The MathemaTIC team considers data security to be our top priority and we are committed to maintaining the highest standards in accordance with established best practices and legal requirements. We strive to hold your data in a secure manner while helping you attain your educational goals.

For your reference, we have compiled the following information providing you with an overview of our current data policy and answers to frequently asked questions regarding the General Data Protection Regulation (GDPR).

WHAT IS THE GENERAL DATA PROTECTION REGULATION?

The GDPR is a strong move forward in the protection of data across the European Union. Effective May 25 2018, it has replaced the EC Data Protection Directive (EC/95/46), bringing new legal rights for individuals, extending the scope of responsibilities for data controllers and data processors while enhancing the regime for enforcement.

The new regulations in the GDPR enhance the protection of personal data (any information that can identify a person, from names and emails to identification numbers). Personal data of a more sensitive nature (such as ethnicity or sexual orientation) is given even higher protection in the GDPR and requires stronger grounds to collect.

The GDPR applies to any organization that collects personal data from an individual residing in the European Union. This means individual rights are protected no matter where the organization is located. The right of consent has also been strengthened. In order to acquire personal information, consent must be an active process, separate from other processing, involving clear and plain language.

WHAT ARE YOUR RIGHTS UNDER THE GDPR?

In addition to regulating the behavior of organizations, the GDPR also grants new rights for individuals. These rights aim to give individuals more control over their data and how it is processed. The information below should help individuals familiarize themselves with what rights they have under the GDPR:

• The right to be informed: Individuals have the right to know what kind of processing is happening to their data.
• The right to access data: Organizations must be able to, free of charge, confirm that an individual’s data is being held as well as notifying them of the type of data.
• Rectification or correction of inaccuracies: If any personal data is either inaccurate or incomplete, an individual can request this to be fixed.
• Restricting the processing of personal data: If an individual feels the processing of their data is either inaccurate or unlawful, they have the right to stop processing activities.
• Data portability: Individuals have the right to move their data from one organization to another, without any loss of usability.
• Objecting to processing activities: Individuals can object to their personal data being used for scientific or historical research, direct marketing, processing based on official authority, legitimate interests or in the public interest.
• The right not to be subject to automated decision-making: Individuals have the right not to be subject to profiling. Organizations may not analyze an individual’s personal information to predict their economic situation, health, location, or personal preferences.
• Erasing personal data: Individuals have the right to have their data erased if the data was processed unlawfully, if they withdraw consent, or if their data is no longer necessary for the original purpose in which it was collected.

WHAT IS OUR ROLE AS OUTLINED BY THE GDPR?

The GDPR distinguishes two important roles that classify what an organization must to do comply with the regulation. Your ministry of education, academic institution, or organization decides the purpose and method of data processing on MathemaTIC and are therefore considered data controllers. Vretta, as the learning technology partner for MathemaTIC, is considered a data processor since the data is processed on behalf of the data controller, as per its instructions.

HOW IS DATA CURRENTLY BEING MANAGED?

Vretta has implemented rigorous safeguards to protect your data. An encryption configuration necessary to achieve an ‘A’ grade on Qualys SSL Labs Report is maintained. All personal data is kept strictly confidential, meaning only those authorized for access may process it and personal data is processed only as per instructions from the data controller.

Protocols have been established to handle data processing. Just as Vretta guarantees the confidentiality and security of data, you can be assured that at the end of the service any personal data processed will be erased. Additionally, should a data breach occur, Vretta will immediately report the event and its details to the data controller upon its identification

Vretta has a team of highly specialized data personnel responsible to process data and to ensure that it is fully compliant with data protection regulations. Its data team monitors data integrity, accuracy and confidentiality and performs regular security reviews. The team keeps a record of all processing activities. When an inaccuracy is discovered, the data is updated without undue delay.

Vretta’s Data Protection Officer (DPO) keeps Vretta’s management fully updated on data protection responsibilities, risks and issues. The DPO also deals with access requests and approvals of any contracts with third parties that may handle sensitive data. Since large amounts of data is handled on a regular basis, the DPO oversees the compliance with the GDPR.

Vretta's Data Management Framework details the policies concerning the usage, storage, dissemination, and deletion of all data that is collected. If you would like to know more, download the Data Management Framework by clicking the link or the icon below.

HOW DO I REQUEST DATA?

If you would like to request any of your data from MathemaTIC, download the Data Request Form by clicking the link or the icon below, fill in the details, and send the document as an email attachment to dpo@vretta.com.

WHAT DATA CAN MY DATA CONTROLLER VIEW?

A Data Governance Agreement is maintained between your Data Controller (the data department at the Ministry of Education) and Vretta to share data that is requested. Your Data Controller will not have visibility of names of students, teachers, or schools. Here is a snapshot of what they can see when data is sent to them:

The data we share with your Data Controller is created when you use the MathemaTIC app. The data we send includes user identifiers, which are needed to ensure data is accurately associated to the right user across all events on the system. The app creates a unique identifier for each time a user starts a new activity, as well as what time an activity is started and when it ends. The app also tracks how much time is spent in each of the available languages, which makes it easier for the Data Controller to identify languages that need more inclusion. Finally, the score for each activity is available (ranging from 0 to 1), which makes it possible for the data department of your Data Controller to assess student performance.

WHO DO I CONTACT IF I HAVE ANY QUESTIONS?

If you have any questions or concerns, feel free to contact Vretta’s Data Protection Officer at dpo@vretta.com.