RM Plc Privacy Policy

Information Security Classification: Public

Status: Definitive

Version Number: 2.7

Date: 10/12/2024

  1. INTRODUCTION

    1.1 Background

    The RM Group of businesses creates and maintains an extensive range of innovative solutions and services -all designed or selected to meet the specific needs of educational users:

    • RM’s Schools Technology business provides software, services and technology to schools and colleges in the UK;

    • RM’s Assessment business provides e-assessment services and education data analysis to exam boards and central government in the UK and internationally; and

    • RM Resources provides physical and curriculum resources for schools and nurseries in the UK and internationally.

    The GDPR (General Data Protection Regulation) and the Data Protection Act 2018 set out the legal obligations for organisations in regard to the processing of personal data.

    (For the purposes of this Privacy Policy, “We”, “Us”, ”Our”, “RM” and “RM Group” means RM plc (Reg No. 01749877) and The Educational Resources Ltd(Reg No. 03100039), RM Education Ltd(Reg No. 01148594),RM Results, TTS Group Ltd (Reg No. 04373761) and West Mercia Supplies, which are registered in England and Wales, and SoNET Systems Pty Ltd (Australian Company Number 093 532 435) and RM Education Solutions India Pvt (Corporate Identification Number U72200KL2003PTC015931),respectively registered in Australia and India. See the latest RM plc Annual Report for further details about RM.)

    Purpose and scope of this Policy

    RM is committed to protecting and respecting the privacy of individuals.

    This Privacy Policy outlines how RM collects, stores and uses personal information that it collects about customers, candidates, examiners, job applicants, and visitors to the RM Group websites in the relevant jurisdictions, notably in the UK and EU.

    This Privacy Policy is intended for circulation to RM’s customers, suppliers and other interested parties. It is supported by an internal data protection framework.

    This Privacy Policy is intended for use in conjunction with the RM plc Data Protection Policy (available on request), the Terms of Website Use and the Cookies Policy(which are available on each RM Group company’s website). These documents set out the basis on which any personal data we collect from you, or that you provide to us, will be processed by us.

    1.3 Lawful Basis for Processing

    We will only process your data if there is a lawful basis for such processing. In the UK and the EU, the lawful basis for processing Personal Data will be one of the following:

    • Consent. You have given RM clear and specific consent for processing your data.

    • Contract. You, or the organisation you work for, have entered into a contract with us in which the processing of your data is required.

    • Legal obligation. We need to process your data in order to comply with a common law or statutory obligation.

    • Legitimate interests. We have a legitimate interest in processing your data in circumstances where it would be reasonable for you to expect such data processing and where there is a minimal privacy impact. Some direct marketing activities may be based on legitimate interests. Where legitimate interest is deemed to apply, RM will have carried out a Legitimate Interest Assessment.

    Outside of the UK and the EU, we will use these lawful bases to the extent we are allowed to do so under the laws of the relevant jurisdiction. Where this is not allowed, we will comply with the laws of the relevant jurisdiction.

    All international transfers of personal data will be compliant with applicable law and protected by appropriate technical and organisational measures.

    1.4 Contact details:

    For the purpose of data protection legislation, the data controller is either:

    (a)RM Educational Resources Ltd (which includes the trading entity “TTS”)

    (b)RM Education Ltd (which includes the trading entity RM Results)
    which each has their registered office at: 142B Park Drive, Milton Park, Abingdon, Oxon. OX14 4SE; or

    (c)RM Education Solutions India Pvt(“RMESI”)
    which has its registered office at Unit No.8A, Carnival Techno Park, Technopark, Kariyavattom PO, Trivandrum -695581, Kerala, India.

    Additional information for job applicants can be found at the end of this policy under section 13.

    1.5 RM Group websites

    It is possible that our websites contain links to other sites. RM is not responsible for the privacy practices or the content of such websites. The websites may also include comment fields, chat rooms, forums, message boards, and news groups. Please remember that any information that is disclosed in these areas becomes public information and you should exercise caution when deciding to disclose your personal information.

