Contents
- Our Commitment to Data Protection
- Data Controller Information
- Legal Framework
- Data We Process
- Data Processing for Schools
- Technical and Organisational Measures
- International Data Transfers
- Your Rights Under UK GDPR
- Data Protection Impact Assessment
- Data Breach Notification
- Children's Data
- Changes to This Policy
- Making a Complaint
- Contact Us
1. Our Commitment to Data Protection
The School Governance Assurance Framework (SGAF) is committed to protecting the privacy and security of all personal data we process. We understand that data protection is not just a legal requirement under UK GDPR and the Data Protection Act 2018, but a fundamental responsibility that underpins confidence in our service.
This Data Protection Policy explains how we collect, use, store, and protect personal data when you use the School Governance Assurance Framework. It describes your rights under UK GDPR and how we ensure compliance with data protection legislation.
We apply data protection principles by design and by default, meaning privacy and security considerations are built into every stage of our service delivery, from initial service design through to ongoing operations and eventual deletion of data.
2. Data Controller Information
About Us
The School Governance Assurance Framework is operated by Joshua Mangas, a sole trader registered in the United Kingdom. For data protection purposes, Joshua Mangas is the Data Controller for the School Governance Assurance Framework service.
Data Controller Details
| Name | Joshua Mangas |
| Trading Name | The School Governance Assurance Framework |
| Business Address | United Kingdom |
| Email | info@governanceassurance.co.uk |
| Website | https://governanceassurance.co.uk |
Data Protection Officer
As a small organisation, we do not have a dedicated Data Protection Officer. However, all data protection queries can be directed to the Data Controller contact details above.
ICO Registration
Joshua Mangas is registered with the Information Commissioner's Office (ICO) as a Data Controller under UK GDPR. Registration details are publicly verifiable on the ICO register. We share the registration number directly on the Data Processing Agreement and other commercial documents issued to customers.
3. Legal Framework
The School Governance Assurance Framework's data protection practices are governed by the following UK legislation:
UK General Data Protection Regulation (UK GDPR)
The UK GDPR applies to all processing of personal data. This regulation provides individuals with comprehensive rights over their data and requires organisations to process data lawfully, fairly, and transparently.
Data Protection Act 2018
The Data Protection Act 2018 supplements the UK GDPR by setting out specific rules for sensitive personal data processing and provides exemptions in certain circumstances, particularly relevant to education and public authorities.
Other Relevant Legislation
- Education (Pupil Information) (England) Regulations 2005 – Where governance data involves pupil information, this statutory framework applies
- UK GDPR Article 6 – Lawful basis for processing personal data
- UK GDPR Article 9 – Processing of special category data where applicable
- Privacy and Electronic Communications Regulations 2003 – For any direct marketing communications
Our Obligations
As a Data Controller, we must:
- Process personal data lawfully, fairly, and transparently
- Collect data for specified, explicit, and legitimate purposes
- Ensure data is adequate, relevant, and limited to what is necessary
- Keep data accurate and up to date
- Keep data in a form which permits identification of data subjects for no longer than necessary
- Process data securely and maintain integrity and confidentiality
- Be accountable and demonstrate compliance with these principles
4. Data We Process
The School Governance Assurance Framework processes personal data across 15 platform tools: Quality Standard, Website Check, AI Readiness Audit, Faith Inspection Readiness, School Data Check, Website Compliance, Board Intelligence Report, Meeting Agendas, School Improvement, Statutory & Core, Headteacher Report, CES Assurance, SIAMS Assurance, Trust Dashboard, and Agenda Builder. The table below outlines the types of data, purposes, legal basis, and retention periods:
| Data Category | Examples | Purpose | Legal Basis | Retention Period |
|---|---|---|---|---|
| Authentication Data | Email address, authentication tokens | User identification and account access control | Performance of contract (service provision) | Deleted within 30 days of account closure request |
| Account Information | Full name, job title, school/organisation name, role in governance | Account administration, user profile, service delivery | Performance of contract and legitimate interests | Deleted within 30 days of account closure request |
| Assessment Data | Responses to governance assessment questions, Quality Standard scores, governance area ratings, evidence notes | Provision of Quality Standard tool, recommendations, governance improvement planning | Performance of contract and school's legitimate interests in governance improvement | Duration of active use plus 2 years |
| Usage Data | Timestamps, pages visited, sections completed, time spent on assessments, feature usage patterns | Service improvement, analytics, feature development, user experience optimisation | Legitimate interests (service improvement) | 24 months |
| Communication Data | Email correspondence, support tickets, feedback submitted through the platform | Customer support, feature requests, complaints handling, service improvements | Performance of contract and legitimate interests | 3 years (for complaints and evidence) |
| Payment Data | School name, billing address, invoice references, payment status. We do not store bank details. | Invoice generation, billing, payment reconciliation | Performance of contract | 7 years (HMRC requirement) |
| Website Scan Data | School website URL, crawl data, page content, compliance findings, termly scores | Provision of Website Check and Website Compliance tools | Performance of contract (membership) and legitimate interests (free check) | Duration of active use plus 2 years |
