Executive Summary – Data Privacy
GovernorHub is committed to protecting your personal information when you are using GovernorHub services. We want our services to be safe and useful environments for our audience. This Privacy Notice applies to information held about you and individuals connected to your organisation by GovernorHub which acts as either a data controller or a processor depending on its role, as described below.
who we are and how to contact us;
how GovernorHub may collect data from you and other data sources;
the laws that apply to our use of your information;
our roles when handling your data;
what GovernorHub will use this information for and how it will protect it;
when GovernorHub may use your details to contact you with marketing;
whether GovernorHub will disclose your details to anyone else and in any overseas country; and
your choices regarding the personal information you provide to us.
We may need to update this policy and we will give you notice of this where reasonably possible; where you have given us your email address, we may use this to notify you of such changes and we will post a note on the sites to inform you that this policy has been updated. Please check this policy regularly to ensure you always understand how we use your information. All terms that are defined in this policy have the meanings given to them in the User Terms.
Last updated 19/10/2020.
Who we are and how to contact us
We are Ortoo Technologies Ltd trading as GovernorHub, (“GovernorHub”, “us”, “we” or “our”), a company registered in England at 3rd Floor, 80 Old Street, London EC1V 9HU with company number 8142817.
GovernorHub offers its users access to a range of online resources aimed at school governors. Our customers are schools, academies, trusts and local authorities or other resellers which purchase subscriptions to the service for their users.
We are part of the same group of companies as The Key (which offers online resources to school leaders, school governors and trust leaders) and ScholarPack (which offers a management information system to schools).
Our data protection lead (DPL) responsible for communicating with you about our use of your data can be contacted at firstname.lastname@example.org .
How we collect data from you and other data sources
from your use of our products and services;
from you accessing official GovernorHub content on other websites including social media.
You give us your personal data directly through registering for a free trial, setting up your user account profile and marketing preferences, commenting on content on our site, entering competitions and surveys, booking event tickets as well as personal information you provide to us by phone, SMS, livechat, email, in letters and other correspondence and in person. It may also include data contained in content and records you upload to the site.
The types of this direct information we collect about you may include:
Your name and job title;
Your user name;
Your email addresses;
Your postal address;
Telephone or mobile numbers;
Your marketing preferences;
Your user generated content;
Your billing details;
Information received from your linked school(s) / academies / trust at which you are registered as a user;
Details of your governor/trustee experience (what type you are, the dates of your term of office, your role, your access rights, your declarations of interest); and
We may also process your training records and DBS number records but we only do this as your processor and do not use this information for our own purposes.
In addition, GovernorHub may receive and process technical data about you through:
The information we get from your day to day use of the Site (for example frequency of visits, how long you spend on each page and the content you view, interact with, download and upload);
Your IP address (which is a number that can uniquely identify a specific computer or other network device on the internet) and other unique online identifiers such as Google Advertising IDs;
Your browser type;
Your device’s operating requirements and its settings and permissions;
We need this data to assist with customer and technical support, to verify your credentials and access levels and to help our business understand the way our users interact with our service.
We also may collect data from the following third-party data sources (provided such collection and use is in accordance with data protection laws):
any publicly available social media sources that may help us understand our audience and what products you might be interested in;
our third-party service providers (e.g. to tell us you have paid for a product or extended your renewal or that a support ticket has been closed);
our group companies (e.g. to tell us what products you are likely to find interesting);
other subscribers to our services (i.e. through our ‘invite a colleague’ referral function or other individuals at your school);
third party list providers.
The data protection laws and principles we honour
Whenever you provide us with your personal information, we are legally obliged to use your information in line with all applicable laws concerning the protection of personal information, including the UK Data Protection Act 2018 and the EC General Data Protection Regulation 2016/679 (“GDPR”) as those laws may be replaced or amended from time to time. These laws are referred to collectively in this policy as the “data protection laws”.
A fundamental feature of the data protection laws is the establishment of privacy principles at Article 5 of the GDPR including the principles of transparency, purpose-limitation, data accuracy, retention/storage, data security and integrity, and data minimisation. We operate our business in accordance with these principles.
