PRIVACY POLICY

Marell Consulting Limited: Privacy Policy

 

Introduction

At Marell Consulting Limited we are committed to protecting your privacy. We have put in place this policy and will use the procedures described in this policy to protect any personal information we collect about you according to the requirements of the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679.

 

The purpose of this policy is to explain how we control, process, handle and protect your personal information. Please read this policy before signing a contract with Marell Consulting Limited; before giving us consent to process your personal information; before using our website at www.marellconsulting.co.uk.

 

Policy key definitions:

 

  • "I", "our", "us", or "we" refer to the business, Marell Consulting Limited

  • "you", "the user" refer to the person(s) using this website

  • GDPR means General Data Protection Act

  • PECR means Privacy & Electronic Communications Regulation

  • ICO means Information Commissioner's Office

  • Cookies mean small files stored on a user’s computer or device

  • Personal information is any information which identifies or can be used to identify an individual

 

Who we are and what we do

Marell Consulting Limited is a specialist consulting company offering school improvement, training and notification services for independent schools that are inspected by Ofsted. In order to carry out our core business and additional activities we collect and process data some of which is classified as personal information. We collect the personal information of the following types of people to enable us to carry out our business:

  • Leaders, managers and staff members of schools that are prospective clients

  • Leaders, managers and staff members of schools that are contracted clients

  • Suppliers who support our services

  • Prospective and current associates and temporary workers

 

Collecting Personal Information

We collect your personal information from:

  • our website – www.marellconsulting.co.uk when you use the site, complete our online contact form, buy our products and services

  • public sources such as your school website; the Ofsted website; the Department for Education website; social media accounts

  • you, when you contact us by phone or email; book a spot on one of our training workshops through Eventbrite; attend our training workshops; interact with us on Twitter or LinkedIn; subscribe to our newsletter

 

What personal information do we collect?

 

We collect, use, store and transfer different kinds of personal data about you which we have grouped together as follows:

 

  • Type of Personal Information

  • When and where we collect it

Identity Data which includes first name, last name, username or similar identifier, pupils’ dates of birth, UPN numbers, addresses

 

When we are looking for potential clients we can get your name and last name from your school website, Ofsted Website, DfE website, Social Media.

 

We also get identity data when you sign a contract with us and in the process of fulfilling the requirements of that contract.

 

We do also get identity data when you give it to us while you book a spot on our training workshops; when you contact us because someone recommended us; when you are enquiring about our services; when you are looking to work with us as an associate or temporary employee; when you want to offer your services to us as a supplier.

 

When you interact with us on our social media platforms

In the process of fulfilling the requirements of a contract with a school we might get this information if we are required to carry out processes such as analysing pupil outcomes; checking admissions registers; analysing attendance

 

Contact Data which includes email address; work email address in the format name.surname @company.co.uk; telephone/mobile number

Pupils’ Addresses;

 

When we are looking for potential clients we can get your contact data from your school website, Ofsted Website, DfE website, Social Media.

 

We also get contact data in the process of fulfilling the requirements of a contract.

 

We do also get contact data when you give it to us while you book a spot on our training workshops; when you contact us because someone recommended us; when you are enquiring about our services; when you are looking to work with us as an associate or temporary employee; when you want to offer your services to us as a supplier.

 

 

In the process of fulfilling the requirements of a contract with a school we might get this information if we are required to carry out processes like checking admissions registers

 

Financial Data which includes bank account and payment card details

 

When you buy products and services from us online.

Transaction Data which includes details about payments to and from you and other details of products and services you have purchased from us

 

When you buy products and services from us online.

Technical Data which includes [internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access this website].

 

When you are using our website.

Profile Data which includes your username and password, purchases or orders made by you, your interests, preferences, feedback and survey responses

 

When you buy products and services from us online

Marketing and Communications Data which includes your preferences in receiving marketing from us and your communication preferences

 

When we ask for your consent to send marketing emails, notification emails, our newsletter or when you contact us to opt out.

Usage Data which includes information about how you use our website, products and services. This information is collected using internet cookies

 

When you are using our website.

 

Internet cookies on our website

We use cookies on our website to provide you with a better user experience. We do this by placing a small text file on your device / computer hard drive to track how you use the website, to record or log whether you have seen particular messages that we display, to keep you logged into the website where applicable, to display relevant adverts or content, to refer you to a third-party website.

 

Some cookies are required to enjoy and use the full functionality of this website.

