Data Protection Policy

SpeakEasi is committed to protecting your privacy and we comply fully with UK and EU data protection law (GDPR). We have put in place physical, electronic and operational procedures intended to safeguard and secure the information we collect. All SpeakEasi staff have a legal duty to respect the confidentiality of your information, and access to your personal details is restricted only to those who have a reasonable need to access it.

We (“SpeakEasi” and/or “us” or “we”) is the trading name of Training for Learning Ltd, which provides online and consultancy services (the “Services”) to customers who are schools and other educational establishments (“School customer” or “you”) to help them teach Modern Foreign Languages. We are a company registered in England and Wales whose registered office is at Centre Of Excellence Hope Park, Trevor Forster Way, Bradford, West Yorkshire, England, BD5 8HH, United Kingdom and our company number is 04565466.

The information below should be read in addition to our Privacy Policy, and outlines specific information relevant to certain aspects of our GDPR compliance. Training for Learning Ltd is registered with the Independent Commissioners Office, registration reference no: ZA813640. A copy of this certificate can be downloaded here.

Introduction

In order to carry out our Services for our customers, SpeakEasi needs to process certain limited Personal Data about teachers and students which it obtains from its schools. This statement explains how we protect this Personal Data.

SpeakEasi’s Data Protection Manager

SpeakEasi has appointed a Data Protection Manager who will deal with all requests and enquiries concerning SpeakEasi’s uses of School Personal Data and endeavour to make sure that all School Personal Data is processed in compliance with regulations such as the GDPR, FERPA, COPPA etc.

Requests and enquiries should be sent to the Data Protection Managers at privacy@speakeasi.net.

Types of Personal Data we process

We only process Personal Data for the specific purpose of providing the Services to our customers.

We only process the absolute minimum of Personal Data to provide the Services.

As much as possible we keep Personal Data accurate and up-to-data (though we do expect teachers to let us know of name changes, spelling errors or class changes etc).

We only keep Personal Data for as long as is necessary to perform the services of the contract.

We make absolutely sure that all Personal Data collected and held is kept as secure as possible against any data breach.

Because we are an innovative and fast-moving EdTech company it is very important that we apply the principles of GDPR to all future projects. As such the Data Protection Manager will carry out Data Protection Impact Assessments on any new project to check that it will be GDPR compliant.

The types of Personal Data processed by SpeakEasi will include:

  • Names, email addresses, telephone numbers (where given) and passwords (cryptographically hashed) of teachers.
  • Names or aliases, email addresses or usernames and passwords (cryptographically hashed) of students.
  • Names, email addresses, telephone numbers, addresses, financial information and other personal details of SpeakEasi employees.

SpeakEasi is given this Personal Data by the School via its teachers and IT staff. We do not share Personal Data (either Student or Teacher) with any third parties.

SpeakEasi makes use of a number of publicly viewable leaderboards on our Site. We use these to encourage students, classes and teachers. All leaderboards are reset each week. Customers can choose to opt out of being displayed in any leaderboard.

Where Personal Data is kept

Our website is hosted in the EEA and as such School Personal Data is not normally transferred outside of the EEA.

Protecting your data

We take the protection of School Personal Data extremely seriously and we always have. In particular we have taken appropriate technical and organisational steps to ensure the security of School Personal Data, including company policies around the use of technology and devices and access to third party management software. All SpeakEasi employees and contractors have a copy of this policy, have been made aware of their duties under the GDPR and have received relevant training in how to protect your Personal Data. Such duties include but are not limited to:

Email – as much as possible we avoid transferring any Personal Data over email.

Printouts – we make every effort not to print out any Personal Data. If we do for the purposes of carrying out the services we will shred such data once it is no longer needed.

Storage – any Personal Data the company holds is stored on secure local devices or in third-party cloud services which have the sufficient level of data protection as is required by regulations such as the GDPR, FERPA and COPPA.

Backups – SpeakEasi carries out backups of our Database on a daily basis. These backups are automated.

Disposal – when Personal Data is no longer needed for the purposes of carrying out the contract such Personal Data will be securely deleted and disposed of.

Sharing Personal Data – no Personal Data may be shared informally and only those employees or contractors who need access to Personal Data will be given access to it.

IT Security – we have a comprehensive internal Information Security Policy which all SpeakEasi employees and contractors must abide by.

Our organisation

We are a small company and all of our employees are appropriately trained up in this policy. SpeakEasi is committed not only to the letter of the law, but also to the spirit of the law and places high importance on the correct, lawful and fair handling of all Personal Data, respecting the legal rights, privacy and trust of individuals with whom we deal.

Data breaches

All Personal Data breaches must be reported immediately to SpeakEasi’s Data Protection Manager. If a Personal Data breach occurs that is likely to result in a risk to the rights and freedoms of our customers, the Data Protection Managers will liaise with the School to ensure that the Information Commissioner’s Office is informed of the breach without delay and, in any event, within 72 hours after having become aware of it.

Implementation policy

This Policy shall be deemed effective as of 20 May 2018. No part of this Policy shall have retroactive effect and shall thus apply only to matters occurring on or after this date.