    Wherever this Privacy Policy refers to a website, we are referring to the applicable one of:

    In respect of RM Educational Resources Ltd:

    In respect of RM Education Limited:

    In respect of RM plc:

  2. HOW WE GET YOUR PERSONAL DATA

    2.1 Information about you that you give us

    • when filling in forms on our websites (listed in 1.5above);

    • by corresponding with us by phone, email or otherwise;

    • by calling one of our support helplines, where calls may be recorded

    • when you subscribe to our services;

    • when you place an order on one of our websites;

    • when you leave reviews for products, participate in discussion boards or other social media functions on our websites;

    • when you enter a competition, promotion or survey;

    • when you attend an RM activity, such as a seminar;

    • when you report a problem with our websites;

    • when you participate in a market research panel run by RM; and

    • when you apply for a job at RM, either directly or through an agency.

    The information you give us may include your name, address, e-mail address and phone number, organisation, job role or title, financial and credit card information and some interests / preferences.

    Additional information for job applicants can be found at the end of this policy under section 13.

    2.2 Information about you that we collect

    Visits to websites

    With regard to each of your visits to our websites we will automatically collect the following information:

    • technical information, including your login information, the Internet protocol (IP) address used to connect your computer to the Internet, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform; and

    • information about your visit, including the full Uniform Resource Locators (URL),clickstream to, through and from our site (including date and time),products you viewed or searched for, page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs),methods used to browse away from the page platform and any phone number used to call our customer service number

    CCTV

    When you visit one of our offices, RM may record CCTV footage of you. The operation of CCTV is governed by the CCTV Policy, which is closely aligned with the ICO’s guidance on this subject. A copy of this policy is available upon request.

    2.3 Information we receive from other source

    This is information we receive about you if you use any of the websites we operate or other services we provide. In these cases we will have informed you when we collect that data if we intend to share those data internally and combine it with data collected on our websites. We will also have told you for what purpose we will share and combine your data.

    We work closely with third parties (including, for example, business partners, sub-contractors in technical, payment and delivery services, advertising networks, analytics providers, search information providers, credit reference agencies).

    We may also purchase marketing lists, containing contact data, from trusted third parties. We will always ensure that there was an appropriate lawful basis for the collection of this data,

  3. HOW WE USE YOUR PERSONAL DATA

    3.1 Information you give us

    We will use the information you give us:

    • to carry out our obligations arising from any contracts entered into between you and us and to provide you with the information, products and services that you request from us;

    • to provide you with information about other goods and services we offer that are similar to those that you have already purchased or enquired about where we have a legitimate business purpose to do so;

    • where relevant, to provide you with a support newsletter for the product(s) you have purchased. This may include updates, future roadmaps, technical articles and product information. You can unsubscribe from these at any time.

    • to notify you about changes to our service;

    • to ensure that content from our site is presented in the most effective manner for you and for your computer; and

    • to notify you about any recalls of goods that you have or may have purchased from RM.

    3.2 Information we collect about you

    We will use the information we collect about you:

    • to administer our websites and for internal operations, including troubleshooting, data analysis, testing, research, statistical and survey purposes;

    • to improve our websites to ensure that content is presented in the most effective manner for you and for your computer;

    • to allow you to participate in interactive features of our services, when you choose to do so;

    • as part of our efforts to keep our websites safe and secure;

    • to measure or understand the effectiveness of advertising we serve to you and others, and to deliver relevant advertising to you; and

    • to make suggestions and recommendations to you and other users of our websites about goods or services that may interest you or them.

    IP addresses

    The Internet protocol (IP) address used to connect your computer to the Internet. We use your IP address for the following purposes:

    • Issue triage: if you notify us of an issue, or our monitoring identifies an issue, then the information within the servers’ logs is used to identify the root cause and, wherever possible, identify a fix.

    • Issue trending: this provides us with aggregated trend data so we can monitor the quality of the service year-on-year.

    • Application usage data: we use server logs to review system usage, both for issue triage and for service reporting year-on-year.

    • Service analytics data: we do Pingdom and Microsoft to gather analytical data.

