Executive Summary – Data Privacy
GovernorHub is a secure, cloud-based tool that provides online resources aimed at school governors. Our customers are schools, academies, trusts and local authorities or other resellers which purchase subscriptions to the service for their users. This Privacy Policy applies to information about you as a user and anyone else’s data which is stored using our services.
Whenever you provide us with your personal information, we are legally obliged to use your information in line with all applicable laws concerning the protection of personal information, including the UK Data Protection Act 2018 and the EC General Data Protection Regulation 2016/679 (“GDPR”) as those laws may be replaced or amended from time to time. These laws are referred to collectively in this policy as the “data protection laws”.
GovernorHub is committed to protecting your personal information when you are using GovernorHub services. We want our services to be safe and useful environments for our audience. This Privacy Notice applies to information held about you (in the variety of roles in which you may be a data subject under this Policy (see the Section below on Capacity in which ‘You’ may be a ‘Data Subject’)) and individuals connected to your organisation by GovernorHub which acts as either a data controller or a processor depending on its role, as described below.
This Privacy Policy explains the following (amongst other things):
the laws that apply to our use of your information;
our roles when handling your data;
when GovernorHub may use your details to contact you with marketing;
whether GovernorHub will disclose your details to anyone else and in any overseas country;
and your rights regarding the personal information you provide to us.
We may need to update this policy and we will give you notice of this where reasonably possible; where you have given us your email address, we may use this to notify you of such changes and we will post a note on the sites to inform you that this policy has been updated.
Please check this policy regularly to ensure you always understand how we use your information. All terms that are defined in this policy have the meanings given to them in the User Terms.
Last updated 16/05/2024.
1. Capacity in which ‘You’ may be a ‘Data Subject
We recognise that we hold personal information in relation to a range of Data Subjects, all of which may be referred to as ‘You’ for the purposes of this Policy. We anticipate that ‘You’ are likely to fall into one of the following defined sub-categories of ‘Data Subject’ and the definitions used for the purposes of these sub-categories will be used in this Policy clarify the way in which we will use your data (in addition to other definitions as described in this document):
Role | Definition |
User Types | Note: a user can be more than one of the roles below |
Board User | A person with a profile on GovernorHub on a maintained school or a local academy board. This could be a governor, trustee or anyone that has been approved as being part of the governance function by a board (e.g. associate members etc.). |
Board Admin | A person with a profile on GovernorHub on a maintained school or a local academy board who performs administrative duties for that board. Most often, but not restricted to, the Clerk |
GovernorHub Knowledge User | A person with a profile on GovernorHub on any board which has access to a GovernorHub Knowledge subscription. GovernorHub Knowledge users' data will be shared with The Key and processed by The Key in accordance with their Privacy Policy. |
MAT Board User | A person with a profile on GovernorHub on a Multi Academy Trust (MAT) Board. This could be a trustee or anyone that has been approved as being part of the trust board function by that board |
MAT Board Admin | A person with a profile on GovernorHub on a Multi Academy Trust Board who performs administrative duties for that board. Most often, but not restricted to the clerk/governance professional |
Governor Services/MAT Central Admin | A person with a profile on GovernorHub who centrally manages or performs other administrative duties on the behalf of a Trust, Local Authority (LA) or reseller using the main app or admin.governorhub.com |
GovernorHub Admin | Internal to GovernorHub only and a limited number of people who have access to the system (customers support, sales, security, backup, maintenance, demo accounts) |
Other Data Subjects |
|
Billing contact | Used for billing and invoicing, may not have access to GovernorHub. Details stored in CRM (SalesForce) and Zuora (Invoicing) |
Marketing Contact | A person who has subscribed to or taken part in free events, news updates or other offer but is NOT a current customer and does not have a GovernorHub profile |
2. Who we are and how to contact us
GovernorHub, (“GovernorHub”, “us”, “we” or “our”), is a trading division of The Key Support Services Limited, (“The Key”) a company registered in England at 8th Floor, HYLO 103, 105 Bunhill Row, London, EC1Y 8LZ with company number 0268303.
In addition to GovernorHub The Key offers various online resources to school and trust leaders. Depending on the access rights granted as part of any subscription to GovernorHub users may be granted access to these online resources.
