Privacy and data protection

At ImpactEd we work with both schools and education organisations to help them evaluate the impact of their initiatives, interventions and programmes. To do so, we process different types of data. This page covers some common FAQs about privacy and data protection at ImpactEd.

The guidance here is general and specific details may vary from partner to partner - please get in touch with us at if you have questions relating to how your data is processed.

Jump right to:

Security and compliance at ImpactEd: overview

To deliver our work helping schools and education organisations better evaluate their impact, we often need to process personal data. We take protecting data very seriously and have in place a number of safeguards to ensure that we are adhering to security and data protection best practices. These include:

  1. All personal data transfer and storage takes place through encrypted services (at least 256-bit SSL/TLS encryption in motion and 128-bit AES at rest).

  2. We process personal data only within the UK or European Economic Area or under equivalent adequacy arrangements approved by the European Commission, unless you have consented otherwise.

  3. We process pupil data only in an anonymised format (i.e. with identifying information such as names removed) unless you have instructed us otherwise.

  4. Once the reason for processing your data has ended, it will be anonymised or deleted.

  5. All team members are in possession of a valid DBS certificate.

ImpactEd is Cyber Essentials Plus certified and registered with the ICO (number: ZB373629).

How exactly we process your data depends on how you partner with us. There are three main ways this might happen:

  1. You are a school that is subscribing to us directly as a school partner.

  2. You are a school that we are working with as part of a wider research project (for example, a tutoring charity that you work with has commissioned us to look at its impact in its partner schools).

  3. You are an education organisation that we are working with directly.

If you have received a data request from ImpactEd and you are unsure of the reason, please get in touch with us at and a team member will respond within 48 hours.

The ImpactEd platform: security and data protection

Many of our projects take place using the ImpactEd platform. This is a digital platform that makes it easier to monitor and evaluate the impact of any intervention or initiative you might be running in your educational setting.

The ImpactEd platform connects with school information systems such as SIMs through a tool called Wonde. Wonde allows schools to directly share data from their management information systems (MIS) through a secure and encrypted connection. This means that your information is always up to date, you can control the data which is accessed, and you can revoke our access to your data at any time. You can find out more about Wonde's security here.

As well as accessing data from your MIS, the ImpactEd platform can be used to administer questionnaires. Responses to these questionnaires are held directly in the ImpactEd platform. We run these through a tool called Typeform. No personally identifiable information is shared from the ImpactEd platform to Typeform.

The ImpactEd platform is fully secure, compliant with the UK GDPR and Data Protection Act 2018, and can only be accessed through secure usernames and passwords. Our example Data Sharing Agreement outlines the protections we take through the ImpactEd platform, which include:

  1. All pupil data on the ImpactEd platform is fully anonymised by default for ImpactEd staff unless you explicitly grant us access to view personal data (for example, to provide technical support).

  2. All data is protected by encryption, including 256-bit SSL/TLS encryption in motion and 128-bit AES at rest.

  3. All personal data is processed only within the UK or European Economic Area or under equivalent adequacy arrangements approved by the European Commission, unless you have consented otherwise.

  4. The data we access through the ImpactEd platform can be controlled via the Wonde portal. If you wish to revoke our access to data, this can be done instantly.


For more details on how data is used in the ImpactEd platform specifically, please refer to our example platform Data Sharing Agreement. If you have questions which haven't been answered by this page, don't hesitate to get in touch at

Where do you store and process personal data?

All personal data we handle is processed and stored within the UK or European Economic Area or under equivalent adequacy arrangements approved by the European Commission, unless you have consented otherwise.

Why do you use Wonde to process data through the ImpactEd platform?

Wonde is a secure service that enables you to control access to your data and revoke it at any time. Use of Wonde allows us to avoid the need for unsecure file sharing mechanisms such as email, and means that you are in control of the data you share, with the ability to remove access at any point. Although Wonde processes personal data, ImpactEd staff will only be able to view data in an anonymised format unless you grant us access to view personal data (for example, to solve a technical issue). More details on Wonde’s security procedures are available here.

How can I manage the data accessed through Wonde?

If you are using Wonde to share data with ImpactEd, you can accept or withdraw our access to your school’s data as a whole at any time through the Wonde portal.

In addition, Wonde provides you with options to control access to specific datapoints. Some data permissions (such as pupil year group) we require for the ImpactEd platform to function. These are marked as required. Other permissions which are required for some projects but not others are marked as optional, and your school can choose whether these are shared or not. We will advise the data contact within your school if these optional permissions are required.

