PRIVACY POLICY
Marell Consulting Limited: Privacy Policy
Introduction
At Marell Consulting Limited we are committed to protecting your privacy. We have put in place this policy and will use the procedures described in this policy to protect any personal information we collect about you according to the requirements of the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679.
The purpose of this policy is to explain how we control, process, handle and protect your personal information. Please read this policy before signing a contract with Marell Consulting Limited; before giving us consent to process your personal information; before using our website at www.marellconsulting.co.uk.
Policy key definitions:
-
"I", "our", "us", or "we" refer to the business, Marell Consulting Limited
-
"you", "the user" refer to the person(s) using this website
-
GDPR means General Data Protection Act
-
PECR means Privacy & Electronic Communications Regulation
-
ICO means Information Commissioner's Office
-
Cookies mean small files stored on a user’s computer or device
-
Personal information is any information which identifies or can be used to identify an individual
Who we are and what we do
Marell Consulting Limited is a specialist consulting company offering school improvement, training and notification services for independent schools that are inspected by Ofsted. In order to carry out our core business and additional activities we collect and process data some of which is classified as personal information. We collect the personal information of the following types of people to enable us to carry out our business:
-
Leaders, managers and staff members of schools that are prospective clients
-
Leaders, managers and staff members of schools that are contracted clients
-
Suppliers who support our services
-
Prospective and current associates and temporary workers
Collecting Personal Information
We collect your personal information from:
-
our website – www.marellconsulting.co.uk when you use the site, complete our online contact form, buy our products and services
-
public sources such as your school website; the Ofsted website; the Department for Education website; social media accounts
-
you, when you contact us by phone or email; book a spot on one of our training workshops through Eventbrite; attend our training workshops; interact with us on Twitter or LinkedIn; subscribe to our newsletter
What personal information do we collect?
We collect, use, store and transfer different kinds of personal data about you which we have grouped together as follows:
-
Type of Personal Information
-
When and where we collect it
Identity Data which includes first name, last name, username or similar identifier, pupils’ dates of birth, UPN numbers, addresses
When we are looking for potential clients we can get your name and last name from your school website, Ofsted Website, DfE website, Social Media.
We also get identity data when you sign a contract with us and in the process of fulfilling the requirements of that contract.
We do also get identity data when you give it to us while you book a spot on our training workshops; when you contact us because someone recommended us; when you are enquiring about our services; when you are looking to work with us as an associate or temporary employee; when you want to offer your services to us as a supplier.
When you interact with us on our social media platforms
In the process of fulfilling the requirements of a contract with a school we might get this information if we are required to carry out processes such as analysing pupil outcomes; checking admissions registers; analysing attendance
Contact Data which includes email address; work email address in the format name.surname @company.co.uk; telephone/mobile number
Pupils’ Addresses;
When we are looking for potential clients we can get your contact data from your school website, Ofsted Website, DfE website, Social Media.
We also get contact data in the process of fulfilling the requirements of a contract.
We do also get contact data when you give it to us while you book a spot on our training workshops; when you contact us because someone recommended us; when you are enquiring about our services; when you are looking to work with us as an associate or temporary employee; when you want to offer your services to us as a supplier.
In the process of fulfilling the requirements of a contract with a school we might get this information if we are required to carry out processes like checking admissions registers
Financial Data which includes bank account and payment card details
When you buy products and services from us online.
Transaction Data which includes details about payments to and from you and other details of products and services you have purchased from us
When you buy products and services from us online.
Technical Data which includes [internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access this website].
When you are using our website.
Profile Data which includes your username and password, purchases or orders made by you, your interests, preferences, feedback and survey responses
When you buy products and services from us online
Marketing and Communications Data which includes your preferences in receiving marketing from us and your communication preferences
When we ask for your consent to send marketing emails, notification emails, our newsletter or when you contact us to opt out.
Usage Data which includes information about how you use our website, products and services. This information is collected using internet cookies
When you are using our website.
Internet cookies on our website
We use cookies on our website to provide you with a better user experience. We do this by placing a small text file on your device / computer hard drive to track how you use the website, to record or log whether you have seen particular messages that we display, to keep you logged into the website where applicable, to display relevant adverts or content, to refer you to a third-party website.