The Key through its group companies ScholarPack Ltd and Arbor Education Ltd offer a management information system to schools. Separate privacy policies are maintained for each of these other products.
Our data protection lead (DPL) responsible for communicating with you about our use of your data can be contacted at dataprotection@governorhub.com .
3. How we collect data from you and other data sources
This Privacy Policy relates to our use of any personal information we collect from you:
from any GovernorHub website that links to this Privacy Policy.
from you signing up to and agreeing to an account with GovernorHub on behalf of a school either as a governor/trustee, clerk/governance professional, Governor Service Administrator or Reseller
You give us your personal data directly through:
registering for an account, whether free trial or active subscription,
setting up your user account profile and indicating your marketing preferences, including providing any personal account records
data through posting in content on messaging boards and or commenting on such boards,
entering competitions and surveys, booking event/webinars tickets
any interactions you have with us by phone, SMS, livechat, email, feedback, letters and other correspondence and in person.
To understand the types of this direct information we collect about you see Schedule 2: Fields Collected
In particular we collect diversity information which allows us to report on diversity across governing boards on an anonymised basis. This is a voluntary collection of information and is done with your consent and reported on if you have an active term of office. For more information see. See Schedule 2: Profile Information: Personal Information/Diversity Information
We also may collect data from the following third-party data sources (provided such collection and use is in accordance with data protection laws):
Department for Education (DfE) where they make data publicly available to us;
your school website;
any publicly available social media sources that may help us understand our audience and what products you might be interested in;
our third-party service providers (e.g. to tell us you have paid for a product or extended your renewal or that a support ticket has been closed);
our group companies (e.g. to tell us what products you are likely to find interesting);
other users of our services (i.e. through our ‘invite a colleague’ referral function or other individuals at your school);
third party list providers. This is obtained from credible education focused sources and used for our own purposes we will not resell such information. (e.g to identify a specific type of role within a school / governing board)
4. The data protection laws and principles we honour
A fundamental feature of the data protection laws is the establishment of privacy principles at Article 5 of the GDPR including the principles of lawful basis, transparency, purpose-limitation, data accuracy, retention/storage, data security, data integrity, and data minimisation. We operate our business in accordance with these principles.
The six forms of lawful basis that are available are summarised in the table below:
Lawfulness of processing
Consent | Contractual necessity | Legal Obligations | Vital interests
| Public interest | Legitimate interests |
The consent of data subject to the processing of their personal data | Processing is needed in order to enter into or perform a contract | The controller is obliged to process personal data for a legal obligation | It is vital that specific data are processed for matters of life and death | Public authorities and organisations in the scope of public duties and interest | There is a weighed and balanced legitimate interest where processing is needed and the interest is not overridden by others |
GovernorHub relies on three main legal bases for its use of your data.
Firstly, that our use is necessary in order to perform our contract with you (being our User) taking into consideration our terms and conditions (along with any commercial contract) and is reasonably proportionate and integral use of your data. For example, this applies when we use your data to provide you with access to our resources and to fulfil orders for the products you have requested, to manage product and technical support, to bill you and to run integral support tools including engagement of essential third party providers, for example our cloud hosting partners.
Secondly, specifically relating to your diversity information we rely on “Consent” when we collect and process this information. This covers the anonymised reports we provide concerning diversity of governing boards. We may also rely on your explicit consent on occasion during your online journey – for example to send you certain SMS messages, email messages, certain news briefings, some survey requests or where you wish us to help you share your professional experience with others.
Finally, we rely on the ‘legitimate interests’ basis where our use of the data has been analysed to be balanced. This would cover our marketing and business intelligence and certain sales functions, certain of our analytics tools, our personalisation of your content, our processing of auto renewals and our engagement of third-party providers to provide any non-essential functions.
We will continually assess our legitimate business needs against the need to maintain and protect your individual rights and freedoms. We are happy to make our assessment of our legitimate interests available to you upon request.
In summary, we conduct a 3-stage test to challenge ourselves and confirm our legitimate interests to hold personal data as follows:
We identify what our legitimate business interests are at any given time.
