The RM Group of businesses creates and maintains an extensive range of innovative solutions and services -all designed or selected to meet the specific needs of educational users:
● RM Education provides software, services and technology to schools and colleges in the UK;
● RM Results provides e-assessment services and education data analysis to exam boards and central government in the UK and internationally; and
● RM Resources provides physical and curriculum resources for schools and nurseries in the UK and internationally. The GDPR (General Data Protection Regulation) and the Data Protection Act 2018 set out the legal obligations for organisations in regard to the processing of personal data.
1.2 Purpose and scope of this Policy
RM is committed to protecting and respecting the privacy of individuals.
1.3 Lawful Basis for Processing
We will only process your data if there is a lawful basis for such processing. The lawful basis for processing Personal Data will be one of the following:
● Consent. You have given RM clear and specific consent for processing your data.
● Contract. You, or the organisation you work for, have entered into a contract with us in which the processing of your data is required.
● Legal obligation. We need to process your data in order to comply with a common law or statutory obligation.
● Legitimate interests. We have a legitimate interest in processing your data in circumstances where it would be reasonable for you to expect such data processing and where there is a minimal privacy impact. Some direct marketing activities may be based on legitimate interests. Where legitimate interest is deemed to apply, RM will have carried out a Legitimate Interest Assessment.
Outside of the UK and the EU, we will use these lawful bases to the extent we are allowed to do so under the laws of the relevant jurisdiction. Where this is not allowed, we will comply with the laws of the relevant jurisdiction.
All international transfers of personal data will be compliant with applicable law and protected by appropriate technical and organisational measures.
1.4 Contact details:
For the purpose of data protection legislation, the data controller is either:
(a) RM Educational ResourcesLtd (which includes the trading entities “The Consortium” and “TTS”)
(b) RM Education Ltd (which includes the trading entity RM Results)
(c) Schools Educational Software Ltd (Company number 14130331)
Which each has their registered office at: 142B Park Drive, Milton Park, Abingdon, Oxon. OX14 4SE; or
(d) RM Education Solutions India Pvt (“RMESI”)
Which has its registered office at Unit No.8A, Carnival Techno Park, Technopark, Kariyavattom PO, Trivandrum - 695581, Kerala, India.
Additional information for job applicants can be found at the end of this policy under section 13.
1.5 RM Group websites
It is possible that our websites contain links to other sites. RM is not responsible for the privacy practices or the content of such websites. The websites may also include comment fields, chat rooms, forums, message boards, and news groups. Please remember that any information that is disclosed in these areas becomes public information and you should exercise caution when deciding to disclose your personal information.
In respect of RM Educational Resources Ltd:
In respect of RM Education Limited:
In respect of RMESI:
In respect of RM plc:
2.1 Information about you that you give us
(a) when filling in forms on our websites (listed in 1.5above);
(b) by corresponding with us by phone, email or otherwise;
(c) by calling one of our support helplines, where calls may be recorded
(d) when you register to use our websites;
(e) when you subscribe to our services;
(f) when you place an order on one of our websites;
(g) when you, leave reviews for products, participate in discussion boards or other social media functions on our websites
(h) when you enter a competition, promotion or survey;
(i) when you attend an RM activity, such as a seminar;
(j) when you report a problem with our websites; and
(k) when you participate in a market research panel run by RM
(l) when you apply for a job at RM, either directly or through an agency.
The information you give us may include your name, address, e-mail address and phone number, organisation, job role or title, financial and credit card information and some interests / preferences.
Additional information for job applicants can be found at the end of this policy under section 13.
2.2 Information about you that we collect
Visits to websites
With regard to each of your visits to our websites we will automatically collect the following information:
(a)technical information, including your login information, the Internet protocol (IP) address used to connect your computer to the Internet, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform; and
(b)information about your visit, including the full Uniform Resource Locators (URL), clickstream to, through and from our site (including date and time), products you viewed or searched for, page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), methods used to browse away from the page platform and any phone number used to call our customer service number.
When you visit one of our offices, RM may record CCTV footage of you. The operation of CCTV is governed by the CCTV Policy, which is closely aligned with the ICO’s guidance on this subject. A copy of this policy is available upon request.
2.3 Information we receive from other sourcesThis is information we receive about you if you use any of the websites we operate or other services we provide. In these cases we will have informed you when we collect that data if we intend to share those data internally and combine it with data collected on our websites. We will also have told you for what purpose we will share and combine your data.