A key principle of the GDPR is that we must have a lawful basis to use your data.
The six forms of lawful basis that are available are summarised in the info-graphic below:
GovernorHub relies on two main legal bases for its use of your data.
Firstly, that our use is necessary in order to perform our contract with you (being our User Terms and the documents they refer to) and is a reasonably proportionate and integral use of your data. For example, this applies when we use your data to provide you with access to our resources and to fulfil orders for the products you have requested, to manage product and technical support, to bill you and to run integral support tools including engagement of essential third party providers.
Secondly, we rely on the ‘legitimate interests’ basis where our use of the data has been analysed to be balanced in our interests. This would cover our marketing and business intelligence and certain sales functions, certain of our analytics tools, our personalisation of your content, our processing of auto renewals and our engagement of third-party providers to provide any non-essential functions. We will continually assess our legitimate business needs against the need to maintain and protect your individual rights and freedoms. We are happy to make our assessment of our legitimate interests available to you upon request. In summary, we conduct a 3-stage test to challenge ourselves and confirm our legitimate interests to hold personal data as follows:
We identify what our legitimate business interests are at any given time.
We check the necessity of processing the personal data for the purpose which we are intending. We check that there are not any less intrusive means to deliver the objective.
We make sure we weigh the balance of the interests of our business with the interests of the individuals whose personal information we hold.
We may also rely on your explicit consent on occasion during your online journey – for example to send you certain SMS messages, email messages, certain news briefings, some survey requests or where you wish us to help you share your professional experience with others.
When we do use your data and whichever legal basis we rely on, we will always ensure we consider that it is necessary and proportionate.
Our roles as a data controller and a processor
In common with most businesses, we handle your data in two different ways – firstly as a data controller when we handle your data for our own business purposes and make decisions on how and why to do this. This includes when we use it for marketing, invoicing and to provide you with the service you have subscribed to.
We may also process your data as a data processor on behalf of your school organisation. For example, when you use our site to manage your calendar or to store notes, training and compliance records or when you use our systems to record personal data about third parties such as teaching professionals and students. When we handle this data, we are processing it on your behalf and it is your school organisation that is the data controller.
The diagram below outlines the role and relationship of GovernorHub to the personal data accessed through our services.
What will GovernorHub use your information for?
We use your information to:
provide you with access to our resources and to fulfil orders for the products you have requested;
to manage and run integral product and technical support tools and to provide you with requested support;
to bill you;
for our marketing functions including (unless you tell us otherwise) telling you about products and services we think may be relevant for you;
for business intelligence - to better understand our members and their locations so that we can personalise content, use analytical tools, improve online navigation and for product and service improvement;
to ensure the technical security and business continuity of our Site;
our legal rights and complying with our legal obligations.
We may also (directly or through third party providers) use your information to contact you about renewals. GovernorHub may operate an auto renewal policy from time to time and, where this applies, we will advise you in good time before your due subscription renewal date of its expiry and if we do not hear from you informing us that you wish to cancel, we will automatically renew your subscription for a further year.
We may also monitor information and communications which may be recorded for purposes of quality assurance, training and fraud prevention.
Do we use automated decision making?
We may use automated systems or triggers to help us identify your compliance with the User Terms and to help us make decisions, for example helping us to identify the relevance of products or services to users or to help us understand the renewal risk profile of an individual user or group of users. These decisions do not have a legal or significant effect on you and do not affect the price offered to you. Individuals may have a right to certain information about automated decisions we make about them and may also have a right to request human intervention and to challenge the decision. More details can be found in the ‘Rights of individuals’ section below.
Marketing and other contact
GovernorHub has two key reasons for contacting you (we may contact you in-app, in-product, using online live chat, by telephone, SMS or email, by post or social media as described in this policy):
Firstly, to provide you with service messages. Examples of these messages may be requests to verify user credentials, to confirm your orders, to inform you of renewal options, to communicate security, product and policy updates, to assist you with technical support or in relation to any correspondence we receive from you or any comment or complaint you make about GovernorHub products or services. Our products also permit in-product communication between users (e.g. members of the same governing board).