We check the necessity of processing the personal data for the purpose which we are intending. We check that there are not any less intrusive means to deliver the objective.
We make sure we weigh the balance of the interests of our business with the interests of the individuals whose personal information we hold.
When we do use your data and whichever legal basis we rely on, we will always ensure we consider that it is necessary and proportionate.
5. Our roles as a data controller and a processor
In common with most businesses, we handle your data in two different ways – firstly as a data controller when we handle your data for our own business purposes, to provide you with the service you have subscribed to or signed up for. This includes when we use it for marketing, invoicing and to improve our products and services.
We may also process your data as a data processor on behalf of your school organisation. For example, when you use our site to manage your calendar or to store notes, training and compliance records or when you use our systems to record personal data about third parties such as teaching professionals and students. When we handle this data, we are processing it on your behalf and it is your school organisation that is the data controller. Please check your school’s privacy policy in relation to our processing of such personal data in these circumstances.
The diagram below outlines the role and relationship of GovernorHub to the personal data accessed through our services. We may need to share parts of your profile information (name, etc.) with your Local Authority, Academy Trust, or government agencies. In relation to diversity information we are the data controller because we are capturing this data to provide aggregated diversity information on governing boards.
Data controller vs Data processor
When is GovernorHub a data controller and when are we a data processor?
Data Controller: GovernorHub is a Data Controller except where we are a data processor as set out below
Data processor:
User Generated Content | Governor, Compliance and experience records When you use our site to manage your calendar, to upload details of your experience or your compliance and training records, you are using our site as a storage mechanism only and we are your data processor. |
| Board communication and documentation When you communicate (via GovernorHub) i.e make calendar entries and share content with other governor board members or other governor groups or account holders.
When you upload documentation it may contain information on third parties (i.e CVs, teaching professionals or students)
It is your responsibility to check you have the relevant permissions to upload documentation relating to third parties into GovernorHub. |
Governor Information | Governor Profile When you complete your profile information you do at the request of your Governing Boards requirements who may also determine mandatory fields and remove your profile.
|
We do not claim ownership over any of the data processed for you as a data processor. We are granted a licence to process your data in accordance with our user terms.
6. What will GovernorHub use your information for?
to provide you with access to our resources
to fulfil orders for the products you have requested;
to manage and run integral product and technical support tools and to provide you with requested support;
to bill you or your school, LA, MAT, Trust or reseller;
for our marketing functions including (unless you tell us otherwise) telling you about products and services we think may be relevant for you;
business intelligence, to better understand our customer and their locations so that we can personalise content.
to analyse product usage via analytical tools, to improve online navigation and for product and service improvement;
to ensure the technical security and business continuity of our site and systems;
to protect our legal rights and complying with our legal obligations;
to provide it to third-party sub processors as required to provide the functionality of the product; View our Sub Processors list.
to provide it to third-party systems who integrate with our products, where you have provided consent to do so.
We may also monitor information and communications with us which may be recorded for purposes of quality assurance, training and fraud prevention.
We may also (directly or through third party providers) use your information to contact you about renewals. GovernorHub may operate an auto renewal policy from time to time and, where this applies, we will advise you in good time before your due subscription renewal date of its expiry and if we do not hear from you informing us that you wish to cancel, we will automatically renew your subscription for a further year.
We may use automated systems or triggers to help us identify your compliance with the User Terms and to help us make decisions, for example helping us to identify the relevance of products or services to users or to help us understand the renewal risk profile of an individual user or group of users. These decisions do not have a legal or significant effect on you and do not affect the price offered to you. Individuals may have a right to certain information about automated decisions we make about them and may also have a right to request human intervention and to challenge the decision. More details can be found in the ‘Rights of individuals’ section below.
Marketing and other contact
Where you are a Marketing Contact we may contact you to follow up on your inquiries for GovernorHub products and services.
For all User Types, GovernorHub has two key reasons for contacting you (we may contact you in-app, in-product, using online live chat, by telephone, SMS or email, by post or social media as described in this policy):
Firstly, to provide you with service messages. Examples of these messages may be requests to verify user credentials, to confirm your orders, to inform you of renewal options, to communicate security, product and policy updates, to assist you with technical support or in relation to any correspondence we receive from you or any comment or complaint you make about GovernorHub products or services. Our products also permit in-product communication between users (e.g. members of the same governing board).