    Cookies

    We use cookies on our websites to improve your experience on the websites, mainly so that we don't have to ask you for your information on every page you visit. It also allows us to personalise the information shown to be closer to your interests.

    We (or third-party data processors acting on our behalf) may collect, store, and use your personal information for individual website experience improvement.

    For detailed information on the cookies we use and the purposes for which we use them see our Cookie policy which can be found on every RM Group website.

    3.3 Marketing

    We collate the information collected about you or provided by you in order to offer you a more tailored marketing experience but always where we either have your consent or where RM have a legitimate business purpose to do so.

    For marketing purposes, we may collect, store and use the following kinds of personal data:

    • information about your computer and about your visits to and use of this website (including your IP address, geographical location, browser type, referral source, length of visit and number of page views);

    • information that you provide to us for the purpose of registering with us (including name, company, telephone number and email address); and

    • any other information that you choose to send to or tell us.

    If you have recently purchased products or services from us, we may contact you with information about goods or services similar to those which were the subject of the previous sale or negotiations.

    When we communicate with you by email for the purpose of marketing, we will always provide you with information about how to stop receiving such communications from us in the future.

    If your email address is linked to a business account, we may process your data on the basis of legitimate interests. However, it is possible that we would also recognise your email as belonging to an individual and, in that scenario, we would process your data only if you have given consent. It is possible for one email address to be against both business and personal classifications.

    For example, MrTeacher@gmail.com is linked to a school account. RM will market to you in your business capacity on the basis of legitimate interests until you unsubscribe to these emails. Additionally, since the email address is classified as also belonging to an individual, we will market to you in your personal capacity only if we have received your consent to do so. Your consent may be withdrawn at any time.

    We do not knowingly solicit information from children and we do not knowingly market our services to children.

    3.4 Sharing with RM Group companies

    RM’s provision of the products or services to you may require the transfer of data to RM Education Limited’s wholly-owned subsidiary, RMESI, which operates outside the European Economic Area(EEA). India has not been approved by the European Commission as having adequate protections in place for the purpose of the transfer of personal data. You agree that RM will be permitted to transfer your data to RMESI provided that RM shall have entered into an agreement with RMESI based upon standard contractual clauses approved by the European Commission for transfers of personal data to processors outside of the EEA and which agreement shall include security obligations on RMESI.

    RM has a central database which all RM Group companies can access. It is possible that some personal data (such as the name on an invoice, or a contact at a school) will be visible by all RM Group companies.

    3.5 Sharing with Third Parties

    RM may share your data with trusted third parties using one of the following lawful bases:

    • Consent: where you have provided consent for your data to be shared.

    • Legitimate Interests: where sharing the data is in RM’s legitimate business interests and not outbalanced by the need to protect your individual rights.

    • Contract: where sharing your data is required for the performance of a contract.

    • Legal obligation: where sharing your data is required in order to comply with law.

    Where data is shared to fulfil our contractual obligations, and RM is acting as a data processor, enquiries as to the scope and nature of such data sharing should be raised, in the first instance, with the data controller, e.g. school, awarding body, etc.

    We may share your data with trusted third parties for the following reasons:

    • We may share your data with third parties directly involved in the provision of RM products and services where you have requested those RM products and services, e.g. delivery companies.

    • We may share your data with third parties indirectly involved in the provision of RM products and services, e.g. service providers for our websites and email providers.

    • We may share your data with third parties that help us to improve the quality of the products and services that we provide. The lawful basis for such data sharing will either be your consent or our legitimate interests, depending on the purpose and nature of processing involved. Such third parties may include:

      • Survey providers

      • Data analytics and matching providers

      • Market research organisations

      • Event registration providers

      and your data will be processed in accordance with their privacy policy or the terms of RM’s agreement with these third parties. However, data sharing of this kind may be excluded in some contracts where RM is acting as a data processor

    • We may share your data with third parties such as law enforcement authorities, either on the basis of legitimate interests or because we have a legal obligation to do so.