Secondly, GovernorHub may need to contact you for its marketing purposes. This may take the form of:
direct postal mailings where the mailing is in our legitimate interests of informing you about a product or service we think you will find useful and will help grow our business;
e-mail or SMS messages where this is legally permissible - for example where you are an existing user and our marketing is about similar products and services. We will always provide you with a way of opting out from hearing from us in the future;
to invite you to participate in surveys or research – these may either be for our own legitimate business intelligence and marketing purposes or they may be needed for sectoral research for our online content (participation is always voluntary);
offering you free trials or demos of new products or services for our legitimate interests of informing you about a product or service we think you will find useful and growing our business;
operating our ‘invite a colleague’ or ‘ask for work experience’ function where your colleague has indicated you have consented to this and you are an existing member;
offering you the opportunity to take part in competitions and promotions;
We do not track your online behaviour once you leave our Site. We may use information which we hold about you to show you relevant advertising on popular third-party sites (e.g. LinkedIn, Facebook, Google, Instagram, Snapchat and Twitter). This could involve showing our members an advertising message on a third party site. We do this by matching data with social media sites who create audiences for our advertising campaigns. If you don’t want to be shown targeted advertising messages from GovernorHub, some third party sites allow you to request not to see messages from specific advertisers on that site in future. You can also contact us to request this at email@example.com;
offering you an extension to your subscription covering additional modules or products offered by our group as part of a wider related product suite. For example, our GovernorHub database and The Key databases are securely interlinked so that your basic account profile is shared (first name, last name and user ID) - this helps to ensure you can easily navigate around our entire suite of online content across our Group.
You may opt out of receiving marketing by amending your preferences. You can do this by emailing us at firstname.lastname@example.org, or by clicking the link on any marketing emails we may send you.
We may use analytics and business intelligence tools to support our marketing function. This means:
We use third party analytics providers (like Google Analytics) to analyse your use of our Site and what products may be of interest to you.
We may analyse what social media sites you engage with and how you interact with them as well as analysing the content of your social media professional profiles and when we are in a social media group together we may use the content of the group for the legitimate interests of our business intelligence and to understand our customers’ needs. We may use information provided by these sites to enrich your profile – i.e. to understand better which product or service may be of interest to you as long as it is necessary and not excessive. We do not use automated decision making in relation to this activity that has a legal or significant effect on you and we always diligence the providers for compliance with data protection laws. Please read the privacy policies of all social media sites you engage with for details of how they may share this information with us by creating customised audiences for example. We may advertise to you as a result of this information but we never track the third party sites you visit after visiting our site.
We may use third parties to send you marketing, news briefings or renewal reminders. We only ever choose third parties that meet our security requirements and comply with data protection laws. GovernorHub requires these third parties to comply strictly with its instructions and GovernorHub requires that they do not use your personal information for their own business purposes
We may use third party sources to match our data with theirs or to help cleanse our data if you have consented to this.
Some emails that we send you have no tracking in at all e.g. support or service emails. Other emails we send include tracking so that we can tell how much traffic those emails send to our site. In some emails we can track, at an individual level, whether the user has opened and clicked on links in the email.
Will GovernorHub share my personal information with anyone else?
Within our group
There are times when we may share your information with other companies in our group - this will be relevant when some of our internal support services are shared across The Key Support LTD group. It will also apply where we have your consent to give you access to online content forming part of a wider Group product suite and to market group company products and services to you.
In addition, we hope we will continue to expand. So, eventually, we may have additional group companies (we will all be owned by the same company, though). If this happens, we may want to share your information around our group so they can use it for the same internal purposes as we do, as described in this policy (for example marketing where we think this might be of interest to you or we might want to store our data on one server).
It is possible that we could sell our business to a third party, or re-organise our business or become insolvent. In that scenario, our database of customers is one of the biggest parts of that business, so we would need to share it with the buyer and their advisers.