| Governance Intelligence Data | Aggregated GIAS records, Ofsted history, Companies House filings, DfE performance data, AI-generated recommendations | Provision of Board Intelligence Report | Performance of contract | Duration of active use plus 2 years |
| Governor Assignment Data | Governor names, statutory monitoring role assignments, SIP priority assignments, visit report content | Provision of School Improvement and Statutory & Core tools | Performance of contract | Duration of active use plus 2 years |
| Headteacher Report Data | Aggregate school data: attendance rates, exclusion numbers, staffing figures, budget summary, SIP progress, safeguarding updates | Provision of Headteacher Report and Board Intelligence Report | Performance of contract | Duration of active use plus 2 years |
| SIP Document Data | Uploaded SIP files, AI-extracted priorities, named priority leads, school identity data | Provision of School Improvement tool | Performance of contract | Duration of active use plus 2 years |
| Faith Module Data | CES and SIAMS module responses, faith readiness self-assessment answers, generated action plans and visit records | Provision of CES Assurance, SIAMS Assurance, and Faith Inspection Readiness tools | Performance of contract (membership) and legitimate interests (free readiness tool) | Duration of active use plus 2 years |
| Trust Dashboard Data | Aggregated governance data across schools within a multi-academy trust, heatmap views, trust-level reports | Provision of Trust Dashboard for MATs | Performance of contract | Duration of active use plus 2 years |
| School Data Check Data | School URN submitted for lookup, retrieved published DfE data (attendance, behaviour, performance, staffing) | Provision of School Data Check free tool | Legitimate interests (providing free governance intelligence) | Not stored beyond the session unless the user saves results to their account |
| Agenda Builder Data | Meeting type selections, framework element mappings, generated agenda content | Provision of Agenda Builder tool | Performance of contract | Duration of active use plus 2 years |
| Technical Data | IP address, browser information, device type, log files, error reports | Service security, troubleshooting, system administration, fraud prevention | Legitimate interests (security and service operation) | 12 months |
Basis for Processing
We process personal data based on the following lawful bases:
- Performance of Contract (Article 6(1)(b)): Processing necessary to provide the School Governance Assurance Framework service to schools and governors
- Legitimate Interests (Article 6(1)(f)): Where processing supports service improvement, security, fraud prevention, and analytics
- Legal Obligation (Article 6(1)(c)): Where required by law, such as HMRC record-keeping and ICO compliance
- Consent (Article 6(1)(a)): Where explicitly provided by users for specific purposes, such as marketing communications
We do not process special category data (sensitive personal data) under Article 9 of UK GDPR. The Headteacher Report collects aggregate school-level data (attendance rates, exclusion numbers, staffing figures) rather than individual pupil records. Any school-level data entered remains under the school's control as Data Controller.
5. Data Processing for Schools
Our Role as Data Processor
When schools use the School Governance Assurance Framework, the school (or its governing board) is the Data Controller of governance-related data entered into the platform. The School Governance Assurance Framework acts as a Data Processor on behalf of the school across all 15 platform tools: Quality Standard, Website Check, AI Readiness Audit, Faith Inspection Readiness, School Data Check, Website Compliance, Board Intelligence Report, Meeting Agendas, School Improvement, Statutory & Core, Headteacher Report, CES Assurance, SIAMS Assurance, Trust Dashboard, and Agenda Builder.
Data Processing Agreement
Schools using the School Governance Assurance Framework enter into our terms of service, which establish our relationship and set out data processing arrangements. Key points include:
- The school remains the Data Controller of all data entered into the assessment
- SGAF processes data only on the school's instructions and in accordance with their data protection obligations
- SGAF implements appropriate technical and organisational security measures
- SGAF does not share school data with third parties except as necessary for service provision
- Schools retain the right to access, export, and delete their data
- SGAF cooperates with Data Subject Access Requests (DSARs) initiated by individuals
School Responsibilities
As Data Controllers, schools are responsible for:
- Ensuring they have a lawful basis for processing data they input into the assessment
- Obtaining necessary consents from governors and staff whose data is included
- Providing privacy notices to data subjects about how their data is processed
- Complying with their own data protection obligations under UK GDPR
- Keeping their user account secure
- Notifying SGAF of any data breaches involving data processed through the platform
Sub-processors
The School Governance Assurance Framework engages a small number of sub-processors to provide infrastructure, security, and service delivery, in the following categories:
- Cloud database and authentication: EU-hosted database, file storage and sign-in
- Application and website hosting / CDN: School Portal (EU, London region) and marketing site (global CDN)
- AI processing: document analysis, compliance assessment, scoring, and report and content generation
- Transactional email delivery: sign-in codes and account notifications
- Payment link processing: invoice payment via an FCA-authorised provider (UK/EU)
- Identity providers (OAuth): optional sign-in with a Google or Microsoft account
- Marketing-site services: contact-form delivery (website only; fonts are self-hosted)
A current, named list of our sub-processors and their data-processing locations is provided to schools and trusts in the Data Processing Agreement and is available to anyone on request from info@governanceassurance.co.uk. We notify customers of any intended change and give an opportunity to object.
