What is Smartgrade?

Smartgrade is a secure, cloud-based platform that helps schools and school systems to create, share and analyse more reliable assessments (referred to in this policy as “our services”). The platform is owned and operated by Smartgrade Ltd, a company in the UK

1. Introduction

Privacy and security are at the heart of everything we do at Smartgrade, and our approach incorporates data protection by design and default. This statement explains the key measures we’ve put in place to ensure that a school’s data (including the personal information of students and school personnel) is kept secure and collected, handled and used  appropriately at all times. It also covers our commitments to you  in terms of privacy and data protection.

In this policy, ‘personal information’ has the meaning given by the Privacy Act 1988, and includes any information or opinion about an identified individual (or who can be reasonably identified from the information or opinion).

2. How we collect, use, disclose your personal information

We:

• Collect personal information via the schools to which we provide our services.  The types of information the school will typically provide us with depends on your relationship to the school (for example whether you are a student or teacher) and is set out in more detail in paragraph 8 below. 
• Use  personal information received from schools for the purpose of providing our  services to schools, to improve such services, and for other purposes mentioned in this policy (including in paragraph 8) or as required by law.
• Aim to comply with the Australian Privacy Principles contained in the Privacy Act 1988.
• Only store and process the minimum amount of personal information required to provide our services.
• Transport and store all personal information originating from schools using modern and best practice encryption technologies. This includes Secure Socket Layers (SSL/TLS) for encrypted data transfer over the internet, encryption of all data at rest, password-protected identities for all end users, and variable permissions according to the user's role.
• Respond to all access and correction requests relating to personal information we store within a reasonable period, as required under the Australian Privacy Principles.
• Ensure the personal information We hold about you is correct.
• Only retain personal information for as long as required for our services, subject to legal requirements and our routine back-ups as described in paragraph 6 below
• Ensure that all data is held securely by taking steps so that data is not corrupted or lost.
• Aggregate and analyse anonymised data for the purposes of standardising assessments, to improve the quality of assessments on the platform, to offer benchmarking information to other schools, or to contribute to important assessment research.
• Regularly review and audit our privacy compliance.
• Report any significant breaches of security to the school as the APP entity, and any eligible data breaches to the Office of the Australian Information Commissioner (OAIC).
• Cooperate with the school to notify affected individuals within any timeframe required under the Privacy Act 1988.
• Make this Privacy Policy clearly and publicly available on our website.

We may disclose personal information for purposes relating to our services or educational and administrative purposes, for other purposes that are related and reasonably expected, or with your consent. This may include disclosure to: 

• Government departments (including for policy and funding purposes), assessment and educational authorities;
• Anyone you authorise us or the school to disclose information to;
• The companies listed in section 9 of this Privacy Policy who provide administrative, technology or financial services to us;
• Anyone to whom we are required or authorised to disclose the information by law, including child protection laws, or to exercise a duty of care or defend our legal interests; and 
• Third party providers of the AI systems used by schools. 

We DO NOT:

• Store or transport personal information outside of Australia unless necessary to provide our services and after taking steps required by the Australian Privacy Principles to protect it.
• Share your data with any third parties except where explicitly authorised by you or as permitted or required by law.
• Use Your personal information (that you provide to us via the Smartgrade platform), for the purposes of advertising or marketing, or for any purpose other than the service explicitly provided to You, or purposes contemplated within this policy, that you consent to or as otherwise permitted or required by law.
• Transport personal data originating from schools in an unencrypted format.
• Claim ownership or exclusive rights over any of the data processed or created as part of services provided to You.
• Offer the option of anonymity or pseudonymity due to both the impracticability of providing our assessment and reporting service without identified user records, and because Australian law requires the schools we service to deal with identified individuals for educational purposes.
  

3. Security and Encryption

• All personal information that Smartgrade collects from individuals in Australia,  is stored and transmitted within Australia by default. If any personal information is disclosed overseas (primarily to the EU or UK, for example, to provide technical support), we will take reasonable steps to ensure recipients handle it in accordance with the Australian Privacy Principles.
• All internal and external data transmissions to and from the Smartgrade Platform are encrypted using modern SSL/TLS protocols and ciphers via secure REST APIs.
• Data is encrypted at rest (i.e. when stored on a disk or laptop).
• We use encrypted passwords with variable permissions according to the user’s role for access to all personal information.
  

4. Staff access to data

Smartgrade does not look "under the hood" or inspect any of the data we store. The only exceptions to this are where a school has explicitly given us permission to inspect their data; to provide technical support following an enquiry from a school; or to correct a technical problem. If you believe that we hold personal information about you that is inaccurate or out-of-date, you may contact us to access it or correct it as set out in paragraph 5 below.  

All our staff and subcontractors are required to agree that they will abide by a Security and Data Protection Policy at all times.

5. Access to and correction of your personal information 

You may request access to or correction of personal information that we hold about you by contacting us directly. Our contact details are set out below. Please understand there are some circumstances in which we are not required or permitted to give you access to your personal information, but we will advise you if these circumstances apply.   

There is no charge for requesting access to your personal information, but we may require you to meet our reasonable costs in providing you with access (such as photocopying costs or costs for time spent on collating large amounts of material). 

We will respond to your requests to access or correct personal information in a reasonable time and will take all reasonable steps to ensure that the personal information we hold about you remains accurate, up-to-date and correct.  