    Where you have provided explicit consent, or have not opted out of receiving such communications, we may share your data with third parties in order that you can be contacted to complete surveys, so we can study how our customers use our products and services and improve our offering accordingly. You are not obliged to complete any survey sent to you and may request that past reviews be deleted.

    Where you have provided explicit consent to receive marketing communications, we may also share your data with third parties involved in the delivery of such communications. (See also “3.6 Social Media” below.)

    RM will never sell your data to third parties.

    Other than when we are sharing your data in order to comply with our legal obligations, all third parties processing your data on our behalf are subject to the following conditions:

    • A contract, and relevant data processing agreement, will be in place

    • Data must only be processed for specific purposes and in accordance with RM’s instructions.

    • Appropriate security measures must be in place to protect your data

    • Data provided or accessed will be minimised, and where appropriate, pseudonymised

    • The data must not be used for the third party’s own purposes

    • Data must be deleted when it is no longer required or at the end of the contract

    • Where you request this, we will ask third parties to delete your data from their systems

    When your data is transferred to a third party located outside of the European Economic Area (EEA), we will enter into an agreement based upon standard contractual clauses approved by the European Commission for 14transfers of personal data to processors outside of the EEA and this agreement shall include security obligations on the third party.

    A list of all sub-processors used is available upon request.

    3.6 Social Media

    RM uses social media to provide customers and potential customers with news about products, services, competitions and events. You can follow RM on social media platforms, but how your data is processed will be subject to the terms and conditions, including the privacy policy, of these platforms.

    On some of our websites when we ask for your consent for direct marketing, we may also ask for your consent to share your details with social media platforms so that they can provide you with targeted marketing. If you give us your consent, but then at a later date wish to stop receiving targeted marketing from RM in this way, you can either opt out directly by telling us or by changing your marketing preferences on the platform.

    However, you may also receive targeted advertising on social media platforms based on your browsing history, whether or not you follow us. RM has no control over the marketing you receive in this way, and you should manage your marketing preferences within the platform if you wish to change the marketing you receive.

    If we have sought, and you have given us, your consent, we may also share your anonymised data with social media platforms for the purpose of identifying other potential customers(“lookalikes”) who have a similar online profile to you.

  4. DISCLOSURE OF YOUR INFORMATION

    Sharing your personal information

    When you share your data with us, you agree that we have the right to share your personal information with:

    • Any member of the RM Group, which means our subsidiaries, our ultimate holding company and its subsidiaries, as defined in section 1159 of the UK Companies Act 2006;

    • Selected third parties including:

      • business partners, suppliers and sub-contractors for the performance of any contract we enter into with them or you;

      • advertisers and advertising networks that require the data to select and serve relevant adverts to you and others provided we have a lawful basis to do so;

      • analytics and search engine providers that assist us in the improvement and optimisation of our websites; and

      • credit reference agencies for the purpose of assessing your credit score where this is a condition of us entering into a contract with you.

    Disclosure to third parties

    We will disclose your personal information to third parties:

    • In the event that we sell or buy any business or assets, in which case we will disclose your personal data to the prospective seller or buyer of such business or assets;

    • If any RM Group company or substantially all of its assets are acquired by a third party, in which case personal data held by it about its customers will be one of the transferred assets;

    • If we are under a duty to disclose or share your personal data in order to comply with any legal obligation, or in order to enforce or apply our terms of use or terms and conditions of supply and other agreements; or to protect the rights, property, or safety of any of our RM Group companies, our customers, or others. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction.

  5. WHERE WE STORE YOUR PERSONAL DATA

    The data that we collect from you maybe transferred to, and stored at:

    • Third party cloud-hosted environments, e.g. Microsoft Azure, using servers that reside only in EEA.

    • Third party data centres, using servers that reside only in the UK.

    • A destination outside the European Economic Area (”EEA).Your personal data may be processed by RM staff operating outside the European Economic Area ("EEA") who work for us (employed by our wholly-owned subsidiary, RM Education Solutions India Pvt)or for one of our suppliers. Such staff maybe engaged in, among other things, the fulfilment of your order, the processing of your payment details and the provision of support services. By submitting your personal data, you agree to this transfer, storing or processing. We will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this Privacy Policy.

