General Data Protection Regulation (GDPR)

This page covers the compliance for Pamoja Education Ltd (PJE), its subsidiaries and affiliates, including oxfordstudycourses.com.

 

The General Data Protection Regulation, known as GDPR, went into effect on May 25, 2018. It is the most sweeping legislation in the last two decades focused on data security and privacy, and significantly updates, extends, and harmonises data protection legislation across the EU/EEA. 

To read more about GDPR, please click here.

PJE has been committed to data privacy for over 10 years and welcomes the new regulation. PJE has been GDPR compliant since May 2018.

 

All adjustments for the Brexit agreement will be made to link to the UK GDPR as the unified accords are agreed.

 

Who is subject to GDPR?

Individuals, organisations and companies that control or process personal data are subject to GDPR. In broad terms, there are three different actors:

• Data subjects (students, families, Staff and agents)
• Data controllers (the Customer)
• Data processors (systems like OSC Platform, ManageBac, OpenApply & SchoolsBuddy)

As a data processor, we do not decide the purpose or lawfulness of the data we process and store. We are trustees acting on our customers’ behalf. As data controller the Customer remains ultimately responsible for deciding what data enters our systems. However, GDPR regulations do impose new and stricter regulations on processors. We will fully comply with these requirements for all of our services, including all OSC platform elements, ManageBac, OpenApply, SchoolsBuddy, and Integration partners.

 

How is GDPR different from previous data protection laws?

Key areas of difference centre on increased accountability for companies, greater access to personal data for individuals, and higher penalties for non-compliance. 

GDPR explicitly lays out key rights of data subjects:

• right to be informed
• right of rectification
• right of erasure
• right to restrict processing
• right of data portability
• right to object
• right of access

These rights form the framework for interactions between the data subject, controller, and processor. While the controller (Customer) remains responsible for respecting these rights, the processor (us) may assist in accomplishing these tasks.

The penalties for non-compliance are not insubstantial. The Information Commissioner’s Office (ICO) is responsible for enforcing GDPR and has a broad range of powers to do so.

 

What kind of data is covered, and what information is PJE allowed to collect?

All personal data concerning an individual (data subject) is included under GDPR. Specifically, personal data that allows an individual to be identified — for example name, address, phone number, photo, etc. — is included under GDPR.

Even if personal data has been encrypted, pseudonymised, or anonymized, it may still fall under the scope of GDPR if the data can still be used to identify a specific individual. 

Examples of personal data that OSC collects and stores includes:

• Names
• Addresses
• E-mail Addresses
• Phone Numbers
• ID Numbers (passport, national ID, SSN)

 GDPR specifies six lawful bases for collecting personal data:

• Consent 
• Written contract
• Legal obligation
• Vital interests
• Public tasks
• Legitimate interests 

 For most companies, the legal basis for data collection relates to either legal obligations as learning institutions, or to legitimate interests. 

Most of the bases require that the data processing is necessary, i.e. if you can reasonably achieve the same results and purpose without processing data, then you do not have a lawful basis.

 

Is PJE GDPR-compliant?

Yes, PJE has been designed from the start with personal data protection in mind as a default, and we pride ourselves on offering schools, students, and parents the highest level of security.

We have spent the lead up to May 2018 analysing the new requirements and making changes in our services and internal workflows.

As a part of our commitment to GDPR, PJE will:

• Ensure organisational and technical security for all services.
• Assist with documentation to demonstrate compliance and keep users informed.
• Provide contract addenda that comply with GDPR requirements for Data Processing Agreements (DPA)
• Offer support when your users exercise their data subject rights.

 

I have heard that PJE is not secure enough under GDPR! Is this true?

GDPR does not specify precise security requirements for cloud-based services. As a data processor, we have a shared responsibility with our Customers (controllers) to provide appropriate organisational and technical security, and be able to demonstrate it. GDPR strengthens the liabilities and penalties for companies that are unable to demonstrate those security protocols.