Secondly, GovernorHub may need to contact you for its marketing purposes. This may take the form of:
direct postal mailings where the mailing is in our legitimate interests of informing you about a product or service we think you will find useful and will help grow our business;
e-mail or SMS messages where this is legally permissible - for example where you are an existing user and our marketing is about similar products and services. We will always provide you with a way of opting out from hearing from us in the future;
to invite you to participate in surveys or research – these may either be for our own legitimate business intelligence and marketing purposes or they may be needed for sectoral research for our online content (participation is always voluntary);
offering you free trials or demos of new products or services from within The Key Group for our legitimate interests of informing you about a product or service we think you will find useful and growing our business;
advertising to you through online marketing messages and online ads on pages of our Site that you visit. This is in our legitimate interests of ensuring you are aware of content or products that may improve your experience and grow our business. Where we use cookies for any online advertisements, we will always ask for your consent;
operating our ‘invite a colleague’ or ‘ask for work experience’ function where your colleague has indicated you have consented to this and you are an existing member;
offering you the opportunity to take part in competitions and promotions;
We do not track your online behaviour once you leave our site.
offering additional modules or products offered by our group as part of a wider related product suite. For example, our GovernorHub database and The Key databases are securely interlinked so that your basic account profile is shared (first name, last name and user ID) - this helps to ensure you can easily navigate around our entire suite of online content across our Group.
You may opt out of receiving marketing by amending your preferences. You can do this by clicking the link on any marketing emails or Emailing us at dataprotection@governorhub.com
We may use analytics and business intelligence tools for the legitimate business interests of supporting our marketing, design, research and product development functions. This means:
We use third party analytics providers (like Google Analytics) to analyse your use of our Site and what products may be of interest to you.
We may analyse activities on our social media pages/profiles/groups managed by us that you engage with. As well as analysing the content of your social media professional profiles, when we are in social media group(s) together we may use the content of the group for the legitimate interests of our business intelligence and to understand our customers’ needs. We may use information provided by these sites to enrich your profile – i.e. to understand better which product or service may be of interest to you as long as it is necessary and not excessive. We do not use automated decision making in relation to this activity that has a legal or significant effect on you and we always carry our appropriate diligence on the providers for compliance with data protection laws. Please read the privacy policies of all social media sites you engage with for details of how they may share this information with us by creating custom audiences for example. We may advertise to you as a result of this information but we never track the third party sites you visit after visiting our site.
We may use third parties to send you marketing, news briefings or renewal reminders. We only ever choose third parties that meet our security requirements and comply with data protection laws. GovernorHub requires these third parties to comply strictly with its instructions and GovernorHub requires that they do not use your personal information for their own business purposes
We may use third party sources to match our data with theirs or to help cleanse our data if you have consented to this.
Some emails that we send you have no tracking in at all e.g. support or service emails. Other emails we send include tracking so that we can tell how much traffic those emails send to our site. In some emails we can track, at an individual level, whether the user has opened and clicked on links in the email.
7. Will GovernorHub share my personal information with anyone else?
Within our group
There are times when we might share information such as account contact, billing contact, headteacher or marketing contact info within The Key Group. This will be relevant when some of our internal support services are shared for example, Business Intelligence, Finance, Information Security and IT. It will also apply where we have your consent to give you access to online content forming part of a wider Group product suite and to market The Key group products and services to you.
In addition, we hope the group will continue to expand. So, eventually, we may have additional group companies (we will be under common ownership, though). If this happens, we may want to share your information around our group so they can use it for the same internal purposes as we do, as described in this policy.
In the unlikely event that we sell our business to a third party, or re-organise our business or become insolvent. In that scenario, our database of customers is a significant asset of our business and we might need to share elements of the database to a buyer and their advisers.
With your Governor Services organisation, academy trust or other resellers
Governor Admins (such as your governing board or academy trust) are able to set permissions on the GovernorHub product that allows sharing of Governor Information which they may use for lawful purposes. You can set your own permissions on your profile page – however admins will be able to access all content. They are also able to grant permission to the reseller of the GovernorHub product to access your profile. Governor Admins are responsible for allocating the specific permissions (e.g. member level/admin level/account holder level) to their personnel.
