Privacy and Data Protection


The GDPR requires that all people are informed of the legal basis for collecting and using personal information, and that it is done in plain language. When using this system, the data is processed on behalf of Thurrock District Council by Creative Learning Systems Ltd (CLS). 

The following describes what we do when we collect and process your data.

  1. We collect a range of personal data from you, including your name and email address, as well as your computer's IP address because without it we cannot operate this system and provide personalised online learning, or create .meaningful reports on your progress and achievements if we do not know who you are.
  2. There is a legitimate interest to collect and use your data for this system because the system requires your data for it to work. We do not ask for your consent to use your data to run this system unless we are wanting to send out a marketing mail or similar.
  3. If we do want to use your data in ways not covered by this statement we will ask for your consent to do so before we do anything.
  4. If there are changes to this policy that also fall under 'legitimate interest' then we will inform you as you log in to the system to let you know.
  5. We do not collect or use any data that is not required.
  6. We do not keep your data for longer than needed in order to fulfil our contractual obligations and commitments. Your organisation will have agreed a data retention policy with us, and we will adhere to that policy.
  7. We do not pass your data to anyone who is not directly employed or engaged as a sub contractor for the purpose of running and maintaining this site, unless we are obliged to do so as part of our legal responsibilities.
  8. You can review the data that we process by visiting your profile page in the system You can change your personal data at any time by requesting that it gets changed, if you cannot change it yourself.
  9. You have rights about how and when your data can be used, these are detailed below. Not all of them will apply in all circumstances.
  10. You can raise an objection at any time about how we use your data.

1. Background

This online learning system is for the use of employees and other persons at the organisation relevant to this site.  Each person needs a unique account when using the system so that it is possible to provide relevant content and a personalised experience for online training and development.  To be effective, each account must contain details that are personal, such as a name or email address. these will have been provided to us by the organisation, or you will have filled in a form to provide those details. You cannot access the content of the site without having done so, and the site cannot operate effectively without having unique accounts per user.

This privacy notice lets you know what happens to any personal data that you have given, or any that we have collected from or about you. It applies to all instances where we collect your personal data.

This privacy notice applies to all personal information processed on behalf of your organisation by Creative Learning Systems Ltd. Our address is Creative Learning Systems, Moulsham Mill, Parkway, Chelmsford Essex CM2 7PX

2. Changes to this privacy notice

We may change this privacy notice from time to time by updating this page in order to reflect changes in the law and/or our privacy practices. We encourage you to check this privacy notice for changes whenever you visit this website.

3. Who are we?

We are the Data Processor for Thurrock District Council. Our job is to use your data to make sure that the site works for you as you expect, and that reports and details about your progress are available to your managers. We are based at Moulsham Mill, Parkway, Chelmsford Essex CM2 7PX.

4. What kinds of personal information about you do we process?

Personal information that we’ll process in connection with our systems, if relevant, includes:

  • Personal and contact details, such as your name and contact details, including your email address;
  • Records of your support queries such as via the ticket based help desk and will include your computer's IP address at the time you contact us;
  • Products that you have selected within the library/shop, and the associated payment made, if any;
  • The usage of the products (and details related to this, such as your score or achievements).

5. What is the source of your personal information?

We’ll collect personal information from the following general sources:

  • From registration forms on the web site, or, if this system is used by your employer and we are acting as their data processor, we may have been given your data by them in order to create your account so that you can access the website and the elearning in it.
  • Information generated about you when you use the products and services, such as your achievements, progress within a course or your date and time of accessing our systems.
  • From log files on the server which record activities by IP address, or record email addresses of each email that gets sent out.

6. What do we use your personal data for?

We use your personal data, including any of the personal data listed in section 1 above, for the following purposes:

  • To run the online system and provide the different aspects that it offers you, such as finding your courses, or seeing how well you are doing;
  • To perform and/or test the performance of, our products, services and internal processes;
  • To improve the operation of our online learning system;
  • To follow guidance and best practice under the change to rules of governmental and regulatory bodies;
  • To monitor and to keep records of our communications with you and our staff (see below);
  • To provide personalised content and services to you, such as relevant products suited to your job role or as a result of having passed or completed a piece of online learning;
  • To develop new products and services and to review and improve current products and services;
  • To comply with legal and regulatory obligations, requirements and guidance;
  • To provide insight and analysis of our users helping us improve our systems, or to assess or improve the operating of our businesses.

7. What are the legal grounds for our processing of your personal information?

We rely on the following legal bases to use your personal data for:

  • the online learning platform (CLMS), or any other system we may be managing as part of your overall solution, such as the Composica online content authoring system.
  • Managing products and services you hold with us, or an application for one
  • Updating your records
  • All stages and activities relevant to managing the product or service including searching, application for a course, enrolling in a course, administration and management of course records
Where it is in our legitimate interests to do so, such as:
  • Managing your products and services relating to that, updating your records, producing reports and emailing responses and course related communications
  • To perform and/or test the performance of, our products, services and internal processes
  • To follow guidance and recommended best practice of government and regulatory bodies
  • For management and audit of our business operations
  • To carry out monitoring and to keep records of our communications with you and our staff (see below)
  • Where we need to share your personal information with people or organisations in order to run our business or comply with any legal and/or regulatory obligations
  • To comply with our legal obligations

Only with your consent or explicit consent:

  • For any direct marketing communications that are not directly related to your products and services, progress or achievements within the online courses, or any communications related directly to your learning and development within the system.

