Positively MAD, which stands for Positively Making a Difference, are committed to respecting your privacy and ensuring that we only communicate with you because we feel that you have a legitimate interest in our services.
We are the UK’s largest and longest standing provider of student workshops, alongside inspirational and supportive sessions for parents and teachers.
We are fully compliant with the PECR, Data Protection Act 1998, GDPR and are understand the guidance set out by the ICO and DMA. Our lawful basis for processing is ‘legitimate interest’. We will never share your information with any third parties.
Why and how we contact you and our lawful basis for processing.
Our ethos is to ‘inspire empowered learning’ by positively making a difference to as many students, teachers and parents as we can.
The reason for our contact is to make you (schools) aware of our services. We are an educational training provider who have delivered in the marketplace for the past 18 years, we provide accelerated learning and personal development workshops for students, teachers and parents. Our workshops provide benefit to many schools across the country (we have testimonials, case studies and quantitative data to support this) therefore it is in the best interest of the schools that we inform them of what we can offer their students and staff.
There are 3 steps we take in order to fulfil our ethos:
1. Collect contact information from schools in the UK, so that we can send them direct marketing in the form of emails.
2. Promote our brand to schools, in the hope that they will invite us to deliver our workshops.
3. Ensure that we send excellent presenters to provide outstanding workshops
The direct marketing we carry out is via email or occasionally via post. We do not ‘cold call’ - the only time an individual would hear from us via telephone is if they had showed interest in our services by clicking on our emails, enquiring with us or by meeting the conditions our any third party partners deem as legitimate interest. For further information about our partners, please see the section stating ‘how we work with our partners’.
Lawful basis for processing
We have recently conducted an Information Audit along with a legitimate Interest Assessment to ensure that we are fully compliant with the new rules around personal data.
The DMA, summarising instructions from the GDPR update, states that -
‘You can send individuals a marketing email/text as long as you provide an easy way to opt-out of future communications from you.’ 
We operate under a ‘soft opt-in’ policy relating to previous customers, which is approved by the ICO. This means that if you have bought from us in the past, we can assume that you are interested in hearing about our services still.
'The term ‘soft opt-in’ is sometimes used to describe the rule about existing customers. The idea is that if an individual bought something from you recently, gave you their details, and did not opt out of marketing messages, they are probably happy to receive marketing from you about similar products or services even if they haven’t specifically consented. However, you must have given them a clear chance to opt out – both when you first collected their details, and in every message you send.’ 
We provide an ‘unsubscribe’ link (which is considered to be an ‘opt out’) at the bottom of all of our marketing emails.
Please refer to the ‘what to do if you do not wish to be contacted by us’ section for information about unsubscribing from our marketing mails and your rights.
How we collect and store your data
The data we collect is readily available in the public domain and can be requested legally in accordance with the Freedom of Information Act 2000. Schools have a legal obligation to update their details on ‘Get information about schools’ under the Education Act 1996. The information we collect is indicated beneath:
School name, contact name, school address, job title, school email address, school phone number.
The ICO defines the contact name and job title as being ‘personal data’ because, ‘any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier’. 
From our understanding, this means that any information we hold which can be directly related back to the person is considered to be ‘personal data’. For example, if we just collected contact names without school name, job title, school email address, school address, school phone number and stored them on our CRM system, it would be very unlikely that the person could be identified.
However, if we were to collect the contact name and school name, it is more likely that the individual could be identified.
We do not hold or store any information about the contacts home address, personal phone number of any special category data, we simply hold information about the contacts role in the school so we can send targeted marketing to them.
We collect this in two ways:
1. Internally – we have a Business Administration Apprentice who uses ‘Get information about schools’ formerly Edubase (GOV.UK website) to search for schools.
2. Externally – we have worked with 3 companies in the past:
- Hamilton House T/A Websites and Blogs Ltd
- The Education Company (Spirit)
- Sprint Education
We store schools financial information in 2 ways:
We invoice schools electronically via Sage 50 Accounting software (which only the Finance Manager has access to and is password secured) and post a hard copy of the invoice directly to the schools.
1) If schools send us a remittance via post, this information is stored in a locked cabinet, which only the Finance Manager has access to, before it is taken to our Accountants (MacKenzies Chartered Accountants).
2) If schools send us remittance via email, the details are stored in a secure folder on our Finance Manager’s computer, which only the Finance Manager has access to.
3) It is very rare that schools send us their bank details, because we do not pay them. However, if they do, the details are stored in either the locked cabinet or file on the computer. No bank details are stored on our CRM.
Name, school name, job title, email address, phone number
Where we find your information
We search for schools’ information using 2 methods:
1) ‘Get information about schools’
We search ‘all establishments’ and select either – primary, secondary or further education. We then look for 3 factors:
- OFSTED grade: We are more interested in schools who are graded Requires Improvement or Inadequate in ‘achievement’ and ‘quality of teaching’ because we believe that they will be most in need of our support in comparison to schools graded Good or Outstanding.