  6. HOW YOUR DATA IS PROTECTED

    Security

    RM uses a range of security measures in order to protect Personal data, managed through a Group Information Security Framework, based on ISO 27001, the international standard for information security management. In addition, a number of business units, including RM Education Solutions India Pvt, are certified to ISO 27001:2013.Further details are available upon request to the Data Protection Officer (details below).

    A wide range of technical controls are used, including but not limited to:

    • Data encryption

    • Anti-virus and anti-malware software

    • Access management

    • Vulnerability scanning and penetration testing

    A wide range of non-technical controls are used, including but not limited to:

    • Physical security controls at RM offices

    • Security policies, including Data Classification & Handling, Data Protection, etc.

    • Security training

    The implementation of such controls may vary between specific products and services.

    Security: websites

    All websites have security measures in place to protect the loss, misuse and alteration of the information under our control. Where necessary RM will inform law enforcement agencies or other relevant organisations regarding misconduct.

    All information you provide to us is stored on our secure servers. Any payment transactions will be encrypted and utilise technologies to ensure PCI DSS compliance. Where we have given you (or where you have chosen) a password which enables you to access certain parts of our websites, you are responsible for keeping this password confidential. We ask you not to share a password with anyone.

    Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our websites; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.

  7. HOW LONG YOUR DATA IS KEPT

    RM has established a data retention framework based on statutory and non-statutory guidance. The framework applies to both digital and non-digital data. In regard to the retention of personal data of individuals who are neither employees nor former employees, data retention schedules will be applied in accordance with the following:

    • Contracts

    • Product-specific and service-specific data retention schedules

    Data retention schedules will be documented and will be communicated, either through terms and conditions of the relevant product and / or service, or upon request.

  8. YOUR DATA PROTECTION RIGHTS

    Individuals’ Rights

    In accordance with data protection legislation, RM recognises that data subjects have specific rights that must be protected and observed.

    Right to be informed

    RM provides employees, customers and other third parties with information about how personal data is collected, processed and managed. RM seeks to provide this information in language that is clear, concise and intelligible. This information is intended to be easily accessible for internal and external users.

    Right of access

    RM provides data subjects with access to the personal data that it manages as a data controller. A Subject Access Request (SAR) process has been defined (see paragraph 8 below) and communicated. Data subjects for whom RM is not the data controller but may process their personal data, should –in the first instance –contact the data controller directly when requesting such access.

    Right to rectification

    RM recognises the right of individuals to have inaccurate or incomplete data to be amended. Data subjects for whom RM is not the data controller, should –in the first instance –contact the data controller when making a data rectification request.

    Right to erasure

    RM recognises the right of individuals to request for their data to be deleted or removed where there is no compelling reason for its continued processing. RM will, in all cases, follow the ICO’s guidance on how and when such a request should be observed.

    RM maintains a data retention schedule so that personal data is not retained for longer than is necessary with regard to the purpose for which the data was original collected. However, some personal data may be required to be retained in order to observe other legal or regulatory obligations. In addition, in line with the ICO’s guidance on the constraints that existing when deleting data retained in digital back-ups, RM will seek to place such back-ups beyond effective use.

    Right to data portability

    Where the right of portability applies, as defined by the ICO, RM will provide data in a form that is structured, commonly used and in a machine-readable form. In most cases, this will be the CSV format.

    Right to object

    RM recognises the right of individuals to object to the processing of their personal data, where such objections are allowable under data protection legislation.

    Rights related to automated decision making including profiling

    RM does not use automated decision making where such decisions have a significant effect on data subjects.

    Withdrawing consent

    You have the right to ask us not to process your personal data for marketing purposes. We will usually inform you (before collecting your data) if we intend to use your data for such purposes or if we intend to disclose your information to any third party for such purposes. You can exercise your right to prevent such processing by not checking certain boxes on the forms we use to collect your data. You can also exercise the right at any time by contacting us using the details set out in paragraph 10 below.

    In “My Account”, there is a privacy dashboard. If you register, you will get an RM account. That will give you access to an area to show your preferences for communication.