With your fellow Governing Board or Group members and clerks
The only mandatory items of personal data required by the system are your name and email address. Your Governing Board may require you to fill out additional fields.
Each instance of GovernorHub can be configured as per the contract agreed when first set up for the School, LA, MAT, Trust, or reseller. These configurations relate to the permissions of how Administrators can view content including your profile information and documents. You should consult your Governor Admin for further information on this.
Governor Admins can create user groups with fellow members of your governing body including your clerk If you wish to view the permitted user groups accessing your data, please visit your account profile.
If your school is an academy within a multi-academy trust (MAT) which subscribes to GovernorHub, the trustees / directors in the MAT board will be able to view the individual academy local governing boards’ noticeboard, calendar, documents and governing board membership pages including your personal data on those pages.
All these third parties are data controllers in relation to the data we share with them and we urge you to review their privacy policies.
With our service providers
For specific purposes GovernorHub uses third parties to process your information on our behalf, for example to provide services such as email deployment or cloud storage services or analysis of the technical data we use. Please contact us for a list of these providers. They fall into the following categories:
Accounts and billing, payment and card providers (we do not view or store your card details in the GovernorHub system. Anyone involved with the processing, transmission, or storage of card data must comply with the Payment Card Industry Data Security Standards (PCI DSS));
Sales fulfilment and customer support;
Business intelligence analytics;
Site usage analytics;
Technical support;
Security
Survey providers;
Marketing support;
Legal, accounting and finance support;
Cloud Infrastructure.
Alternative methods of logging into our Site through accredited providers such as Google and Microsoft. Please review their privacy policies for an explanation of how these providers use the log in credentials you provide to them. We do not receive any personal data from these providers other than confirmation that your log-in has been successful.
Will other end users be able to see my data?
Your account profile sets out the relevant permissions to access your data. Please also refer to the section above which addresses sharing within your organisation. Certain permitted administrators will be able (and must be able) to view certain information relating to your profile.
On occasion, or upon receiving a request, we will email the account holder’s nominated lead user/admin and/or the individual (or body) who authorised or organised membership on behalf of your school, to inform them that a new user has requested registration with us. This is intended to help ensure that people who register are eligible to use the service.
Sharing aggregated or anonymised information
In line with the organisational and technical measures and techniques of anonymisation and/or pseudonymisation advocated by the data protection laws, we may share aggregated or anonymised information within and outside of GovernorHub - with members of our Group and with partners such as research groups, policy groups or the DfE, or Ofsted. You will not be able to be identified from this information.
In addition we collect on a voluntary basis Diversity information, an aggregate of this information will be made available to your governing board or trust board. For more information click here.
We may also use and disclose information in aggregate (so that no individuals are identified) for marketing and strategic development purposes.
We may use all or any part of your information and combine it with other user’s information to produce anonymous statistical data which we may use internally or share with third parties. Such data will not identify you or any other user personally. For example, such data may show: popularity of news items, popularity of discussion topics, demand for training materials, frequency of calendar events, numbers of documents stored. These examples are illustrative only and are not intended to be an exhaustive list.
Disclosures required by law
We may also process your data where we have a legal duty to do so (this includes exchanging information with other companies and organisations for the purposes of fraud protection) or in connection with regulatory reporting, litigation or asserting or defending legal rights and interests.
8. Overseas Transfers of your data
GovernorHub’s group companies are currently all located within the UK and our internal servers are there also or within the EEA.
The only occasions when we may transfer your personal data outside the UK are:
Transfers to third parties we contract to manage your data (see the section on disclosures to third parties and service providers above). We always ensure that such transfers meet the requirements of data protection laws and that (a) such information is protected by suitable and legally approved safeguards and (b) that we are comfortable with the recipient’s security arrangements. For further details, please contact dataprotection@governorhub.com
Transfers that are required by law.
9. Offensive or inappropriate content on our site
The User Terms shall govern the behaviour, standards and acceptable uses of our Sites. If a User posts or uploads content which is disruptive or may reasonably be deemed to be offensive, inappropriate or objectionable or otherwise in breach of our User Terms, we may remove such content and may deny you access to the Site temporarily or permanently as we see fit.