Some cookies are required to enjoy and use the full functionality of this website.
We use a cookie control system which allows you to accept the use of cookies, and control which cookies are saved to your device / computer. Some cookies will be saved for specific time periods, where others may last indefinitely. Your web browser should provide you with the controls to manage and delete cookies from your device, please see your web browser options.
Cookies that we use are;
Cookie name
Life span
Purpose
svSession
Persistent
Identifies unique visitors and tracks a visitor’s sessions on a site
hs
Session
Security
XSRF-TOKEN
Persistent
Security
smSession
Persistent (Two weeks)
Identifies logged in site members
TSxxxxxxxx (where x is replaced with a random series of numbers and letters)
Persistent
Security
TSxxxxxxxx_d (where x is replaced with a random series of numbers and letters)
Persistent
Security
Processing Personal Information
This is how we process your information:
-
recording names, contact information and other identifiers of potential and current associates, temporary workers, or clients
-
calling and sending promotional emails to potential clients
-
sending newsletters and notification emails to clients
-
corresponding by telephone and email with staff, managers and leaders of schools with which we have a contract
-
analysing, evaluating, summarising, reporting on the data of the stakeholders of schools in order to fulfil the requirements of our contract. Stakeholders include pupils, staff, managers, leaders, parents, referral agencies, vocational training providers
-
publishing client feedback and case studies on the company website or other promotional material with names, roles, photographs attached
Lawful bases for processing your personal information
Under the GDPR we control and process any personal information about you electronically using the following lawful bases: Legitimate Interests, Consent and Contract
Legitimate Interests: We use identity and contact information that we collect from public sources such as Ofsted, the Department for Education and school websites to market our services to potential clients.
Why and how we use this basis:
The potential clients for our main service – school improvement consultancy – are school leaders and they are not accessible via generic company email addresses. In order to send them marketing emails we need their direct email addresses, and these are usually in the format name.surname@school.co.uk.
We contact school leaders via direct email then follow up with a phone call. The email we send has a section where the receiver is given an option to:
-
opt out of receiving future marketing emails
-
opt in to receiving future marketing emails
-
opt in to receiving our monthly newsletters
-
opt in to receiving notification emails informing them about changes in legislation, guidance, and advice that affect their school
Data retention period: Since we ask for your consent for future marketing and give you the option to opt-out in the first email we send you, we will continue to process your information under this basis until you withdraw consent, or it is determined your consent no longer exists
Sharing your information: We may share your data with external third parties such as our email marketing service provider MailChimp. This information will only be shared for as long as we have your consent.
Consent: as described above we will ask you to give clear consent for us to process your personal data for specific purposes.
Why and how we use this basis:
-
If you are not in contract with Marell Consulting Limited but would like to receive newsletters and notification emails, we will ask you to give clear consent to allow us to record your personal information on our mailing lists and send you newsletters and notification emails. Any email marketing messages we send are sent either manually or through MailChimp, our email marketing service provider. Email marketing messages that we send may contain tracking beacons or tracked clickable links or similar server technologies in order to track subscriber activity within email marketing messages. Where used, such marketing messages may record a range of data such as; times, dates, I.P addresses, opens, clicks, forwards, geographic and demographic data. Such data, within its limitations will show the activity each subscriber made for that email campaign.
All email marketing messages we send are in accordance with the GDPR and the PECR. We provide you with an easy method to withdraw your consent (unsubscribe) or manage your preferences or the information we hold about you at any time.
-
In order to publish your feedback about our services on our website or on promotional materials, with your name, role and in some cases your photograph attached, we will ask you to give clear consent about where the information will be published and if your name, role and photograph can be used.
Data retention period:
We will continue to process your information under this basis until you withdraw consent, or it is determined your consent no longer exists.
Sharing your information: We may share your data with external third parties such as our email marketing service provider MailChimp. This information will only be shared for as long as we have your consent.