    Each time you receive electronic marketing information from us, you have the option to decline to receive further marketing information from us.

    To stop receiving email communications from RM in the future, you can:

    • click on the opt-out link in the email and follow the instructions; or

    • reply to the email with “UNSUBSCRIBE” in the subject line; or

    • for RM Education Limited customers only, visit rm.com/unsubscribe and provide your email address.

    If you change your preferences, we will endeavour to ensure our systems reflect this within one (1) week of receiving your alteration.

    Please note that if you terminate your RM account, but have also subscribed to newsletters, for example, you must additionally unsubscribe from these in order to cease receiving communication. This also applies to any third parties you have agreed we can share your information with.

    To prevent you receiving such communications from RM in the future, you can send a letter clearly identifying yourself and asking that we remove you from our contact lists. Contact details are set out in paragraph 10 below.

    Third party websites

    Our websites may, from time to time, contain links to and from the websites of our partner networks, advertisers and affiliates. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for these policies. Please check these policies before you submit any personal data to these websites.

    Right of complaint to the ICO

    Should you have a concern about RM’s information rights practices, please report it to us for investigation. If, following our internal review, you are not satisfied, you can report the matter to the Information Commissioner’s Office.

  9. SUBJECT ACCESS REQUESTS

    The Data Protection Legislation gives you the right to access information held about you. Your right of access can be exercised in accordance with such legislation.

    Upon receipt of a written request to our Data Protection Officer (see paragraph 11below for contact details),and upon validation of the requestor’s identity, RM will within one(1) month:

    • confirm whether any of your personal data is being processed;

    • provide a description of the personal data, the reasons it is being processed and whether it is given to any other organisations; and

    • if it is not disproportionate to do so, provide copies of the information comprising the data.

    If the request is particularly complex or numerous, RM may extend the period for repose by up to two (2) months.

    If the request is manifestly unfounded or excessive, RM may charge a fee or refuse to respond.

    If disclosing the personal data will adversely affect the rights and freedoms of others, RM may withhold such personal data. This may extend to intellectual property and trade secrets.

  10. CHANGES TO OUR PRIVACY POLICY

    Any changes we make to the Privacy Policy in the future will be posted on each website. Please check back frequently to see any updates or changes to this Privacy Policy.

  11. CONTACT

    If you have any questions or comments about this Privacy Policy, please contact our Data Protection Officer:

    RM Data Protection Officer
    142B Park Drive
    Milton Park Abingdon, Oxfordshire
    OX14 4SE
    United Kingdom

    Telephone: +44 (0) 8450 700300
    Fax: +44 (0) 8450 700400
    Email: dataprotection@rm.com

  12. EU REPRESENTATIVE

    As RM processes personal data of EU nationals, and in compliance with the UK GDPR Article 27, we have appointed Willans Data Protection Services as our representative in the EU. They can be contacted as follows:

    Address: Willans Data Protection Limited, 2 Pembroke House, 28-32 Upper Pembroke Street, Dublin, Ireland D02 EK84.

    Email: https://www.willansdataprotectionservices.com/make-a-data-request/

    Telephone: 00 353 1 447 0402

  13. RM CAREERS PRIVACY STATEMENT

    RM publishes a separate Privacy Policy for job candidates.

    The policy is available here: https://careers.rm.com/careers-home

back to top button


Back to top

Registered office: 142B Park Drive, Milton Park, Milton, Abingdon, Oxfordshire, OX14 4SE

Registered in England and Wales No 1749877

Tel: +44 (0)1235 645 316

Investor relations

Regulatory announcements

Financial reports

Shareholder services

Corporate governance

Board of Directors

RM plc share price

Group contact details

RM Plc Fact sheet

Group websites

RM Technology

RM Assessment

TTS UK

TTS International

RM India

Careers

Policy

RM and cookies

Privacy

GDPR

Tax strategy

Modern slavery statement

Code of conduct

Equality, diversity and inclusion

Environmental policy

Group carbon reduction plan

Health and safety statement of intent

© RM 1997 - 2024