The web presence of What2Learn CPD is managed by What2Learn Ltd. What2Learn Ltd is registered with the Information Commissioner’s Office. What2Learn Ltd aim to be as clear as possible about how and why we use information about you so that you can be confident that your privacy is protected. This policy describes the information collected when you use “W2L” services. This information includes personal information as defined in the General Data Protection Regulation (GDPR) 2016 and the subsequent UK Data Protection Act, 2018.
The online presence of W2L CPD consists of two distinct components. The blog-based system is powered by WordPress and collects no user data and places no cookies on user systems.
The Moodle-based system (all URLs starting with https://courses.what2learn.com) does require collection and use of user data and cookies as detailed below.
Third-party ad servers
There are no third-party ad servers or ad networks used at onlinesafetyalliance.org and no user data is shared with any third parties.
Log Files
W2L’s Moodle-based system makes use of log files. The information inside the log files tracks interaction with elements within the online safety courses and scores attained in assessments. This data is essential to collect to measure user progress towards completion of the course. No Analytics-style data is collected on user location and search history.
Cookies and Web Beacons
The Moodle-based system of W2L uses Session Cookies. A session Cookie is generated when you log into the Certificate system. A session cookie only holds information for that session. When you log out this cookie is removed.
Some sections of the Moodle-based system invite course participants to visit highly reputable external websites. These external sites are not controlled or managed by What2Learn Ltd and may use cookies. The privacy policies of these external sites should be considered separately to this policy.
If you wish to disable cookies, you may do so through your individual browser options. More detailed information about cookie management with specific web browsers can be found at the browsers’ respective websites. It must be noted that this will prevent a user from being able to record scores achieved in assessments and will thereby prevent successful completion of the Certificate.
Customer data
No data is collected or stored by the W2L system which could be considered ‘high risk’.
Course participant data stored in the W2L Moodle-based system is name and email address. We require each participant account to have an email address to allow passwords to be reset and to allow us to communicate changes to the site and to provide administrative support. Log data as defined above is also collected.
Where participants have signed up to the W2L email newsletter in order to receive updates on the Moodle-based CPD courses, additional information is collected. Additional data collected is employer name, role in school and school phase. This data is stored with the service MailChimp to ensure full GDPR compliance. MailChimp’s data privacy documentation can be seen at https://mailchimp.com/legal/privacy/. This data is used for very occasional email communications relating to online safety issues or OSA services that the OSA believes might be of interest to school staff. This data is not shared with any third parties and the individual may unsubscribe from such communications at any time.
Who can access the data?
Where organisations sign up for a group package, an identified administrator will be able to access user data for staff within their own organisation, but not the data of any others. All W2L staff who have access to user data are trained on their responsibilities in line with current data protection legislation.
Where is the data stored?
All user data is kept on a pair of secure databases, and a web server. All data is stored within the EU using Amazon Web Services (AWS) based in Ireland. For full details of how AWS ensure GDPR compliance please visit https://aws.amazon.com/compliance/gdpr-center/
Data security
HTTPS is used on the servers and throughout the OSA online presence to encrypt and secure the data of those using the W2L system. Administrative access to systems is provided to limited to key individuals and complex administrative access codes are employed to reduce the threat of unauthorised access. Administrative access to the system is monitored through log data. Daily backups of user data are kept on servers and tested to ensure timely restoration of user data in the event of a physical or technical incident. All systems and software are maintained with relevant security updates. In the event of a data breach being identified, the Supervisory Authority would be contacted within 72 hours along with the nominated point of contact within each affected school. Repeated failures to access the Moodle-based system result in automated IP banning and temporary account lockouts.
Data shared between establishments and What2Learn Ltd is encrypted with passwords shared through alternative communications channels.
Data security procedures are regularly reviewed.
Legal basis
We shall only process your Personal Data in accordance with principles of data protection and if there is a legal basis to do so. Data processed by W2L meets the principles of Legitimate Interest within the GDPR as:
- Processing of data is necessary to verify and record that individuals have successfully demonstrated knowledge of online safety issues.
Data Retention
Unless we receive a deletion request, we will retain your information for as long as your account is active or as is reasonably useful for operational purposes.
Personal Privacy
Participants are not visible to one another and our systems do not permit messages to be sent between any users.
Use of Integrated Services
Some users may opt to use Google or Microsoft Integrated Services to gain access to the Moodle-based system of onlinesafetyalliance.org using existing account details. Doing so will grant onlinesafetyalliance.org access to basic profile information to with the sole purpose of identifying users to record their progress through our learning materials and assessments. Our product uses OAuth 2 for user authentication and the user is informed clearly of the level of access they will be providing and the purpose of this access. We never have access to Google or Microsoft passwords.
In using OAuth 2, What2Learn Ltd is compliant with:
- The Developer Policy of Google Platform
- The Policy of Google Buttons
- The EU User Consent Policy
You may revoke our access to your account on any Integrated Service, such as Google or Microsoft, at any time by updating the appropriate settings in the account preferences of the respective Integrated Service. You should check your privacy settings on each Integrated Service to understand and change the information sent to us through each Integrated Service. Please review each Integrated Service’s terms of use and privacy policies carefully before using their services and connecting to our system.
Use of integrated services is optional and down to the preference of each school. Where Integrated Services are not used accounts will be created for teachers and students in a format agreed with a designated member of school staff.
Right of erasure
In accordance with applicable European legislation you can delete your account and your usage logs from the system. In the case of requests to delete student accounts, the relevant school will be informed that this request has been made in order to confirm that the request made is legitimate.
Your rights
You have the right to exercise your data protection rights at any time.
You have the right to request information as to the personal data relating to you has been processed by us.
Contact person
If you have questions regarding data protection, need information or want your data to be deleted please contact our Data Protection Officer via email: [email protected]