We work closely with third parties (including, for example, business partners, sub-contractors in technical, payment and delivery services, advertising networks, analytics providers, search information providers, credit reference agencies).
We may also purchase marketing lists, containing contact data, from trusted third parties. We will always ensure that there was an appropriate lawful basis for the collection of this data.
3.1 Information you give us
We will use the information you give us:
(a) to carry out our obligations arising from any contracts entered into between you and us and to provide you with the information, products and services that you request from us;
(b) to provide you with information about other goods and services we offer that are similar to those that you have already purchased or enquired about where we have a legitimate business purpose to do so;
(c) where relevant, to provide you with a support newsletter for the product(s) you have purchased. This may include updates, future roadmaps, technical articles and product information. You can unsubscribe from these at any time.
(d) to notify you about changes to our service;
(e) to ensure that content from our site is presented in the most effective manner for you and for your computer; and
(f) to notify you about any recalls of goods that you have or may have purchased from RM;
3.2 Information we collect about you
We will use the information we collect about you:
(a) to administer our websites and for internal operations, including troubleshooting, data analysis, testing, research, statistical and survey purposes;
(b) to improve our websites to ensure that content is presented in the most effective manner for you and for your computer;
(c) to allow you to participate in interactive features of our services, when you choose to do so;
(d) as part of our efforts to keep our websites safe and secure;
(e) to measure or understand the effectiveness of advertising we serve to you and others, and to deliver relevant advertising to you; and
(f) to make suggestions and recommendations to you and other users of our websites about goods or services that may interest you or them.
The Internet protocol (IP) address used to connect your computer to the Internet. We use your IP address for the following purposes:
1. Issue triage: if you notify us of an issue, or our monitoring identifies an issue, then the information within the servers’ logs is used to identify the root cause and, wherever possible, identify a fix.
2. Issue trending: this provides us with aggregated trend data so we can monitor the quality of the service year-on-year.
3. Application usage data: we use server logs to review system usage, both for issue triage and for service reporting year-on-year.
4. Service analytics data: we do Pingdom and Microsoft to gather analytical data.
We (or third-party data processors acting on our behalf) may collect, store, and use your personal information for individual website experience improvement.
We collate the information collected about you or provided by you in order to offer you a more tailored marketing experience but always where we either have your consent or where RM have a legitimate business purpose to do so.
For marketing purposes, we may collect, store and use the following kinds of personal data:
(a) information about your computer and about your visits to and use of this website (including your IP address, geographical location, browser type, referral source, length of visit and number of page views);
(b) information that you provide to us for the purpose of registering with us (including name, company, telephone number and email address); and
(c) any other information that you choose to send to or tell us.
If you have recently purchased products or services from us, we may contact you with information about goods or services similar to those which were the subject of the previous sale or negotiations.
When we communicate with you by email for the purpose of marketing, we will always provide you with information about how to stop receiving such communications from us in the future.
If your email address is linked to a business account, we may process your data on the basis of legitimate interests. However, it is possible that we would also recognise your email as belonging to an individual and, in that scenario, we would process your data only if you have given consent. It is possible for one email address to be against both business and personal classifications.
For example, MrTeacher@gmail.com is linked to a school account. RM will market to you in your business capacity on the basis of legitimate interests until you unsubscribe to these emails. Additionally, since the email address is classified as also belonging to an individual, we will market to you in your personal capacity only if we have received your consent to do so. Your consent may be withdrawn at any time.
We do not knowingly solicit information from children and we do not knowingly market our services to children.
3.4 Sharing with RM Group companies
RM’s provision of the products or services to you may require the transfer of data to RMEducation Limited’s wholly owned subsidiary, RM Education Solutions India Private Limited (“RMESI”), which operates outside the European Economic Area. India has not been approved by the European Commission as having adequate protections in place for the purpose of the transfer of personal data. You agree that RM will be permitted to transfer your data to RMESI provided that RM shall have entered into an agreement with RMESIbased upon standard contractual clauses approved by the European Commission for transfers of personal data to processors outside of the European Economic Area and which agreement shall include security obligations on RMESI.
RM has a central database which all RM Group companies can access. It is possible that some personal data (such as the name on an invoice, or a contact at a school) will be visible by all RM Group companies.
