Policies and Practices

The boring but important stuff!



Our policies and practices are designed to comply with both the DPA (Data Protection Act 1998) and the GDPR (General Data Protection Regulation) in force as of May 25th 2018. For a summary of your rights under the GDPR visit the ICO website.

If you use the service as a part of a trial or pilot programme not subject to a contract, then you will receive an email asking you to read the policies and practices contained herein and give explicit consent for eFirst to use and process data on your behalf via a return email. Consent can no longer be verbal or implied.

If you have any concerns or questions then email the nominated DPO (Data Protection Officer) at eFirst: dpo@efirst.org.uk

Please note that this site does not use cookies to store any kind of personal information. We want you to browse our site in freedom and safety without ads or annoying pop-ups.

We only collect and process customer information when there are lawful reasons for doing so. Similarly any data processing is confined to published product functionality at a point in time. Any other use of data would only be lawful and with customer consent.

We will ensure that erasure of customer data, either at the end of a given retention period or upon cancellation, will be conducted without undue delay according to article 17 of the GDPR. A dedicated email is provided for cancellations (cancel@efirst.org.uk). Erasure is complete and covers not just the Check Online service but also any backups in existence. Customers can request that a data archive be conducted before erasure in keeping with portability according to article 20 of the GDPR. That archive can be transmitted to a customer via a chosen secure medium before being erased.

When we outsource services such as, but not limited to, data transmission and hosting, it is both an expectation and a requirement that they comply with the GDPR and operate in keeping with our privacy principles.

We will update our policies and practices in line with any regulatory changes and train our staff accordingly.


The data we collect would include:
  • Personal identifiers such as name and date of birth.
  • Contact details such as addresses, email addresses and telephone numbers.
  • Date, time and details of any login to the Check Online service.
  • Student learning checklists, both historical and current, together with any assessor responses to them.
  • Evidence documents uploaded by service users against checklist descriptors.
  • Assignment data, assignments and any related assessor grades and/or feedback. Assignment data can include the responses to, and outcomes of, online or adaptive testing.
  • Notices or notice documents posted or uploaded by service users.
  • Any other communication with customers such as emails.

Check Online as a service will not transfer data outside of the EU unless the customer accessing said data is also based outside of the EU, in which case transferral will be restricted to customer specific data.


We take necessary security measures to protect against unauthorised access to data and systems. Our practices pertaining to data collection, storage, processing and security are subject to periodic internal review. This includes any physical security necessary to safeguard sensitive or personal data.

Access to personal or sensitive information is restricted to eFirst employees and contractors. Where appropriate or relevant those individuals are DBS checked. We use secure data centres to host the Check Online service and have completed the Department for Education self-assessment checklist for cloud-based software provision. We recommend that any school considering cloud-based provision ensures that relevant suppliers have completed and published this checklist. View the Department for Education guidelines here. Now read through the eFirst checklist.


eFirst Software services is responsible for data in transit to and stored / processed by the Check Online service. It is not responsible for other IT systems and solutions used by service users (referred to as Shadow IT) when preparing data bound for Check Online or subsequent processing of data once downloaded from Check Online. It is recommended that data is de-sensitised or de-personalised wherever possible before transmission.