For over a decade, PJE has successfully protected data from millions of users. We continue to invest in organisational security, network and infrastructure security, and application security to ensure we can offer world-class security beyond standard requirements. We are careful not to provide explicit detail about our security measures but our standard protocols include:

• Application security: traffic encryption, strongly hashed passwords, safeguards against vulnerabilities such as cross site scripting, SQL injections, phishing and others.
• Network security: firewalls and systems to detect suspicious behaviour, stop malicious attempts to gain access, or compromise the resilience of the service (e.g. DDOS attacks).
• Organisational security: access policies, audit logs and confidentiality agreements.
• Physical security: preventing unauthorized access to infrastructure processing personal data.
• Procedural security: IT management processes to minimize the risk of human errors, or testing regimes to identify software weaknesses before releasing new features to our cloud services, or policies to ensure data is only processed on instruction from our customers.

 

How does PJE obtain personal data about users, and how is it used?

User data is submitted to our platforms in three ways:

1. directly by the users
2. by representatives authorised by the users
3. via an integration with a third-party system

 Data typically enters our systems via “course application system”. We use personal data under our protection only when we receive direct instructions from the Customer. The data stored on our systems belongs directly to our Customers, and only a handful of PJE staff have access to personal data under strict confidentiality and security. We process personal data independently only if it is vital to the integrity or security of the service, or to analyze or evaluate the quality of the service provided.

 

Can any of our users request data deletion under the “right to be forgotten”?

Likely not. A data deletion request is valid only if the lawful basis of the processing is Consent (see above), or if the original purpose is no longer valid. Our Data Protection Officer can also assist with advice in difficult cases. If a data subject is granted the right to be deleted, PJE will, either through our software or our support services, help execute these rights and confirm the deletion.

 

When does PJE delete personal data?

PJE deletes personal data when instructed by our Customers, or if the contract between us and the Customer is terminated. The procedures around deleting Customer data upon termination of service should be provided in writing or in a Data Processor Agreement. An instruction to delete a user in our services can either be manually performed in the platform by a Customer representative or upon request to our support team. When users are deleted in our systems, there are safeguards in place to prevent errors leading to an irreplaceable loss of data. In many cases customers will have to manually confirm the deletion of customer data, including personal data.

 

Does PJE send data to third parties?

Yes, PJE may send sensitive data to a third party for the purpose of fulfilling the contract of services as requested by the Customer and only under secure transport and to the point needed.

 

Will PJE notify users if a data breach has occurred?

Depending on the nature of the data breach, our customers might be required to promptly notify both the users affected and the supervising authorities. PJE is required to notify its customers when becoming aware of a data breach, and to help them in fulfilling obligations in notifying users.

 

Can I require a cloud service provider, like PJE, to only host personal data in my country?

One of the GDPR’s primary objectives is the free flow of personal data inside the European Economic Area (EEA), under one common regulation. In most cases, restricting vendors in processing data across the EEA would not be permitted under GDPR.

 

Does PJE process data outside the EEA? Is it allowed to process data outside the EEA?

GDPR does not forbid personal data to flow outside the EEA, but expects that any data processing outside the EEA is done following the same principles. 

In addition, controllers or processors that process data outside the EEA must provide detailed information about the nature of the processing. In some cases, they must also allow customers or users to object to the processing.

 

Does GDPR impact customers outside the EU?

Not legally. The EU, obviously, has no legislative power over other jurisdictions. GDPR does not offer any rights or freedoms to data subjects located outside the EU, and does not put obligations on non-EU customers that do not process data on EU/EEA data subjects. 

However, PJE offers, for the most part, the same services and same level of security to all our customers. In other words, no matter where you are located, you will benefit from our approach to security of personal data under GDPR. 

 

Who do I contact with further questions?

 

 In addition to monitoring our own compliance and providing advice and training to our own staff, our DPO will be available to our customers and their DPOs to discuss data privacy issues.The DPO can be reached at [email protected]. 

 

Please note that any communication with our DPO must be in English.