8. When do we share your personal information with other organisations?

We may share information with the following third parties for the purposes listed above:

  • back up and server hosting providers, IT software and maintenance providers, document storage providers if relevant and suppliers of other back office functions that enable us to continue to provide the services;
  • when there is a request from a legitimate law enforcement agency, or it would breach our legal obligations to not do so.

9. How and when can you withdraw your consent?

Where we’re relying upon your consent to process personal data (such as any marketing email), you can withdraw this at any time by contacting us using the details below.

10. Is your personal information transferred outside the UK or the EEA?

As the data processor for your organisation, we make sure that our servers and hosting provider are also within the UK.  We do not transfer your personal data to any organisation or individual outside of the UK for any reason. 

However, the nature of the internet means that during your normal operation of the system we cannot guarantee that information doesn’t get automatically routed outside of the UK or European Economic Area as part of the process of you navigating or using the site. That will depend on the global internet infrastructure, over which we have no control. 

11. What should you do if your personal information changes?

You should check your details on your profile page and tell us if anything has changed so that we can update our records.  You may use the helpdesk to do this or, if you have an administrator for your organisation’s use of this system, you should alert them. They, or we, will update your records if we can.

12. Do you have to provide your personal information to us?

We’re unable to provide you with our products or services if you do not provide certain information to us. In cases where providing some personal information is optional, we’ll make this clear. 

13. What about 'Cookies' and 'Log Files'?

Cookies: A 'cookie' is a text file that is sent to your computer when you open a web page. It can be used for many things but we use just two that are essential to your use of this system. Both of the cookies we send you help us to identify you when you log in so that you see the pages and content that you are allowed to see. There is nothing in the cookie that identifies you as such, but it is associated with your IP address so we know that it comes from a particular place and we can authenticate your account. It will contain just a string of characters which helps us confirm that we are sending the right content to the right places.

Cookies are deleted when you log out of the system, unless the Data Controller has implemented any analytics or tracking tools, or added in any social media features, such as their 'Twitter' feed.

Log Files: Log files are automatically created by the web server whenever there is an event such as someone requesting a web page or if there is an error when a web page is served. Each time a person visits a new page or clicks a link the log file will record that as an event. Additionally, log files are created whenever an email is sent from the server and will record whether it was sent successfully.

Log files therefore do contain some personal data. In the case of a mail log, it will record the email address for outgoing mail. In an access or error log it will contain an IP address. We keep log files for a maximum of one month after which they are deleted.

14. Do we do any monitoring involving processing of your personal information?

In this section monitoring means any: listening to, recording of, viewing of, intercepting of, or taking and keeping records (as the case may be) of calls, email, text messages, social media messages, in person (face to face) meetings and other communications.

We may monitor where permitted by law and we’ll do this where the law requires it, or to comply with regulatory rules, to prevent or detect crime, in the interests of protecting the security of our systems and for quality control and staff training purposes. This information may be shared for the purposes described above.

15. For how long is your personal information retained by us?

Unless we explain otherwise to you, we’ll hold your personal information based on the following criteria:

  • For as long as we have reasonable business needs, such as managing your account and access to the system
  • For as long as we provide goods and/or services to you and then for as long as someone could bring a claim against us; and/or
  • For as long as your organisation requires it to be retained so that you (or they) can continue to use the site and operate their policies and procedures relating to data retention.
  • For as long as is necessary to keep in line with legal and regulatory requirements or guidance.

In general, we have got to retain your data for as long as you have an account in the system, and for as long as the Data Controller asks us to after that so that they can comply with their employment policies. In general, we won't keep your data for more than 12 months after you leave the system, but we will stop processing it as soon as we are notified that you have left. 

This means that any emails or other communications that would normally get sent out to you will cease, that you will not be able to log in and, whilst your scores and results may still be visible to the administrators, your personal data will not be visible in the system at all.

After the specified time that the Data Controller sets has elapsed we will securely delete all reference to you on our system.

16. What are your rights under data protection laws?

Here is a list of the rights that all individuals have under data protection laws. They don’t apply in all circumstances. If you wish to use any of them, we’ll explain at that time if they are engaged or not. The right of data portability is only relevant from May 2018.

  • The right to be informed about the processing of your personal information
  • The right to have your personal information corrected if it is inaccurate and to have incomplete personal information completed
  • The right to object to processing of your personal information
  • The right to restrict processing of your personal information
  • The right to have your personal information erased (the “right to be forgotten”)
  • The right to request access to your personal information and to obtain information about how we process it
  • The right to move, copy or transfer your personal information (“data portability”)
  • Rights in relation to automated decision making which has a legal effect or otherwise significantly affects you

You have the right to complain to the Information Commissioner’s Office which enforces data protection laws: You can contact us using the details below.

17. Your right to object

You have the right to object to certain purposes for processing, in particular to data processed for direct marketing purposes and to data processed for certain reasons based on our legitimate interests. You can contact us by going to the Helpdesk, or the Contact Us section of our website to exercise these rights.

18. Contact Us

If you have any questions about this privacy notice, or if you wish to exercise your rights, you should contact your organisation's learning and development, or admin team. They will then contact us as the data processor concerned. 

Last modified: Thursday, 17 May 2018, 1:40 PM