GDPR – How does Talis process personal data?

This document explains how we (Talis Education Ltd) process personal data in connection with our relationship with our customers and in relation to our customers’ use of our products.

In the processing of personal data, we may be acting as a data controller or data processor, depending on the circumstances.  In connection with the use of our products by our customers, we will normally act as a data processor, with the customer being the data controller in relation to any personal data that the product processes in the course of its use by the customer.

This document provides a brief description of how we process personal data relating to our customers and their users, and explains when we are acting as a data controller and when we are acting as a data processor.

When do we act as a data processor?

We will be acting as a data processor where we process personal data in the following circumstances:

  • Our products store, manage and collect personal data about users (students, customer staff or academics) in order to operate key functions.  For example, in relation to user profile pages and associated functionality, user reports, personalisation features, and displaying user information in administrative workflows. This data may also be used to support the collection of user analytics relevant to reports usable by the customer as part of the products’ features.
  • Where we are engaged by customers to perform consultancy, or as part of the roll out or deployment of our products, to create bespoke reports or features based on user data stored in our products or to amend, import or export such user data.
  • In the course of the provision of beta or pilot functionality for new products or services that are being developed or considered for implemented by the customer.
  • In order to help us operate, support and troubleshoot the system. For example, information may be captured in log files.
  • In making backups of the data required to support application functions.

What personal data are processed by us as a data processor?

The following personal data attributes are processed in this way:

  • Name
  • Email address
  • Job title (if applicable)
  • Persistent ID issued at sign in time by the institution
  • Talis user IDs
  • IP address

How long do we hold personal data when we are acting as a data processor?

Personal data processed in this way is held for as long as the customer contracts with us (unless earlier deletion occurs because retention of the personal data is no longer necessary to support the provision of the relevant services by us), or in the case of pilot or beta features which are discontinued, consulting or roll out assignments as long as those projects remain active.  In particular:

  • Log file data is kept for 90 days and then deleted.
  • Backup data is kept for 90 days and then deleted.

 

When do we act as a data controller?

We will be acting as a data controller where we process personal data in the following circumstances:

  • We collect and store data from customer staff involved in the roll out and deployment of our products at their institution and the on-going management of the institution’s relationship with us, including requesting customer support or consulting services. This is used to communicate with the customer during activities, as well as allowing the customer to provide ongoing feedback on and obtain information about our products.
  • Where we provide direct end-user support via in-application communication between Talis and the customer’s end-users. This is not applicable to all customers.
  • Some consulting engagements may involve us acting as a data controller (other than merely in respect of data concerning customer staff involved in the engagement). This will depend on the requirement and where we consider this could be the case, the status will be clarified with customers at the point of engagement.
  • We provide regular information updates about our products and services to customers, including for marketing purposes.

What personal data are processed by us when acting as data controller?

The following personal data are processed in this way:

  • Name
  • Email address
  • Work address (if relevant)
  • Job title (if applicable)
  • Role in the application
  • Persistent ID issued at sign in time by the institution
  • Talis user IDs
  • IP address

How long do we hold personal data when we are acting as a data controller?

Data is kept for as long as is required in order to provide the relevant services or support or otherwise as necessary for our legitimate interests in connection with our relationship with the customer.

Who has access to personal data processed by us?

The Talis engineering and customer services teams have access to this data, together with any sub-contractors or sub-processors who we use to provide services in support of our provision of our products to our customers (see list below).

Where is personal data processed by us?

Data directly processed by us is managed within ISO27001 certified data centres situated within the EU.

Who are our third party sub-contractors and/or sub-processors?

Third party contractors to us (who are managed by us) may have access to this data to the extent necessary to enable them to provide the relevant services to us.  Current relevant third party service providers include:

  • Amazon Web Services (AWS)
  • New Relic
  • PagerDuty
  • Zendesk
  • Intercom
  • Google G-Suite
  • User Voice
  • Google Analytics
  • Basecamp
  • Vitalsource (only for users where customers are piloting the Talis Textbook service)

How do you contact us if you have any questions?

Our details are:

By post: Talis Education Ltd, 48 Frederick Street, Birmingham, B1 3HN

Email: data.protection@talis.com