- Pupil roll: Because we are able to deliver to up to 300 different students per day, we ensure that we target large schools who are more likely to possess the budget to invite us to deliver.
- Location: We are aware that there are certain ‘opportunity areas’ in the country who are deemed as requiring more support for various reasons including – proportion of disadvantaged students in comparison to the national average. Because we are able to provide workshops which focus on upskilling and raising standards, we focus on gathering information from these areas in the first instance.
2) School websites
After gathering a list of school names from ‘Get information about schools’, our Business Admin Apprentice searches for the schools using a popular search engine and looks on the school websites for the information we collect:
School name, contact name, school address, job title, school email address, school phone number
If we cannot find the above information on the schools website, we add the schools generic email address and contact details into our system and send our marketing emails to them. In most cases, we receive a response from a contact who is interested, who we then add onto the system.
How we work with our partners
We no longer work with any third party companies, however, the agreements we had with our partners, Sprint Education and Hamilton House, were the same.
We provided them with the product we wanted them to promote and they sent email marketing on our behalf. Their privacy policies are compliant with the GDPR and their policies can be found on their respective websites. Sprint Education have created a number of documents relating to the GDPR which have ensured us, as customers, that they are fully aware of the implications.
Sprint Education – https://www.sprint-education.co.uk/legal
Hamilton House - http://www.schools.co.uk/Privacy Statement.pdf / http://www.schools.co.uk/Data Protection Policy Document.pdf
After sending the emails on our behalf, the only data we received from them was:
School name, contact name, job title, school email address, school phone number
We received this data if we met these conditions:
1) The individual had viewed the email for more than 30 seconds
2) The individual had clicked on a link
3) The individual had responded to the email
We would then contact the individual via telephone in the first instance, then via email to inform them that we have information to state that they are interested in our product and ask them if they require any further information.
The agreement we had with Spirit (the Education Company) is that we were provided with access to their ‘datamining’ platform which allowed us to send marketing campaigns to their database.
What to do if you do not wish to be contacted by us
All of our emails have an unsubscribe link, please click on this and it will automatically unsubscribe you from any future marketing mail. Alternately, please send an email with the subject line ‘UNSUBSCRIBE’ to firstname.lastname@example.org and we will manually unsubscribe you.
After you have unsubscribed from all future marketing mail, we remove your email address from our system but we keep your name with email@example.com as the email address. This is because we want to make sure that you are not added to our system again at any point in the future. If you would like us to completely remove all of your details, please let us know using the email address above and we will happily do this. However, when we come to update our database in the future, because we would have no evidence of you in our system, we could not guarantee that you would stay out of our database.
You have the right to be informed why we are processing your data and the right to ask to be removed from our marketing emails.
How we would handle security breaches
We do not collect or process any ‘special category data’ (sensitive data) which is defined by the ICO as being related to:
Race, ethnic origin, politics, religion, trade union membership, genetics, biometrics (where used for ID purposes), health, sex life, sexual orientation
All data we collect is stored on our CRM system, Salesforce. Salesforce is considered as being the most trusted cloud CRM platform. School financial information is stored by our Finance Manager on Sage 50 Accounting, which ensures that ‘Your data is secure and protected with encryption and secure sign in’.
In accordance with Article 33 of the GDPR:
‘In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons’.
We are confident that a personal data breach would be unlikely to result in a risk to the rights and freedoms of natural persons. Therefore, if a breach occurred, we would be sure to document the breach in alignment with the terms set out on the ICO website:
‘However, if you decide you don’t need to report the breach, you need to be able to justify this decision, so you should document it’.
In the 18 years since our company was founded, we have never experienced a security breach. The impact of a breach on our system would be minimal because the only data which could be stolen is already available in the public domain. Data stored on Sage 50 accounting is encrypted, therefore, the only information which would be at risk is on Salesforce, which would show any correspondence between a contact at a school using their school email address and our Head Office team. Obviously, this isn’t ideal as we pride ourselves on building relationships with customers and providing a personal service and we would not want anyone else to have access to this kind of information. However, the only matters discussed in emails are relating directly to our services, so they cannot be deemed as sensitive. Individual students are not discussed, so we hold no information related to children of any kind.
The only individuals with access to Salesforce are our Head Office team, which consists of:
Managing Director, Operations Manager, Finance Manager, Events Co-ordinator and our Business Administration Apprentice.
Each individual has their own password to access Salesforce and the platform is never accessed from a shared computer. All computers in the Head Office and Finance Office have inbuilt security software which covers malware, viruses and any potential security breaches.
This policy was reviewed on 18 April 2018, by Laura Moran, Operations Manager, Positively MAD.
Positively MAD, Osborne Stable Block, York Road, East Cowes, Isle of Wight, PO32 6JU.
‘You’ refers to the customer
‘We’ refers to Positively MAD as a company
‘Our workshops’ refers to the personal development and accelerated learning workshops we provide. Details of which can be found on our website – www.positivelymad.com