EOLAS holds a small amount of information about each child so teachers can see how they're learning and what to do next. We treat that responsibility as a first-order requirement. Here, in plain English, is what we hold, where it lives, who can see it, and the rights you have.
The General Data Protection Regulation (GDPR) came into force on 25 May 2018. It sets out how schools โ and the systems they use โ must handle personal data. In short:
Under data protection law your school is the Data Controller โ it decides what goes into EOLAS. EOLAS is the Data Processor: we only ever handle the data on your school's instructions, and only to provide the service. Here is how that works in practice.
Your school is the Data Controller and decides what is held. EOLAS only processes that data on the school's instructions โ never for its own purposes.
All data is hosted within the European Economic Area โ that is, in the EU. It never leaves the EEA.
A child's name, date of birth, class, enrolment and assessment results โ and nothing more. No health, family or other special-category data is ever collected or stored.
Access is restricted by role, so each staff member sees only the pupils and information their role requires.
Every connection is encrypted in transit (HTTPS/TLS), regular tested backups are kept, and administrative access is limited to authorised EOLAS personnel.
Staff are automatically signed out after a period of inactivity โ protecting your child's data on the shared devices schools often use.
Access, correction and erasure. Because your school is the Controller, you exercise these rights through the school โ and EOLAS helps the school respond.
Schools set a retention period. When a pupil leaves or a school stops using EOLAS, the data can be exported and is then securely deleted.
In the unlikely event of a data breach, EOLAS notifies your school without undue delay, so it can meet its duty to inform the Data Protection Commission within 72 hours.
Only authorised staff at your school, and only the information their role requires โ a class teacher sees their own class, for example. EOLAS's own access is limited to authorised personnel for support and maintenance.
No. EOLAS never sells personal data and never uses it for advertising or for any purpose other than providing the assessment service to your school.
Within the European Economic Area โ in the EU. It does not leave the EEA.
No. EOLAS does not request, import or store special-category data such as health or family information. It holds only what is needed to run the assessments.
Contact your school. As the Data Controller, your school can access, correct or delete the information, and EOLAS will assist it in responding to your request.
It is encrypted in transit, access is restricted by staff role, staff are automatically signed out after inactivity, and regular, tested backups are maintained.
The complete legal terms, including our Article 28 Data Processing Agreement, are available on our Terms & Data Processing Agreement page. This page is a plain-English summary for parents and is not legal advice; a school with specific questions should consult its own data protection advisor.