 

We use a cookie control system which allows you to accept the use of cookies, and control which cookies are saved to your device / computer. Some cookies will be saved for specific time periods, where others may last indefinitely. Your web browser should provide you with the controls to manage and delete cookies from your device, please see your web browser options.

 

Cookies that we use are;

 

Cookie name

 

Life span

Purpose

svSession

Persistent

Identifies unique visitors and tracks a visitor’s sessions on a site

hs

Session

Security

XSRF-TOKEN

Persistent

Security

smSession

Persistent (Two weeks)

Identifies logged in site members

TSxxxxxxxx (where x is replaced with a random series of numbers and letters)

Persistent

Security

TSxxxxxxxx_d (where x is replaced with a random series of numbers and letters)

Persistent

Security

 

Processing Personal Information

This is how we process your information:

  • recording names, contact information and other identifiers of potential and current associates, temporary workers, or clients

  • calling and sending promotional emails to potential clients

  • sending newsletters and notification emails to clients

  • corresponding by telephone and email with staff, managers and leaders of schools with which we have a contract

  • analysing, evaluating, summarising, reporting on the data of the stakeholders of schools in order to fulfil the requirements of our contract. Stakeholders include pupils, staff, managers, leaders, parents, referral agencies, vocational training providers

  • publishing client feedback and case studies on the company website or other promotional material with names, roles, photographs attached

 

Lawful bases for processing your personal information

Under the GDPR we control and process any personal information about you electronically using the following lawful bases: Legitimate Interests, Consent and Contract

 

Legitimate Interests: We use identity and contact information that we collect from public sources such as Ofsted, the Department for Education and school websites to market our services to potential clients.

 

Why and how we use this basis:

The potential clients for our main service – school improvement consultancy – are school leaders and they are not accessible via generic company email addresses. In order to send them marketing emails we need their direct email addresses, and these are usually in the format name.surname@school.co.uk.

 

We contact school leaders via direct email then follow up with a phone call. The email we send has a section where the receiver is given an option to:

  • opt out of receiving future marketing emails

  • opt in to receiving future marketing emails

  • opt in to receiving our monthly newsletters

  • opt in to receiving notification emails informing them about changes in legislation, guidance, and advice that affect their school

 

Data retention period: Since we ask for your consent for future marketing and give you the option to opt-out in the first email we send you, we will continue to process your information under this basis until you withdraw consent, or it is determined your consent no longer exists

 

Sharing your information: We may share your data with external third parties such as our email marketing service provider MailChimp. This information will only be shared for as long as we have your consent.

 

Consent: as described above we will ask you to give clear consent for us to process your personal data for specific purposes.

 

Why and how we use this basis:

  • If you are not in contract with Marell Consulting Limited but would like to receive newsletters and notification emails, we will ask you to give clear consent to allow us to record your personal information on our mailing lists and send you newsletters and notification emails. Any email marketing messages we send are sent either manually or through MailChimp, our email marketing service provider. Email marketing messages that we send may contain tracking beacons or tracked clickable links or similar server technologies in order to track subscriber activity within email marketing messages. Where used, such marketing messages may record a range of data such as; times, dates, I.P addresses, opens, clicks, forwards, geographic and demographic data. Such data, within its limitations will show the activity each subscriber made for that email campaign.

All email marketing messages we send are in accordance with the GDPR and the PECR. We provide you with an easy method to withdraw your consent (unsubscribe) or manage your preferences or the information we hold about you at any time.

 

  • In order to publish your feedback about our services on our website or on promotional materials, with your name, role and in some cases your photograph attached, we will ask you to give clear consent about where the information will be published and if your name, role and photograph can be used.

 

Data retention period:

We will continue to process your information under this basis until you withdraw consent, or it is determined your consent no longer exists.

 

Sharing your information: We may share your data with external third parties such as our email marketing service provider MailChimp. This information will only be shared for as long as we have your consent.

 

Contract: It is not possible for us to fulfil our contractual duties without collecting and processing personal information. In order to provide school improvement services, we need to collect and process the following types of personal information:

  • identity and contact data to register you as a new client; communicate with members of your organisation such as Senior Management Team, Governors/Trustees, Teachers, Non-teaching staff

  • identity data during key procedures such as lesson observations; performance management; CPD training

  • identity data during procedures such as checking compliance with the standards governing records like the Single Central Register and the Admissions Register; analysing pupil outcomes and attendance; scrutinising pupils work; evaluating the extent to which the outcomes set on EHC plans (Education, Health and Care plans) are met; analysing survey responses from stakeholders

 

Data retention period: We shall continue to process your information until the contract between us ends or is terminated under any contract terms.