Where we reasonably believe that you are or may be in breach of any applicable laws, in respect of hate-speech for example we may disclose your personal information to the relevant data controller, who may inform law enforcement agencies.
10. How long will GovernorHub keep my information?
We will store the information linked to your account during the term for your subscription but we will keep this information under regular review to ensure we still need to use it. Individual governors: Where your account is no longer associated with a subscription you can request your account be removed by contacting your Governor Admin or your account will automatically be removed after a period of inactivity of up-to 2 years.
We will disable your account if your account is terminated for any reason. We may then keep limited data about your account for a period in line with our data retention policy. To determine the appropriate period, we consider the amount of data, its nature and sensitivity, the potential for harm and whether we can achieve our purposes through other means as well as our applicable legal requirements. Details of our records retention policy is available upon request. We will regularly cleanse this data. We will also delete your data on your request though we may hold a list of the ‘opt out’ requests to administer your request.
11. How we protect your data
We have implemented reasonable and appropriate Technological and Organisational security measures to protect the data we hold about you on our servers including; HTTPS the industry standard for encryption and SSL technology. In addition, we are UKAS ISO27001 & CyberEssentials accredited, our certificates can be requested by contacting us. We undertake periodic internal and external audits to maintain the standards. We also undertake annual penetration tests by an external Crest accredited penetration tester. Details of our latest Technological and Organisational measures can be provided upon request.
All information you provide to us is stored on our secure servers. Any payment transactions will be encrypted.
Unfortunately, the transmission of information via the internet is not completely secure and we cannot guarantee that data breaches will never occur. Please keep your account details and your device safe from unauthorised use or intervention at all times – and remember to log out or close down stale or inactive pages after use.
12. How to keep your account secure:
You should not allow others to access your account, for example by sharing your login details with a colleague. All users at your organisation are entitled under the licensing agreement to set up their own account which they can do on governor.hub.com
GovernorHub strongly recommends you activate and protect your account with multi factor authentication.
No online service or website can be completely secure; if you have any concerns that your GovernorHub account could have been compromised e.g. someone could have discovered your password, please get in touch straight away via governorhub.com.
GovernorHub websites contain hyperlinks to websites owned and operated by third parties. These third-party websites have their own privacy and security policies, and are also likely to use cookies, and we therefore urge you to review them. They will govern the use of personal information you submit when visiting these websites, which may also be collected by cookies. We do not accept any responsibility or liability for the privacy practices of such third-party websites and your use of such websites is at your own risk.
13. Your rights
You have a number of rights in relation to the information that we hold about you which are summarised below. You can exercise your rights by contacting us at dataprotection@governorhub.com. You may also wish to contact your school for information.
The right to be informed about our use of your data. This is met by this Policy.
The right to access information we hold about you and to obtain information about how we process it (commonly known as a “data subject access request”). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it. Please note that we may ask you to specify what you wish to see in order to focus our search, and we may have to verify your identity/authority.
In some circumstances, the right to withdraw your consent to our processing of your information, which you can do at any time. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.
In some circumstances, the right to receive certain information you have provided to us in an electronic format and/or request that we transmit it to a third party;
The right to request that we rectify your information if it’s inaccurate or incomplete though we may need to verify the accuracy of the new data you provide to us. At any time you can review, delete or change the information you submitted during registration by visiting the Your Account section once logged in (accessed by clicking on your name at the top of the page). You should update your information if it changes.
In some circumstances, the right to request that we erase your information where there is no good reason for us continuing to process it. We may continue to retain your information if we’re entitled or required to retain it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
The right to object to, and to request that we restrict, our processing of your information in some circumstances for example where we are relying on our legitimate interests or using it for direct marketing. Again, there may be situations where you object to, or ask us to restrict, our processing of your information but we’re entitled to continue processing it and/or to refuse your request.
If we have got something wrong please do contact us in the first instance. However individuals have a right to complain to the UK Information Commissioner’s Office by visiting www.ico.org.uk, or to the data protection regulator in the country where they live or work.
Schedules