Contract: It is not possible for us to fulfil our contractual duties without collecting and processing personal information. In order to provide school improvement services, we need to collect and process the following types of personal information:
-
identity and contact data to register you as a new client; communicate with members of your organisation such as Senior Management Team, Governors/Trustees, Teachers, Non-teaching staff
-
identity data during key procedures such as lesson observations; performance management; CPD training
-
identity data during procedures such as checking compliance with the standards governing records like the Single Central Register and the Admissions Register; analysing pupil outcomes and attendance; scrutinising pupils work; evaluating the extent to which the outcomes set on EHC plans (Education, Health and Care plans) are met; analysing survey responses from stakeholders
Data retention period: We shall continue to process your information until the contract between us ends or is terminated under any contract terms.
Sharing your information: We do not share personal information collected under contract with third parties unless you opt in to receiving our newsletter and notification emails in which case your personal information may be shared with our email marketing service provider MailChimp.
Your individual rights
Under the GDPR you have the right to:
-
Be informed about the collection and use of your data including: the purposes for processing your personal data, the retention periods for that personal data, and who it will be shared with.
-
Request access to your personal information. This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.
-
Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
-
Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below).
-
Object to processing of your personal information where we are relying on a legitimate interest (or those of a third party). You also have the right to object where we are processing your personal information for direct marketing purposes.
-
Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it.
-
Request the transfer of your personal information to another party.
We handle all requests related to the above rights in accordance with the GDPR timeframes. You also have the right to complain to the ICO [www.ico.org.uk] if you feel there is a problem with the way we are handling your data. We are registered with the ICO under the Data Protection Register, our registration number is: ZA458605.
Data security and protection
We ensure the security of any personal information we hold by using secure data storage technologies and precise procedures in how we store, access and manage that information. Our methods meet the GDPR requirements.
Storage and security of information collected on our website
Our company is hosted on the Wix.com platform. Wix.com provides us with the online platform that allows us to sell our products and services to you. Your data may be stored through Wix.com’s data storage, databases and the general Wix.com applications. They store your data on secure servers behind a firewall.
All direct payment gateways offered by Wix.com and used by our company adhere to the standards set by PCI-DSS as managed by the PCI Security Standards Council, which is a joint effort of brands like Visa, MasterCard, American Express and Discover. PCI-DSS requirements help ensure the secure handling of credit card information by our store and its service providers.
Storage and security of information collected by all other means
We have put in place a variety of measures in place to store your personal information securely and ensure that:
-
the data can be accessed, altered, disclosed or deleted only by those who are authorised to do so and that those people only act within the scope of the authority they are given
-
the data is accurate and complete in relation to the reason for processing and
-
the data remains accessible and usable for example - if personal data is accidentally lost, altered or destroyed, we are able to recover it and therefore prevent any damage or distress to you.
Data stored electronically:
Your personal information is stored on the Macintosh Hard Drives of our MacBooks. These hard drives are protected by:
-
FileVault which protects the information on the drive by encrypting its contents automatically
-
Firewalls which are set up to prevent unauthorised applications, programmes and services from accepting incoming connections
-
Passwords which are required to gain access
Data on the hard drives is backed up on Apple’s iCloud which can only be accessed using two-factor authentication: the AppleID password of the administrator and verification of the identity of the administrator using one of the company’s trusted devices.
It is also backed up on external hard drives which are kept in a secure location. Access to the drives is protected by the administrators’ password.
All Associates who process personal information on behalf of Marell Consulting Limited are required to demonstrate that they have security measures of similar rigour as described above on their laptops before any data is passed on to them for the purpose of fulfilling our contractual obligations. Associates are required to permanently delete any copies of personal data on their systems after they have processed and transferred it back to us.
Data stored on paper:
-
is scanned for backup
-
is filed by client and files are labelled using abbreviations
-
is kept in a secure location accessible only by those are authorised to do so
-
Is shredded after processing if it does not need to be filed
Personal data breaches
If any personal data is lost, destroyed, corrupted or disclosed; if someone accesses the data or passes it on without proper authorisation; or if the data is made unavailable, for example, when it has been encrypted by ransomware, or accidentally lost or destroyed we will notify ICO within 72 hours as required under GDPR. We will carefully assess the risk to you as an individual and notify you without delay as soon as it is determined that the breach is likely to result in a high risk your rights and freedoms. We will give you advice about the steps you can take to protect yourself from the breach.
Resources & further information
Overview of the GDPR - General Data Protection Regulation