Privacy Policy
Stat Solutions Ltd (trading as ASSET for Schools®)
1. Purpose and Scope
Stat Solutions Ltd ("we", "us", "our") is committed to protecting the confidentiality, integrity, and availability of personal data processed through our business operations and software services, including ASSET for Schools®.
This Privacy Policy explains how personal data is collected, used, stored, protected, shared, retained, and deleted, and how individuals may exercise their data protection rights.
This policy applies to:
- Our websites and web-based services
- ASSET for Schools® software platform
- Communications with customers, suppliers, and partners
- Training, demonstrations, support, and consultancy services
This policy forms part of our ISO 27001-certified Information Security Management System (ISMS).
2. Data Controller and Contact Details
Data Controller:
Stat Solutions Ltd (trading as ASSET for Schools®)
869 High Road, London, N17 8EY
Company No: 04890386
Data Protection Officer (DPO):
Assistant Manager
Email: dpo@assetforschools.co.uk
Telephone: 0207 183 8357
3. Legal and Regulatory Framework
We process personal data in accordance with:
- UK GDPR
- Data Protection Act 2018
- ISO/IEC 27001:2022
- ICO guidance and best practice
We are registered with the Information Commissioner's Office (ICO) and maintain ISO 27001 certification and Cyber Essentials Plus controls.
4. Lawful Basis for Processing
We process personal data only where a lawful basis applies, including:
- Performance of a contract
- Compliance with a legal obligation
- Legitimate interests (balanced against individual rights)
- Consent (where required)
We do not rely on blanket consent for system processing. Where consent is used, it is explicit, informed, and revocable.
5. How We Collect Personal Data
Personal data may be collected via:
- Booking and contact forms
- Online chat and surveys
- Telephone calls and emails
- Training, demonstrations, and webinars
- Cookies and analytics tools (see Cookies Policy)
- Data uploaded by schools into ASSET for Schools®
All collection methods are documented, controlled, and risk-assessed under our ISMS.
6. Categories of Personal Data We Process
6.1 Data Uploaded and Controlled by Schools (Customer Data)
Our customers (schools, academies, MATs, local authorities and Virtual Schools) upload pupil-level data into the ASSET for Schools® platform. This data is stored within our software environment and is processed only for the purpose of delivering the contracted service to the customer, including reporting, analysis, monitoring, and PEP functionality. The customer determines what data is uploaded and remains the Data Controller for that data. We act as Data Processor when providing the platform and support services.
6.2 Pupil Data Fields (as configured in the platform)
The platform may process the following categories of pupil information (noting that exact fields used depend on the customer's configuration and module use):
Identity and School Context
- Pupil Name (optional; may be left blank where pseudonymisation is used)
- Pseudonymisation (optional feature supported)
- School information / URN (required)
Pupil Characteristics
- Gender (required)
- Ethnicity (required)
- Religion (required)
- FSM (required)
- SEN (required)
- EAL (optional)
- Additional pupil groups / categorisation (optional)
Assessments and Attainment
- EYFS Assessments (required)
- KS1 Reading mark / scale score / teacher assessment (required)
- KS1 Writing mark / scale score / teacher assessment (required)
- KS1 Maths mark / scale score / teacher assessment (required)
- KS2 Reading mark / scale score / teacher assessment (required)
- KS2 Writing mark / scale score / teacher assessment (required)
- KS2 Maths mark / scale score / teacher assessment (required)
- List of subjects taken in the school (required)
- Pupil grades / targets / predicted grades / other attainment indicators per subject (required)
- Class groups for each subject (optional)
Personal Education Plan (PEP) Modules
- Basic Info (PEP) (required)
- Pupil Voice (PEP) (required)
- SEND module (PEP) (required)
- Meeting module (PEP) (required)
- Targets & Actions (PEP) (required)
- QA & Sign Off (PEP) (required)
- Achievement (PEP) (required)
- Assessment (PEP) (required)
Attendance and Behaviour
- Suspensions (required)
6.3 Special Category Data
Some pupil characteristics processed within the platform may constitute "special category" personal data under UK GDPR (for example ethnicity, religion, and certain SEND-related information). This data is processed only under the customer's documented instructions and for education-related statutory and safeguarding purposes. Access is controlled by role-based permissions and data is protected by appropriate technical and organisational security measures.
7. How We Use Personal Data
Customer-uploaded pupil data is processed only to provide analytics, reporting, monitoring, and PEP functionality to the customer and is not used for advertising, profiling, or training any AI models.
Personal data is used for:
- Account creation, access control, and security
- Service delivery and support
- Training, demonstrations, and communications
- Product improvement (non-personal, aggregated data only)
We do not use customer or pupil data for AI training, profiling, or automated decision-making beyond the contracted service.
8. Information Security and Storage
We implement layered security controls in line with ISO 27001, including:
- Role-based access control
- Encryption in transit and at rest
- Secure UK-based hosting
- Regular vulnerability scanning and penetration testing
- Incident detection and response procedures
Access to personal data is restricted to authorised personnel only.
9. Data Retention
Personal data is retained only for as long as necessary for:
- Contractual obligations
- Legal and regulatory requirements
- Legitimate business purposes
Retention periods are defined in our Data Retention Schedule and reviewed annually.
[Ref DP10.2 Records Retention and Protection Policy]
10. Data Sharing and Processors
We do not sell personal data.
Data may be shared with:
- Approved subcontractors and consultants (under contract and NDA)
- Hosting and infrastructure providers
- Regulatory bodies where legally required
All processors are subject to due diligence and contractual security requirements.
11. International Transfers
All data is stored and processed in the UK.
If international transfers become necessary, appropriate safeguards will be implemented and individuals informed.
12. Data Deletion and Disposal
Individuals may request deletion of personal data where legally permissible.
Deletion is:
- Authorised by the DPO
- Logged and verified
- Applied to live systems and backups in accordance with retention controls
Certain records may be retained where required by law.
13. Data Subject Rights
Individuals have the right to:
- Be informed
- Access their data
- Rectify inaccuracies
- Request erasure
- Restrict processing
- Object to processing
- Data portability
Requests are handled within statutory timeframes.
14. Complaints
Complaints may be raised with us directly or with the ICO:
15. Third-Party Links
Our websites may link to external sites. We are not responsible for their privacy practices.
16. Changes to This Policy
This policy is reviewed at least annually or following material changes. Updates are communicated appropriately.
17. Contact Us
Stat Solutions Ltd
869 High Road, London, N17 8EY
Email: virtualschools@assetforschools.co.uk
Tel: 0207 183 8357