3.5 Sharing with Third Parties
RM may share your data with trusted third parties using one of the following lawful bases:
● Consent: where you have provided consent for your data to be shared.
● Legitimate Interests: where sharing the data is in RM’s legitimate business interests and not outbalanced by the need to protect your individual rights.
● Contract: where sharing your data is required for the performance of a contract.
● Legal obligation: where sharing your data is required in order to comply with law.
Where data is shared to fulfil our contractual obligations, and RM is acting as a data processor, enquiries as to the scope and nature of such data sharing should be raised, in the first instance, with the data controller, e.g. school, awarding body, etc.
We may share your data with trusted third parties for the following reasons:
(a) We may share your data with third parties directly involved in the provision of RM products and services where you have requested those RM products and services, e.g. delivery companies.
(b) We may share your data with third parties indirectly involved in the provision of RM products and services, e.g. service providers for our websites and email providers.
(c) We may share your data with third parties that help us to improve the quality of the products and services that we provide. SThe lawful basis for such data sharing will either be your consent or our legitimate interests, depending on the purpose and nature of processing involved. Such third parties may include:
● Survey providers
● Data analytics and matching providers
● Market research organisations
● Event registration providers
(d) We may share your data with third parties such as law enforcement authorities, either on the basis of legitimate interests or because we have a legal obligation to do so.
If you have provided explicit consent, we may share your data with third parties in order that you can be contacted to complete surveys, so we can study how our customers use our products and services and improve our offering accordingly. You are not obliged to complete any survey sent to you and may request that past reviews be deleted.
Where you have provided explicit consent to receive marketing communications, we may also share your data with third parties involved in the delivery of such communications.
RM will never sell your data to third parties.
Other than when we are sharing your data in order to comply with our legal obligations, all third parties that may access your data are subject to the following conditions:
● A contract, and relevant data processing agreement, will be in place.
● Data must only be processed for specific purposes and in accordance with RM’s instructions.
● Appropriate security measures must be in place to protect your data.
● Data provided or accessed will be minimised, and where appropriate, pseudononymised.
● The data must not be used for the third party’s own purposes.
● Data must be deleted when it is no longer required or at the end of the contract.
● Where you request this, we will ask third parties to delete your data from their systems.
When your data is transferred to a third party located outside of the European Economic Area (EEA), we will enter into an agreement based upon standard contractual clauses approved by the European Commission for transfers of personal data to processors outside of the EEA and this agreement shall include security obligations on the third party.
A list of all sub-processors used is available upon request.
3.6 Social Media
On some of our websites when we ask for your consent for direct marketing, we may also ask for your consent to share your details with social media platforms so that they can provide you with targeted marketing. If you give us your consent, but then at a later date wish to stop receiving targeted marketing from RM in this way, you can either opt out directly by telling us or by changing your marketing preferences on the platform.
However, you may also receive targeted advertising on social media platforms based on your browsing history, whether or not you follow us. RM has no control over the marketing you receive in this way, and you should manage your marketing preferences within the platform if you wish to change the marketing you receive.
If we have sought, and you have given us, your consent, we may also share your anonymised data with social media platforms for the purpose of identifying other potential customers (“lookalikes”) who have a similar online profile to you.
Sharing your personal information
You agree that we have the right to share your personal information with:
(a) Any member of the RM Group, which means our subsidiaries, our ultimate holding company and its subsidiaries, as defined in section 1159 of the UK Companies Act 2006;
(b) Selected third parties including:
● business partners, suppliers and sub-contractors for the performance of any contract we enter into with them or you;
● advertisers and advertising networks that require the data to select and serve relevant adverts to you and others provided we have a lawful basis to do so;
● analytics and search engine providers that assist us in the improvement and optimisation of our websites; and
● credit reference agencies for the purpose of assessing your credit score where this is a condition of us entering into a contract with you.
Disclosure to third parties
We will disclose your personal information to third parties:
(a) In the event that we sell or buy any business or assets, in which case we will disclose your personal data to the prospective seller or buyer of such business or assets;
(b) If any RM Group company or substantially all of its assets are acquired by a third party, in which case personal data held by it about its customers will be one of the transferred assets;
The data that we collect from you maybe transferred to, and stored at:
(a) Third party cloud-hosted environments, e.g. Microsoft Azure, using servers that reside only in EEA.
(b) Third party data centres, using servers that reside only in the UK.
