Privacy notice for users of organisation partner portals

Updated 22/07/2022

In a nutshell:

At Potentially we provide an engaging skills training and life-long learning platform for those who want to develop personally and professionally so that they can achieve their potential, whether in education, in their early careers or throughout their later careers. For example, your university or college has built a full career-ready employability and skills development programme on Potentially, helping you to become work-ready and develop life-long learning skills. Our folio allows you to keep a log of any learning moments that show how you are capable and skilled across competencies. As a user of your organisation's portal you can showcase and share achievements with colleagues, peers and future employers.

That’s why this notice is important to read!


Privacy

Our policies and procedures are there to protect the security and privacy of the users of the partnership organisation platforms, whether universities, colleges, local councils or companies.

We apply best practice principles and work towards compliance with industry standards, proactively seeking third-party audits that validate our application of enterprise-level security and operations. Data security experts and auditors scrutinise, test, and validate the privacy, security, data management and operational measures we deliver and maintain.

All employees are trained in data security and privacy principles.

Enterprise-level development infrastructure, practices and processes

Best-practice procedures that are reviewed regularly, with staff trained to leading standards


Data Security and Privacy Practices

Potential.ly has a set of policies and procedures in place to ensure the systematic management of sensitive data. Potential.ly follows common OWASP (The Open Web Application Security Project) guidelines and is registered and compliant with the Information Commissioner’s Office with respect to data protection, use of and freedom of information. More information can be found at ico.org.uk.

Organisations Potentially adheres to:

EU GDPR compliant – Potential.ly is GDPR compliant and requires its subprocessors to comply with the terms of the GDPR.

ICO – Registered and compliant with the Information Commissioner’s Office with respect to data protection, use of and freedom of information. More information can be found at ico.org.uk.

SSL HTTPS – The website incorporates HTTPS encryption across the entire potential.ly website, protecting against common OWASP problems.

ISO 27001 – Amazon Web Services, our hosting provider, is certified to the international standard for information security, ISO 27001, for United Kingdom data centres. The certificate can be found here. This standard provides a framework for managing a business’s security responsibilities and provides external assurance for customers as to the scope and scale of the secure environment. Potential.ly works towards ISO 27001 principles across its operations, practices, processes and infrastructure.

OWASP – The potential.ly platform follows common OWASP (The Open Web Application Security Project) guidelines. OWASP represents a broad consensus about what the most critical web application security flaws are.

Sub-processors – The only sub-processors used are those which provide hosting hardware and infrastructure. They can only access our systems at our request.

We need it to provide you with a service you’ve requested

If you don’t provide us with the required personal data, we’ll try to provide the service, but it may be impossible.

If another organisation helps us to provide the service, we’ll also make your data available to them. If this involves transferring information to a country not recognised as providing equivalent protection, we’ll use additional safeguards approved by UK or EU regulators.

We require all organisations we work with to keep information as safe as we do.

If you log on with your organisation’s Identity Provider we process:

  • The IP address, browser version, service provider accessed and time of access for each authentication request
  • If your organisation shares your user identifier this will either be your organisation's email address or a pseudonymised user identifier
  • Your affiliation to your organisation
  • Cookies to maintain session state and user preferences
  • In addition, your organisation may send additional information to enhance your experience. Usually this is profile information imported from the organisation whose credentials you log in with, including:
    - first name and last name
    - academic institution/school
    - area of work or study (e.g. course)
    - role (e.g. student or staff).
  • Please check with your organisation for a full list of data shared.

Product usage information - Information processed while using our Products, such as:

  • Your interactions, for example reflections, quiz responses, messages to staff, comments, and uploaded files
  • Performance metrics and engagement e.g. how you engage with content, activities, use certain features etc.
  • Descriptions, images, tagging, and other information related to engagement
  • How you use the platform, including time spent interacting with resources, content, diagnostics and other features with a date and time stamp of your engagement

Through third-party tracking (Google Analytics) we track general information on:

  • Device
  • Browser type
  • Operating system
  • Geo-location information (e.g., Country or state)
  • Persistent identifiers
  • Internet Protocol (IP) address (a number that is automatically assigned to your computer when you use the Internet, which may vary from session to session)
  • Domain name

In addition, we may analyse information in order to improve our platform service and features. We use the information described above to:

• Create and maintain your account and identify you as a user when you log in and use the platform features

• Provide effective support, such as contacting you and communicating with you, including responding to your comments or inquiries

• Provide, operate, maintain, and improve our platform product, service and features

• Personalise and improve your experience

• Provide customer support

• Solicit feedback about our Products, including by asking you to respond to surveys or questionnaires (with your permission)

Disclosure of information through potential.ly platform

Additionally, our platform has features that share information (including personal information) with authorised third parties or that allow you to share information with third parties or the public. These disclosures are described below.

Academic Institutions, course providers, or parents. We may share your personal information with the Academic Institution or company which is linked to your use of our Products. Where permitted, we may also share your information with relevant parties associated with the Academic Institution, such as educators or fellow students, or parents of students using our Products or fellow users.

For example, this would apply:

• If your Academic Institution uses our Products as a personal or professional learning / development platform and has given you access to the service; or

• If you are taking a course via your organisation's platform/portal, we will share the personal information you provided upon account registration and course registration with the organisation, whether e.g. educator and/or Academic Institution or employer.