 

Sharing your information: We do not share personal information collected under contract with third parties unless you opt in to receiving our newsletter and notification emails in which case your personal information may be shared with our email marketing service provider MailChimp.

 

Your individual rights

Under the GDPR you have the right to:

 

  • Be informed about the collection and use of your data including: the purposes for processing your personal data, the retention periods for that personal data, and who it will be shared with.

  • Request access to your personal information. This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.

  • Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.

  • Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below).

  • Object to processing of your personal information where we are relying on a legitimate interest (or those of a third party). You also have the right to object where we are processing your personal information for direct marketing purposes.

  • Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it.

  • Request the transfer of your personal information to another party.

 

We handle all requests related to the above rights in accordance with the GDPR timeframes.  You also have the right to complain to the ICO [www.ico.org.uk] if you feel there is a problem with the way we are handling your data. We are registered with the ICO under the Data Protection Register, our registration number is: ZA458605.

 

Data security and protection

We ensure the security of any personal information we hold by using secure data storage technologies and precise procedures in how we store, access and manage that information. Our methods meet the GDPR requirements.

 

Storage and security of information collected on our website

Our company is hosted on the Wix.com platform. Wix.com provides us with the online platform that allows us to sell our products and services to you. Your data may be stored through Wix.com’s data storage, databases and the general Wix.com applications. They store your data on secure servers behind a firewall. 
All direct payment gateways offered by Wix.com and used by our company adhere to the standards set by PCI-DSS as managed by the PCI Security Standards Council, which is a joint effort of brands like Visa, MasterCard, American Express and Discover. PCI-DSS requirements help ensure the secure handling of credit card information by our store and its service providers.

 

Storage and security of information collected by all other means

We have put in place a variety of measures in place to store your personal information securely and ensure that:

  • the data can be accessed, altered, disclosed or deleted only by those who are authorised to do so and that those people only act within the scope of the authority they are given

  • the data is accurate and complete in relation to the reason for processing and

  • the data remains accessible and usable for example - if personal data is accidentally lost, altered or destroyed, we are able to recover it and therefore prevent any damage or distress to you.

 

Data stored electronically:

Your personal information is stored on the Macintosh Hard Drives of our MacBooks. These hard drives are protected by:

  • FileVault which protects the information on the drive by encrypting its contents automatically

  • Firewalls which are set up to prevent unauthorised applications, programmes and services from accepting incoming connections

  • Passwords which are required to gain access

 

Data on the hard drives is backed up on Apple’s iCloud which can only be accessed using two-factor authentication: the AppleID password of the administrator and verification of the identity of the administrator using one of the company’s trusted devices.

 

It is also backed up on external hard drives which are kept in a secure location. Access to the drives is protected by the administrators’ password.

 

All Associates who process personal information on behalf of Marell Consulting Limited are required to demonstrate that they have security measures of similar rigour as described above on their laptops before any data is passed on to them for the purpose of fulfilling our contractual obligations. Associates are required to permanently delete any copies of personal data on their systems after they have processed and transferred it back to us.

 

Data stored on paper:

  • is scanned for backup

  • is filed by client and files are labelled using abbreviations

  • is kept in a secure location accessible only by those are authorised to do so

  • Is shredded after processing if it does not need to be filed

 

Personal data breaches

If any personal data is lost, destroyed, corrupted or disclosed; if someone accesses the data or passes it on without proper authorisation; or if the data is made unavailable, for example, when it has been encrypted by ransomware, or accidentally lost or destroyed we will notify ICO within 72 hours as required under GDPR. We will carefully assess the risk to you as an individual and notify you without delay as soon as it is determined that the breach is likely to result in a high risk your rights and freedoms. We will give you advice about the steps you can take to protect yourself from the breach.

 

 

Resources & further information

Overview of the GDPR - General Data Protection Regulation

Data Protection Act 2018

Privacy and Electronic Communications Regulations 2003

The Guide to the PECR 2003

Twitter Privacy Policy

LinkedIn Privacy Policy

Mailchimp Privacy Policy

School Improvement Consultants 

Copyright ©2019 Marell Consulting Limited. All rights reserved

  • Facebook Social Icon
  • LinkedIn Social Icon
  • Twitter Social Icon