With your Governor Services organisation, academy trust or other resellers
GovernorHub account holders (such as your governing board or academy trust) are able to set permissions on the GovernorHub product that allows sharing of user data details which they may use for lawful purposes. You can set your own permissions on your profile page – however admins will be able to access all content. In this scenario, GovernorHub is the data processor. The account holders will be data controllers of that data and their privacy policies will explain the uses of their data. They are also able to grant permission to the reseller of the GovernorHub product to access your profile. Account holders are responsible for allocating the specific permissions (e.g. member level/admin level/account holder level) to their personnel.
With your Governing Board or Governing Group fellow members and clerks
The only mandatory items of personal data required by the system are your name and email address.
Each account holder (as data controller) can configure the permissions required to view other content stored in the GovernorHub product. Some data required by a governing board is mandatory and you should consult the account holder for further information on this. Example permitted user groups are fellow members of your governing body including your clerk If you wish to view the permitted user groups accessing your data, please visit your account profile.
If your school is an academy within a multi-academy trust (MAT) which subscribes to GovernorHub, the trustees / directors in the MAT board will be able to view the individual academy local governing boards’ noticeboard, calendar, documents and governing board membership pages including your personal data on those pages.
All these third parties are data controllers in relation to the data we share with them and we urge you to review their privacy policies.
With our service providers
Sometimes GovernorHub uses third parties to process your information on our behalf, for example to provide services such as email deployment or cloud storage services or analysis of the technical data we use. We need these providers to provide us with their services for our legitimate interests of operating our business and our site effectively. Please contact us for a list of these providers. They fall into the following categories:
Accounts and billing, payment and card providers (we do not view or store your card details in the GovernorHub system. Anyone involved with the processing, transmission, or storage of card data must comply with the Payment Card Industry Data Security Standards (PCI DSS));
Sales fulfilment and customer support;
Business intelligence analytics;
Site usage analytics;
Legal, accounting and finance support;
When we use the services of others it will be required in order to fulfil our obligations under our User Terms or it will be in the legitimate interests of growing our business and improving your use of our products and services.
With third party list providers
We may purchase information from third parties about you when we have confirmed that you have been told about this and we have undertaken appropriate due diligence on compliance. We will always process your data in compliance with data protection laws.
Will other end users be able to see my data?
Your account profile sets out the relevant permissions to access your data. Please also refer to the section above which addresses sharing within your organisation. Certain permitted administrators will be able (and must be able) to view certain information relating to your profile.
On occasion, or upon receiving a request, we will email the account holder’s nominated lead user/admin and/or the individual (or body) who authorised or organised membership on behalf of your school, to inform them that a new permitted user has requested registration with us. This is intended to help ensure that people who register are eligible to use the service.
Sharing aggregated or anonymised information
In line with the organisational and technical measures and techniques of anonymisation and/or pseudonymisation advocated by the data protection laws, we may share aggregated or anonymised information within and outside of GovernorHub - with members of our Group and with partners such as research groups, policy groups, the DfE, or Ofsted. You will not be able to be identified from this information.
We may also use and disclose information in aggregate (so that no individuals are identified) for marketing and strategic development purposes.
We may use all or any part of your information and combine it with other user’s information to produce anonymous statistical data which we may use internally or share with third parties. Such data will not identify you or any other user personally. For example such data may show: popularity of news items, popularity of discussion topics, demand for training materials, frequency of calendar events, numbers of documents stored. These examples are illustrative only and are not intended to be an exhaustive list.
Disclosures required by law
We may also process your data where we have a legal duty to do so (this includes exchanging information with other companies and organisations for the purposes of fraud protection) or in connection with regulatory reporting, litigation or asserting or defending legal rights and interests.
Overseas Transfers of your data
GovernorHub’s group companies are currently all located within the UK and our internal servers are there also or within the EEA.
The only occasions when we may transfer your personal data overseas are:
Transfers to third parties we contract to manage your data (see the section on disclosures to third parties above). We always ensure that such transfers meet the requirements of data protection laws and that (a) such information is protected by suitable and legally approved safeguards and (b) that we are comfortable with the recipient’s security arrangements. For further details, please contact email@example.com
Transfers that are required by law.