6. Deleting and Retaining Data

We retain personal information on our platform only as long as necessary to provide the Smartgrade service and to meet our legal obligations. If a school ceases to use Smartgrade, we will delete or de-identify personal information of individuals associated with that school within a reasonable period (for example, within 4 months after the contract concludes or within 5 working days of a deletion request), unless retention is required by law. We do not automatically delete student data at a specific age; instead, we follow the school's instructions or legal requirements. We keep point-in-time backups for up to 30 days and weekly backups for up to 150 days, and audit logs of user interactions for up to 18 months, after which they are securely destroyed.

7. Security Breaches

We take all reasonable and necessary precautions to ensure that your personal information is secure and to recognise and then mitigate the risks to security and privacy. However, it is not possible to 100% guarantee the security of any data transmitted or stored electronically. In the event that a significant breach of security or privacy did occur and it is likely to result in serious harm to one or more individuals, Smartgrade will notify the school as the APP entity and assess whether it constitutes an eligible data breach under the Privacy Act 1988. If so, we will notify the Office of the Australian Information Commissioner (OAIC) and the at-risk individuals as soon as practicable in collaboration with the school.

We will also cooperate with the school or education department in any required internal reporting and remediation process.

8. Categories of Data

If you are a school providing Smartgrade access to individual users (such as teachers), you must ensure all such individuals are suitably informed about how their personal information may be collected, used and disclosed by Smartgrade. A summary of these arrangements is set out below.  

The categories of personal information we process and the purposes for doing so are as follows:

‍Staff names and contact information

• To provision accounts.
• To distinguish between teachers in school and school system accounts.
• To assist with the provision of an education to students.
• To contact you with important updates regarding the product.

Student names

• To distinguish between students in a teacher's class.
• To assist with the provision of an education to students.

Student emails

• To provision online student accounts and allow students access to accounts.

Student demographic information (gender):

• To allow for grouping and analysis in the markbook and analytics module.
• To assist with standardisation.

Student teaching group / Year Group / Subject

• To allow for grouping and analysis in the markbook and analytics module.

Student number issued by the school / School Management System ID

• To allow for matching of students in the Smartgrade database with school records on export.

Student Prior Attainment

• To allow for grouping and analysis in the markbook and analytics module.
• To assist with standardisation.

IP addresses

• To identify trusted and frequently used devices.
• To track a user’s interaction with the website for analytics, support and product optimisation.
• To assist with the provision of an education to students.
• To monitor and prevent malicious usage or attacks.

9. Data sharing

We may share data (which does not include personal information, unless specified below) with the following companies if such a need arises and within the terms laid out by this policy:

• Amazon Web Services (cloud hosting) for the purposes of application hosting.
• Aircury (software development agency) for the purposes of product development and support.
• Google Analytics (marketing website analytics) for the purposes of analysing website traffic.
• Clarity (marketing website analytics) for the purposes of analysing website traffic.

We access MIS information from schools either via Wonde, the third party School Management System integration service, or in the case of Compass, via direct connection with the MIS itself.

Providing an administrator has enabled the feature, you can log in to Smartgrade via School or school system account with Google or Microsoft. We will not collect the password that you use for the relevant platform, but we may send and receive access details from your account with the platform, such as username and email address.

If your organisation is using our AI marking features, anonymised responses may be shared with the following companies:

• OpenRouter (AI model aggregation) for the purposes of model interaction.
• Google (Gemini - Large language models) for the purposes of AI marking.
• Open AI (ChatGPT - Large language models) for the purposes of AI marking.
• Anthropic (Claude - Large language models) for the purposes of AI marking.

This list of third-party processors is maintained and updated regularly.

No personally identifiable or pupil-level data will be shared with these providers. Data is never used for model training and no solely automated decisions are made that have a legal or similarly significant effect on an individual.

10. Information for students and parents/guardians

Smartgrade, as a contracted service provider, only accesses personal information as permitted by the school and only for the purposes of performing our services on the school's behalf. Your child's school, school system or education department is also responsible for any student or parent personal information that they collect and provide to Smartgrade for the purposes of our services. If you have questions about your or your child's personal information or how your school uses Smartgrade, please contact the school directly. Any enquiries we receive from students or parents/guardians may need to be directed to the relevant entity, if more appropriate.

General 

11. Cookies

A cookie is a string of information that a website stores on a visitor’s computer. Smartgrade uses cookies for purposes such as helping us to identify and track visitors’ usage and preferences. You can disable cookies in your browser if you wish to, although this may mean that some features of our website do not work as they should.

12. Communication

If you have expressed interest in Smartgrade or signed up as a Smartgrade customer and provided your email address, we may occasionally send you information about new features, feedback requests or updates to our products. These communications are directed to teachers, administrators and other adult users, not to students. You can opt out at any time using the links in those emails or by emailing privacy@smartgrade.net, and we will remove you from our list.‍

13. Third Party Websites

Our website may contain links to other sites. We cannot be responsible for the privacy policies and practices of other sites even if you access them using links on our website. We recommend that you check the privacy policy of each site you visit and contact the owner or operator if you have any questions or concerns.

14. Questions and Grievances

If you have any questions or grievances in relation to security or privacy, please email us at privacy@smartgrade.net. If you are not satisfied with our response, you may contact the Office of the Australian Information Commissioner (oaic.gov.au).

15. Changes to this policy 

We may update this policy from time to time. The updated version will be posted on our website with the effective date. Please check this page periodically for any changes. 

‍

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.

‍