The National Foundation for Educational Research (NFER) is committed to safeguarding the privacy of all research participants, customers and others whose data we process in the course of our work.
NFER is registered with the Information Commissioner’s Office for its data processing activities (NFER Z6183035 and NFER Trading – Z8400098). We also work to a strict Code of Practice and Data Security Policy (available on request) and ensure all research is undertaken with the highest possible levels of integrity, as detailed in our research integrity statement. All staff are required to adhere to these policies as part of our terms and conditions of employment.
This page sums up NFER’s approach to data protection; it outlines, in broad terms, how we collect, store, use, share and dispose of personal information. It sets out how you may access and seek correction of your personal information or complain about a misuse of your personal information. We provide activity specific privacy notices for our research projects with primary data collections (under the heading Participate in our Research on the website), sale and use of our educational resources and for stakeholder communications. If you have any queries about our processing of personal data, please contact our Compliance Officer (firstname.lastname@example.org).
NFER complies with the six principles of the General Data Protection Regulation. Personal data is:
- processed fairly, lawfully and transparently (a legal basis for processing activities has been chosen and communicated alongside all other relevant information in a privacy notice which is made available to data subjects)
- only used for the specified, clearly explained purpose it was collected for
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
- kept accurate and up-to-date
- only kept for as long as it is needed (usually until a project or activity is complete) and is then removed and securely deleted
- processed in a manner that ensures appropriate security of the personal data; it is stored in secure systems and only transferred by secure means.
We are also responsible for complying with and demonstrating this compliance with data protection legislation. This accountability takes the form of adopting and implementing data protection policies, taking a data protection by design and default approach, having written contracts with organisations that process personal data on our behalf, documenting the data we hold, carrying out data protection impact assessments, and having an individual (the Head of Data Security) who carries out the tasks of a Data Protection Officer (DPO).
What kinds of personal information do we collect and how?
We collect personal data for the following purposes:
- NFER’s research, assessment and evaluation projects around the world
- Data about teachers or pupils or other respondents
- Survey responses via online or paper surveys
- Interviews and case studies
- Third party data from other sources (such as National Pupil Database)
- Data on teachers who have agreed to be part of special panels or other groups
- NFER’s range of products and services for schools
- Customer contact information and order details to fulfil products and services
- Data on individuals who receive our marketing and information communications (see the stakeholder communications privacy notice)
- Data on individuals as part of their use of a product or service
- NFER’s business operations
- Staff and temporary staff (including associates, markers, test administrators and volunteers) data
What do we do with personal data?
NFER ensures that it protects data that is has collected or received from a third person. We only use it for the purpose for which it was collected and store it in appropriately secure systems. We only keep data for as long as it is needed (usually until the specific project is complete), and then it is securely disposed of.
We do not sell any personal data collected during to the course of our work to third parties. If personal data is being shared with a third party, then this activity will be covered in an activity specific privacy notice.
No data is transferred outside of the European Economic Area (EEA) unless appropriate safeguards are in place.
We do not use personal data to take automated decisions. If this situation changes, details will be made available.
How do we ensure individual’s data rights are met?
NFER handles your personal data in accordance with the rights given to individuals under data protection legislation. We make available specific privacy notices for each project or activity that we undertake. If at any time you wish us to withdraw your data or correct errors in it, please contact us. In certain circumstances, data subjects have the right to restrict or object processing. They also have the right to see information held about them. If you want to make a request for access to data or to have other data rights observed, please contact our Compliance Officer (email@example.com). We will also cooperate fully when a subject access request is made of any data controller we are working with.
If you have a concern about the way NFER processes personal data, we request that you raise your concern with us in the first instance (see the details above). If you remain dissatisfied, you can contact the Information Commissioner’s Office, the body responsible for enforcing data protection legislation in the UK, at www.ico.org.uk.
There are a number of large datasets in the education sector and the labour market (including but not limited to the National Pupil Database, the School Workforce Census, and the Longitudinal Education Outcomes) which contain a rich set of information that we can use to answer important policy and practice questions.
NFER applies for extracts of these to support its research activities. Such extracts will contain personal data such as educational attainment, background characteristics and employment outcomes (salaries and benefit dependency for example) but will not contain direct identifiers. It is considered pseudonymised or de-identified (depending on how much personal data has been eliminated or transformed). In this situation, we will not have data subjects names or contacts and will not be possible to provide them with an activity specific privacy notice.
When NFER is the data controller for such secondary analysis, our legal basis for processing general personal data is legitimate interests (UK GDPR Article 6 (1) (f). We have carried out legitimate interest assessment which demonstrates that the processing fulfils one of NFER’s core business purpose (undertaking research, evaluation and information activities). It has broader societal benefits as the output of the research will contribute to a strong evidence base and help to improve the lives of learners. The evaluation cannot be done without processing personal data but processing does not override the data subject’s interests.
If any special category data is processed as part of the second analysis, our legal basis is UK GDPR Article 9 (2) (j) which states ‘that processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on domestic law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject’.
Access to such datasets is strictly controlled and their owners have put in place appropriate technical and organisational measures to maintain its security.
Visiting the NFER website
When you visit NFER site, we may store or retrieve information on your browser; generally in small text files known as ‘cookies.’ This information might be about you, your preferences or your device and is mostly used to make our site work as you expect it to. The information does not usually directly identify you, but it can give you a more personalized web experience.
From time to time, we will offer visitors to the website the opportunity to be notified about the publication of reports or opportunities to participate in research studies. Any personal data collected to do this will only be used for this purpose; it will not be used for any other marketing activities, shared with third parties and will be deleted once notification has been sent. Full details are in our marketing activity privacy notice.
Social media interactions
We use a number of third party services, for example Vuelio and Twitter’s Analytics software, to monitor social media interactions. This helps us to respond to your comments and feedback, understand how NFER is perceived outside of the organisation and gain additional insight into how to share our research outputs to ever larger audiences. Although these tools collect personal data (your name and username), we do not use this information. We only analysis and report on the volume of interactions (comments, likes, re-tweets etc.). For further details, see our marketing activity privacy notice.
How do we keep school data up to date?
NFER holds a database of all schools in the United Kingdom, we use this database to
- select groups of schools to invite to take part in research or test development exercises
- inform schools about the range of services products and resources that NFER offers which may be useful to schools.
- share the outcomes and results of research that the NFER has carried out.
We keep the database up to date through the use of national datasets and through the ongoing communication we have with schools. It will also be updated:
- through matching to Government schools data sources and other available school data sources
- through the use of enquiry and registration forms on NFER-managed websites
- when schools purchase any of our products or services through our online booking system.
- when schools voluntarily provide of details to us either online or offline, for example attending an event.
We endeavour to update data on schools within a week of notification of a change; if you notice that our data is out of date at any point, please let us know by emailing firstname.lastname@example.org
NFER staff and the data protection and security
NFER visits schools and other settings to undertake research or test development projects. All staff working directly with children, young people or vulnerable adults will have a current Enhanced Disclosure and Barring Service Check (DBS). DBS checks are updated at least every three years.
Any visitors from NFER will have previously contacted you personally before visiting and will have an ID badge.
From time to time, we will update the information in this statement so we recommend that you revisit this information from time to time. It was last updated in July 2021.