Offensive or inappropriate content on our Site
The User Terms shall govern the behaviour, standards and acceptable uses of our Sites. If a User posts or uploads content which is disruptive or may reasonably be deemed to be offensive, inappropriate or objectionable or otherwise in breach of our User Terms, we may remove such content and may deny you access to the Site temporarily or permanently as we see fit.
Where we reasonably believe that you are or may be in breach of any applicable laws, in respect of hate-speech for example we may disclose your personal information to relevant third parties, including to law enforcement agencies or your mobile phone operator or other internet communications provider and relevant third parties such as your school and other agencies. We shall only do so in circumstances where such disclosure is permitted under applicable laws, including data protection law.
How long will GovernorHub keep my information?
We will store the information linked to your account during the term for your subscription but we will keep this information under regular review to ensure we still need to use it.
We will disable your account if your account is terminated for any reason. We may then keep limited data about your account for a period in line with our data retention policy from time to time in force. To determine the appropriate period, we consider the amount of data, its nature and sensitivity, the potential for harm and whether we can achieve our purposes through other means as well as our applicable legal requirements. Details of our records retention policy is available upon request. We will regularly cleanse this data. We will also delete your data on your request though we may hold a list of the ‘opt out’ requests to administer your request.
How we protect your data
We have implemented reasonable and appropriate security measures to protect the data we hold about you on our servers including HTTPS and the industry standard for encryption and SSL technology. All information you provide to us is stored on our secure servers. Any payment transactions will be encrypted.
Unfortunately, the transmission of information via the internet is not completely secure and we cannot guarantee that data breaches will never occur. Please keep your account details and your Device safe from unauthorised use or intervention at all times – and remember to log out or close down stale or inactive pages after use.
You should not allow others to access your account, for example by sharing your login details with a colleague. All users at your organisation are entitled under the licensing agreement to set up their own account which they can do on the sites or by emailing firstname.lastname@example.org.
No website can be completely secure; if you have any concerns that your GovernorHub account could have been compromised e.g. someone could have discovered your password, please get in touch straight away.
For security purposes only, in the future, we may require users to verify their credentials. We also reserve the right to contact the account holder in the event of any unusual or noteworthy login activity or patterns of usage. We won’t use this information for unexpected reasons.
We also do not recommend that you put email addresses, URLs, phone numbers, full names or addresses, holiday / home absence information, credit-card details or other identifying or sensitive information in any online messaging function now or in future.
You have a number of rights in relation to the information that we hold about you which are summarised below. You can exercise your rights by contacting us at email@example.com. You may also wish to contact your school for information they hold as a data controller:
The right to be informed about our use of your data. This is met by this Policy.
The right to access information we hold about you and to obtain information about how we process it (commonly known as a “data subject access request”). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it. Please note that we may ask you to specify what you wish to see in order to focus our search, and we may have to verify your identity/authority.
In some circumstances, the right to withdraw your consent to our processing of your information, which you can do at any time. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.
In some circumstances, the right to receive certain information you have provided to us in an electronic format and/or request that we transmit it to a third party;
The right to request that we rectify your information if it’s inaccurate or incomplete though we may need to verify the accuracy of the new data you provide to us. At any time you can review, delete or change the information you submitted during registration by visiting the Your Account section once logged in (accessed by clicking on your name at the top of the page). You should update your information if it changes.
In some circumstances, the right to request that we erase your information where there is no good reason for us continuing to process it. We may continue to retain your information if we’re entitled or required to retain it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
The right to object to, and to request that we restrict, our processing of your information in some circumstances for example where we are relying on our legitimate interests or using it for direct marketing. Again, there may be situations where you object to, or ask us to restrict, our processing of your information but we’re entitled to continue processing it and/or to refuse your request.
Individuals have a right to complain to the UK Information Commissioner’s Office by visiting www.ico.org.uk, or to the data protection regulator in the country where they live or work.
Last Revised 19/10/2020.