RM uses a range of security measures in order to protect Personal data, managed through a Group Information Security Framework, based on ISO 27001, the international standard for information security management. In addition, a number of business units, including RM Education Solutions India Pvt, are certified to ISO 27001:2013. Further details are available upon request to the Data Protection Officer (details below).
A wide range of technical controls are used, including but not limited to:
● Data encryption
● Anti-virus and anti-malware software
● Network monitoring
● Access management
● Vulnerability scanning and penetration testing
A wide range of non-technical controls are used, including but not limited to:
● Physical security controls at RM offices
● Security policies, including Data Classification & Handling, Data Protection, etc.
● Security training
The implementation of such controls may vary between specific products and services.
All websites have security measures in place to protect the loss, misuse and alteration of the information under our control. Where necessary RM will inform law enforcement agencies or other relevant organisations regarding misconduct.
All information you provide to us is stored on our secure servers. Any payment transactions will be encrypted and utilise technologies to ensure PCI DSS compliance. Where we have given you (or where you have chosen) a password which enables you to access certain parts of our websites, you are responsible for keeping this password confidential. We ask you not to share a password with anyone.
Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our websites; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.
RM has established a data retention framework based on statutory and non-statutory guidance. The framework applies to both digital and non-digital data. In regard to the retention of personal data of individuals who are neither employees nor former employees, data retention schedules will be applied in accordance with the following:
(b) Product-specific and service-specific data retention schedules
Data retention schedules will be documented and will be communicated, either through terms and conditions of the relevant product and / or service, or upon request.
In accordance with data protection legislation, RM recognises that data subjects have specific rights that must be protected and observed.
Right to be informed
RM provides employees, customers and other third parties with information about how personal data is collected, processed and managed. RM seeks to provide this information in language that is clear, concise and intelligible. This information is intended to be easily accessible for internal and external users.
Right of access
RM provides data subjects with access to the personal data that it manages as a data controller. A Subject Access Request (SAR) process has been defined (see paragraph 8 below) and communicated. Data subjects for whom RM is not the data controller but may process their personal data, should –in the first instance –contact the data controller directly when requesting such access.
Right to rectification
RM recognises the right of individuals to have inaccurate or incomplete data to be amended. Data subjects for whom RM is not the data controller, should –in the first instance –contact the data controller when making a data rectification request.
Right to erasure
RM recognises the right of individuals to request for their data to be deleted or removed where there is no compelling reason for its continued processing. RM will, in all cases, follow the ICO’s guidance on how and when such a request should be observed.
RM maintains a data retention schedule so that personal data is not retained for longer than is necessary with regard to the purpose for which the data was original collected. However, some personal data may be required to be retained in order to observe other legal or regulatory obligations. In addition, inline with the ICO’s guidance on the constraints that existing when deleting data retained in digital back-ups, RM will seek to place such back-ups beyond effective use.
Right to data portability
Where the right of portability applies, as defined by the ICO, RM will provide data in a form that is structured, commonly used and in a machine readable form. In most cases, this will be the CSV format.
Right to object
RM recognises the right of individuals to object to the processing of their personal data, where such objections are allowable under data protection legislation.
Rights related to automated decision making including profiling
RM does not use automated decision making where such decisions have a significant effect on data subjects.
You have the right to ask us not to process your personal data for marketing purposes. We will usually inform you (before collecting your data) if we intend to use your data for such purposes or if we intend to disclose your information to any third party for such purposes. You can exercise your right to prevent such processing by not checking certain boxes on the forms we use to collect your data. You can also exercise the right at any time by contacting us using the details set out in paragraph 10 below.
In “My Account”, there is a privacy dashboard. If you register, you will get an RM account. That will give you access to an area to show your preferences for communication.
Each time you receive electronic marketing information from us, you have the option to decline to receive further marketing information from us.
To stop receiving email communications from RM in the future, you can:
1. click on the opt-out link in the email and follow the instructions; or
2. reply to the email with “UNSUBSCRIBE” in the subject line; or
3. for RM Education Limited customers only, visit rm.com/unsubscribe and provide your email address.
If you change your preferences, we will endeavour to ensure our systems reflect this within one (1) week of receiving your alteration.
Please note that if you terminate your RM account, but have also subscribed to newsletters, for example, you must additionally unsubscribe from these in order to cease receiving communication. This also applies to any third parties you have agreed we can share your information with.