Finally, if there is a particular pupil that you are not able to share data for, they can be marked within Wonde and data will not be processed for that pupil.

Are you a data controller or processor?

Whether we are a data controller or processor can depend on the specific project orpartnership. In the vast majority of our partnerships, we are the data processor withthe data controller being the school or education organisation that we are workingwith. This means that our use of personal data is restricted to the purposes the data controller instructs us to fulfil. If you are unsure of the data processing relationship for your partnership with ImpactEd, please contact us at

Do you share personal data with any third parties or commercial providers?

We do not share personal data for commercial purposes. We have a small number of authorised subprocessors that we use to assist us in delivering projects (for example, our email service providers). Typically no sensitive data is shared with any of these providers. These subprocessors are held to the same data protection standards that we hold ourselves to. Further details are provided in our example Platform Data Sharing Agreement.

What legal basis should be used for sharing data with you?

Where we are the data processor and you are the data controller, it is your responsibility to decide on the grounds you will use for processing. The most common grounds used by our partners are ‘Public Task’ (in the case of schools and other public bodies), legitimate interests or contractual obligation. If you use these reasons for processing, collecting parental or pupil consent is not necessarily required.

What safeguards do you take for data privacy and security?

ImpactEd takes privacy and security very seriously. We are Cyber Essentials Plus certified and registered with the ICO (number: ZB373629). All data we process is transferred through encrypted mechanisms and we anonymise data by default where personal data access is not required. If personal data access is required, this is on an ‘as needed’ basis and for a fixed time period only until data can be anonymised.

Further details are provided on our privacy page and in our example platform Data Sharing Agreement.

For how long do you retain personal data?

This can vary by the type of partnership and details will be provided in any data sharing or contractual agreements. Typically for school subscriptions we retain personal data only for the course of a subscription; following the end of a subscription all data is fully anonymised and retained for research purposes. For partnerships with education organisations, personal data is typically retained for six months following the end of a project and then fully anonymised.

How do you manage risks of data being unavailable? (e.g. in the event of a service outage)

We have automated and encrypted backups on the ImpactEd platform, keeping at least a month of retrospective data (by day and week), guarding against unintentional data destruction. We also keep a rolling internal audit log which allows for inspection of data flows and actions. Our cloud service providers also have multiple redundancies and failsafes to guard against any outage periods. In the event of any service outage, we will contact any affected parties directly with any mitigations and solutions. We also have a business continuity plan which covers arrangements in the event of systems failure.

How do you ensure the data shared is only what is required, and that it is accurate and up to date?

This is managed through your Wonde portal, through which you can approve or remove access to data at any time. All data sharing which is required for the platform to work is marked as a core permission in Wonde, so is accepted when you accept the Wonde request. Any data sharing which varies by project are marked as "optional" permissions in Wonde so you can accept or reject these on a field by field basis. When we set you up we will provide guidance on which of those to accept/reject. As with all our data access, this access can be removed at any time through the Wonde portal.

All data comes directly from your school Management Information System and is updated every 24 hours. So provided the records in your MIS are accurate this data should always present the most up to date and accurate record of any information.

How does anonymisation of personal data work on the ImpactEd platform?

We have access controls in place on the ImpactEd platform to limit access to personal data. School users will typically have access to unanonymised data for all pupils in the school as they would in their MIS. This is to enable schools to analyse data at a whole-school level, look at results for individual pupils, or to select the pupils who are participating in a particular intervention.

Unless we have specified otherwise, ImpactEd will not access this personal data. We have technical access controls in place such that potentially identifying information is suppressed and not available to ImpactEd users. The exception to this is where ImpactEd access to personal data is required for purposes of evaluation delivery or to solve a technical issue, in which case the relevant subscriber is asked to grant access and our usage of personal data ceases once the issue is resolved.

Where you are using the ImpactEd platform to share data with a third party (e.g. a charity who supports some of your students), this data will be shared on the basis you have agreed with them (which could be in identifiable or anonymous format).

Can I exclude a specific individual from having data shared by Wonde?

Yes. In the event of a parent or pupil requesting their data is not shared with Wonde or ImpactEd, you can use your Wonde dashboard to control access. To do this, the Wonde admin at your school should select ImpactEd on their Wonde dashboard and go to “Access Controls”. From there, they can select the filter method they require and then choose the pupils, teachers or contacts they wish to exclude/include.

Get in touch

Want to hear more about ImpactEd Evaluation? Get in touch for a conversation with a member of our team.

Get in touch

Contact us

Want to find out more? Arrange a conversation with a member of our team

*Required fields
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
See more