How do we ensure data security and compliance with GDPR?
Ensuring data security and GDPR compliance in POGO Progress is a shared responsibility between the platform and your school.
Here’s a full breakdown of how it works, what POGO does, and what your school should do to stay compliant:
1. POGO’s Data Security Responsibilities
POGO Progress (developed by POGO Education Ltd) is designed to meet UK GDPR and Data Protection Act 2018 requirements.
Here’s how POGO typically handles compliance:
Data Storage & Security
- UK/EU Data Hosting: All student and staff data are stored on secure UK-based servers (usually ISO 27001–certified data centres).
- Encryption:
  - Data in transit → encrypted via HTTPS / SSL.
  - Data at rest → encrypted on servers using industry-standard algorithms (AES-256 or equivalent).
- Access Control:
  - Role-based permissions — staff only see what they need to.
  - Audit logs track who accessed or changed data.
- Regular Backups:
  - Automated daily backups and redundancy to prevent data loss.
2. GDPR Principles Applied by POGO
| GDPR Principle | How POGO Applies It |
|---|---|
| Lawfulness, Fairness, Transparency | POGO acts as a Data Processor, processing data under your school’s instructions and providing a Data Processing Agreement (DPA). |
| Purpose Limitation | Data is only used for assessment, tracking, and reporting — not for marketing or external analytics. |
| Data Minimisation | Only essential pupil and staff details are imported from your MIS. |
| Accuracy | Sync with MIS ensures data accuracy and allows corrections when needed. |
| Storage Limitation | Data is retained only for the duration agreed in your DPA or until requested deletion. |
| Integrity & Confidentiality | Encryption, role-based access, and secure login protect against unauthorised access. |
| Accountability | POGO provides audit logs and DPA documentation for compliance evidence. |
3. Your School’s Responsibilities (Data Controller)
Even though POGO is GDPR-compliant, your school is the Data Controller, which means you must also follow best practices:
Best Practices for Schools
- Have a Data Processing Agreement (DPA) with POGO Progress.
  - This defines how pupil data is processed and protected.
- Restrict Access:
  - Use staff roles and permissions carefully.
  - Remove accounts for leavers or staff changes promptly.
- Train Staff:
  - Remind teachers and admins about GDPR basics — especially handling pupil reports or exporting data.
- Monitor Data Syncs:
  - Check MIS integrations to ensure only necessary data is shared.
- Password Security:
  - Require strong passwords and enable two-step verification (if available).
- Export Safely:
  - When exporting reports (PDF, Excel), store them securely and delete old files when no longer needed.
- Respond to Subject Access Requests (SARs):
  - You can export a student’s data from POGO to respond to GDPR requests.
4. Incident Management
POGO follows strict incident response procedures:
- If a data breach is detected, they will notify your school’s Data Protection Officer (DPO) without undue delay.
- Logs and access data help trace and contain breaches.
- You, as the Data Controller, are responsible for notifying the ICO (Information Commissioner’s Office) if required.
Contact & Documentation
For compliance confirmation or documentation:
- Contact help@pogoprogress.co.uk — request their Data Processing Agreement (DPA) or GDPR compliance statement.
🧾 They can also provide:
- Information Security Policy
- Privacy Impact Assessment (PIA)
- Data Retention Policy