To prevent you receiving such communications from RM in the future, you can send a letter clearly identifying yourself and asking that we remove you from our contact lists. Contact details are set out in paragraph 10 below.
Third party websites
Our websites may, from time to time, contain links to and from the websites of our partner networks, advertisers and affiliates. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for these policies. Please check these policies before you submit any personal data to these websites.
Right of complaint to the ICO
Should you have a concern about RM’s information rights practices, please report it to us for investigation. If, following our internal review, you are not satisfied, you can report the matter to the Information Commissioner’s Office.
The Data Protection Legislation gives you the right to access information held about you. Your right of access can be exercised in accordance with such legislation.
Upon receipt of a written request to our Data Protection Officer (see paragraph 11 below for contact details),and upon validation of the requestor’s identity, RM will within one(1) month:
(a) confirm whether any of your personal data is being processed;
(b) provide a description of the personal data, the reasons it is being processed and whether it is given to any other organisations; and
(c) if it is not disproportionate to do so, provide copies of the information comprising the data.
If the request is particularly complex or numerous, RM may extend the period for repose by up to two (2) months.
If the request is manifestly unfounded or excessive, RM may charge a fee or refuse to respond.
If disclosing the personal data will adversely affect the rights and freedoms of others, RM may withhold such personal data. This may extend to intellectual property and trade secrets.
RM Data Protection Officer
142B Park Drive
Telephone: +44 (0) 8450 700300
Fax: +44 (0) 8450 700400
As RM processes personal data of EU nationals, and in compliance with the UK GDPR Article 27, we have appointed Willans Data Protection Services as our representative in the EU. They can be contacted as follows:
Address: Willans Data Protection Limited, 2 Pembroke House, 28-32 Upper Pembroke Street, Dublin, Ireland D02 EK84.
Telephone 00 353 1 447 0402
We understand that when searching for employment a large amount of personal and highly confidential data is disclosed and we take our responsibility to protect this very seriously. This section sets out the basis on which any personal data we collect from you, or you provide to us, will be processed by RM Careers.
This policy is designed to be compliant with, and will be implemented in accordance with the UK GDPR, and any other associated legislation. However, RM will observe the requirements of local laws for applicants outside the UK and EU.
Information we may collect
We generally collect personal data contained in your CV, or submitted with your application and/or any personal information form, such as name, address, home phone number, work phone number, mobile phone number(s), e-mail addresses and general contact information.
We collect and may disclose statistical information gathered as a whole (e.g. total number of applicants and applicant origin) for internal reporting purposes. However, we never disclose information that identifies any individual for such purposes.
If you receive an offer from us, we may conduct a limited background check, or ask a third party to do this on our behalf. The nature of the check may depend on the role for which you have received an offer. Any such background check will be compliant with the laws of the country in which the role you have applied for is located. Further information is available on request.
How we may use this Information
RM gathers the personal information required for you to be considered for job vacancies within RM and to conduct research relating to our recruitment activities. Generally, the information gathered from you is used to assist you to search for RM job vacancies, apply for RM job vacancies and to be processed for each job application you submit. As such, it may require us to release your personal information with your consent to RM hiring managers, administrators and third party contractors. These RM hiring managers, administrators and third party contractors may be in the UK or in other parts of the world including outside the European Economic Area ("EEA"). By registering with RM, you agree that your information may be shared with RM hiring managers, administrators and third party contractors for the purpose of supporting you to find suitable RM job vacancies, applying for RM job vacancies, supporting our research relating to our recruitment activities and processing you for each job application you submit and you consent to the transfer of your information outside the EEA.
Where we store your personal data
Your personal data is stored on secure servers hosted by RM-approved contractors. These servers reside in the EEA.
RM is a global organisation, and therefore your data may be transferred to any of our operating businesses throughout the world with your consent, for the purpose of being considered for any RM job vacancy you apply for, or for being matched to, specific RM job vacancies and being contacted by a RM hiring manager, administrator or third-party contractor to discuss your interest and suitability.
By submitting your personal information, you agree to RM transferring, storing and processing your personal data outside the EEA. In particular, you agree to our wholly owned subsidiary, RMESI, processing your data outside the EEA. For roles based in Australia, you also agree to our group company, SoNET Systems Pty Ltd, processing your data outside the EEA.
How long is your personal data retained
If your application was unsuccessful, we will retain your personal data for a period of twelve (12) months, before deleting the same.