject Spotlights
For Springpod to deliver its market-leading and innovative services, it must use certain information. When considered together with Springpod's Privacy Notice, this notice gives you more detailed information about what data is processed, under what lawful basis and how it is secured.
What information is processed?
Student data
For a student to have an account on springpod.com, they need to input the following pieces of information:
Mandatory information
Basic Information Required for an account:
Name
Email Address (2 step validated)
Username
Password (created by the user)
Age
Activity
Their activity on our platform
Education and work activity
Agreement to our T's & C's
Optional Information
We ask for this information, but it is not mandatory:
School
Year Group
Gender
Ethnicity
Parent data
For a parent to have an account on springpod.com, they need to input the following pieces of information:
Mandatory information
Basic Information Required for an account:
Name
Email Address (2 step validated)
Username
Password (created by the user)
Information relating to their child
Activity
Their activity on our platform
Agreement to our T's & C's
Teacher data
For a teacher to have an account on springpod.com, they need to input the following pieces of information:
Mandatory information
Basic Information Required for an account:
Name
Email Address (2 step validated)
Username
Password (created by the user)
The Education Provider that employs them
Their DPO and Safeguarding contact
Activity
Their activity on our platform
Agreement to our T's & C's
Partner data
For a partner hosting an experience on springpod.com, they need to input the following pieces of information:
Mandatory information
Basic Information Required for an account:
Name
Email Address (2 step validated)
Username
Password (created by the user)
The Business that employs them
Activity
Their activity on our platform
Agreement to our T's & C's
What's the lawful basis for processing?
Mandatory information is processed lawfully under the basis of necessity per GDPR Article 6, part 1(b) and optional.
Optional information is processed lawfully under the basis of legitimate Interest per GDPR Article 6, Part 1(f).
Special category information is processed lawfully under the lawful bases of legitimate interest, considering that the prohibition in GDPR Article 9 is exempt under GDPR Article 9, Part 2 (b) because the information is used for employment. One of the main reasons for this is that the Student remains in complete control of their data because they can object to processing carried out under legitimate interest.
Students are also allowed to give Springpod consent to use the information they have provided for marketing purposes, which may include sharing the information with third parties for marketing.
Student Data may be shared with Parents, Employers and Education providers under the lawful bases of necessity and/or legitimate interest where applicable, unless in the case of legitimate interest, the Student has objected to it.
Who is the Data Controller?
For providing the Work Experience
Because Springpod is delivering the work experience on behalf of the Employer, it is the Employer who is the Data Controller for the purpose of providing the work experience. Springpod will act as the Data Processor on behalf of the Employer.
For educational records
When records are shared with Education Providers, it is so that they can use it for education, so the Education Provider will be the data controller for the purpose of sharing information with them, and Springpod will be acting as the data processor on their behalf.
For the use of the Springpod platform
When anyone registers for an account on the Springpod Platform, Springpod will be the Data Controller, even though Springpod may be acting as a data processor for Education Providers or Employers at the same time for other purposes.
Why do we ask for Data Sharing Agreements?
Before sharing any information between Springpod and an education provider or Employer, a Data Sharing Agreement that governs the sharing must be agreed upon by both parties.
There are added checks in place before information can be shared between Springpod and an education provider, such as the name and contact information of their Data Protection Officer and Safeguarding Responsible Person so that we have that information ready to respond to any data subject requests or safeguarding concerns.
How does Springpod manage its data integrity?
Springpod takes their responsibility to protect personal data seriously, and have a suite of policies and processes to ensure that the best possible standards are applied.
Our Risk & Compliance Officer is a skilled and experienced Risk & Compliance professional employed to monitor our business and ensure compliance.
Springpod manages its business risk and compliance using a Risk Management Framework managed and overseen by the Risk & Compliance Officer.
The Risk Management Framework is backed up by a suite of policies and procedures broader than data protection that has been specifically designed to minimise risk and ensure regulatory compliance.
The Framework allows us to manage our business risk, regulatory compliance, incidents, and their parties centrally and for appropriate measures to ensure everyone's safety and security.
How does Springpod let people know about their processing?
Throughout the data collection process, people giving their information are told what data is needed and why, and where it's optional; they are told that they do not have to provide the information and that they can have it erased at any time.
Springpod have a public-facing privacy notice, which you can view here.
How is information shared?
Most of the time, the information that Springpod makes available to Employers and Education Providers to facilitate the Virtual Work Experience is given to us directly by Students themselves.
Occasionally we receive information from Education Providers and employers when it's appropriate and lawful.
Transfer of data in connection with provision of Springpod services
All information shared by Springpod is done so securely, and data in transit is encrypted.
Springpod's key Third Party suppliers
While we're happy to share this information with you as our client, the details of Springpod's third parties are confidential information, which must not be shared with anyone unless you have written permission from Springpod in advance.
Springpod uses several cloud-based Apps to manage its business and deliver its services. Where this is the case, we take care to ensure that those third parties comply with relevant data protection legislation and security requirements.
Security of Springpod's key Third Party suppliers
Google Workspace
Google Workspace has been built from the ground up to mitigate the unique threats to cloud systems. Google designed Google Workspace with very stringent privacy and security standards based on industry best practices with a robust contractual commitment regarding data ownership, data use, security, transparency and accountability. All users have Multi-Factor Authentication (MFA) employed. Data in transit is secured by transit Link Security (TLS) where possible.
Google undergoes several independent third-party audits regularly. The independent auditors examine the controls present in their data centres, infrastructure and operations. Examples of these audits and standards include: SOC1™, (SSAE-16/ISAE-3402), SOC2™, SOC3™, ISO 27001, ISO 27018:2014 and FedRAMP. Core customer data that is uploaded or created in Google Workspace services is encrypted at rest. This encryption happens as it is written to disk, and Google encrypts data with distinct encryption keys. Data is encrypted using 128-bit or stronger Advanced Encryption Standard (AES). Google encrypts core Google Workspace data while it is "in transit" as well, whether it is travelling over the Internet between the customer and Google or moving within Google as it shifts from one data centre to another. This data is encrypted using HTTPS with forward secrecy.
Amazon Web Services (AWS)
All users access Springpod's platform via a front end application that can access the data it needs via an authenticated API that uses a secure SSL connection encrypted with 2048 bit RSA key certificate issued by Amazon. We authenticate users on the platform rather than using a directory.
Authentication and authorisation on the back end ensure that users can only access the data that concerns them and is protected by strong user passwords that are combined with a salt and encrypted using a 128 bit AES cipher and base64 encoded using the tested and widely peer-reviewed Crypto library.
All access to the system is logged, both at the AWS network level and through the logging of authentication requests.
What do we need to do to make this compliant at our end?
As with any new project, there are a few things to think about to ensure that you are taking data protection into account.
What if I have more questions?
If you would like any more information about processing personal data to facilitate work experience, you can contact Springpod's Risk & Compliance Officer by:
Telephone: +44 (0)203 637 8665 (Ex. 230)
Email: dpo@springpod.com
And if you want further guidance on your own responsibility to comply with data protection regulations, there is a range of useful tools and guidance on the UK Information Commissioner's Office (ICO) website at www.ico.org