We have assessed the roles of each party in connection with processing Student Data using the twelve factors published by the Information Commissioner’s Office (ICO). These factors help determine whether an organisation is acting as a data controller or a data processor.

Based on this assessment, the school is considered the data controller in relation to Student Data.

The data controller is the organisation that determines:

• Why personal data is collected.
• The purpose for which the data will be used.
• What type of personal data should be collected.
• Which individuals the personal data will be collected from.

In this relationship, the school decides what student data should be collected and which students the data relates to.

The school has the direct relationship with the students (the data subjects). Because of this, the school determines how and why their personal data is processed.

The school appoints Dr Frost Learning to process that data on its behalf.

Dr Frost Learning processes Student Data only under the instructions of the school.

As a result, Dr Frost Learning acts as a data processor, while the school acts as the data controller.

Taking all of the ICO factors into account, the school has more indicators supporting its role as the controller in this relationship.

Whenever Dr Frost Learning processes personal data on behalf of a controller, we enter into a Data Processing Agreement (DPA) with that controller.

This agreement defines how personal data is processed, protected and managed in accordance with applicable data protection laws.