Data Ownership and Portability
Schools retain full ownership of all assessment data they input into the platform. Schools can request data export in machine-readable format (typically CSV or JSON) at any time. Upon request or account closure, schools can retrieve all their data or request deletion subject to applicable retention requirements.
6. Technical and Organisational Measures
We implement comprehensive technical and organisational security measures to protect personal data against unauthorised access, alteration, disclosure, or destruction.
Technical Security Measures
- Encryption in Transit: All data transmitted between your device and our servers is encrypted using TLS 1.2 or higher
- Encryption at Rest: Sensitive data stored in our database is encrypted at rest using industry-standard encryption algorithms
- Database Security: Our database is hosted on EU-based infrastructure with automatic backups and disaster recovery capabilities
- Access Control: User authentication uses passwordless methods: email one-time codes, or OAuth sign-in through Google or Microsoft. No passwords are stored
- Session Management: User sessions are protected with secure tokens and expire after periods of inactivity
- API Security: All API endpoints are secured with authentication tokens and rate limiting to prevent abuse
- HTTPS Only: The entire platform operates over HTTPS with HSTS headers enabled
- Web Application Firewall: Our infrastructure includes DDoS protection and web application firewall rules
- Security Logging: All access to sensitive systems is logged for audit and security monitoring purposes
- Vulnerability Management: We conduct regular security assessments and promptly patch known vulnerabilities
Organisational Security Measures
- Data Protection Awareness: The data controller ensures appropriate data protection awareness and maintains confidentiality obligations for all personnel with access to personal data
- Access Control Policies: Personnel access to personal data is restricted to those with a legitimate need and appropriate role-based permissions
- Data Processing Instructions: Clear data processing policies and procedures govern how personal data is handled
- Incident Response Plan: We maintain documented procedures for responding to and reporting data breaches
- Privacy by Design: Data protection is considered during the design and development of all features and updates
- Regular Audits: We conduct periodic security reviews and vulnerability assessments
- Third-party Vetting: Any sub-processors and third-party providers are assessed for data security capabilities before engagement
Database Infrastructure
Our managed cloud database and authentication provider is hosted in EU data centres and provides:
- PostgreSQL hosting with data residency in the EU
- Recognised independent security certification (such as SOC 2 Type II)
- Automated daily backups with recovery
- Network-level isolation
- Comprehensive audit logging of database access
- Row-level security policies for granular access control
We never use your data to train AI models. Your governance data, uploaded documents and assessment responses are never used to train any AI model. AI processing is carried out by our AI provider through a private API on a transient basis: inputs and outputs are not used for model training, are retained only briefly for trust-and-safety purposes (typically no more than 30 days) and are then deleted. Our AI provider holds recognised independent security certification (currently SOC 2 Type II) and is bound by appropriate UK transfer safeguards (the IDTA or the EU SCCs with the UK Addendum).
7. International Data Transfers
Data Location
The primary database is hosted within the European Union. The school portal application is configured to the London region. However, some processing does involve international data transfers to the United States, as detailed below.
International Transfers
Certain sub-processor categories transfer data outside the UK and EU:
- AI processing (United States): inference for governance document analysis, compliance assessment, and report generation. Data is processed via a private API and retained by the provider typically no more than 30 days for trust-and-safety purposes, then deleted. The provider does not use API data to train its models. Covered by appropriate UK transfer safeguards (the IDTA or the EU SCCs with the UK Addendum) and the provider's independent security certification.
- Transactional email delivery (United States): for account notifications and one-time codes. Covered by appropriate UK transfer safeguards (the IDTA or the EU SCCs with the UK Addendum) and a data processing agreement.
- Identity providers (OAuth) (United States / Global): optional sign-in. Authentication tokens are processed through the provider's global infrastructure. Covered by appropriate UK transfer safeguards (the IDTA or the EU SCCs with the UK Addendum) and data processing terms.
- Payment link processing (UK/EU): you are redirected to an FCA-authorised provider's hosted payment page. We do not transfer your bank details, and any transfer by the provider is governed by its own data protection terms.
The current, named providers behind each category are listed in the Data Processing Agreement and available on request.
Safeguards
All international transfers are protected by:
- The UK International Data Transfer Agreement (IDTA), or the EU Standard Contractual Clauses together with the UK Addendum issued by the Information Commissioner
- Each provider's own compliance frameworks and data processing agreements
- Technical measures including encryption in transit and at rest
- Where applicable, data minimisation to limit the volume of data transferred
EU-UK Data Flows
Where data is stored in EU infrastructure, such transfers are permitted under UK GDPR because the EEA is currently covered by UK adequacy regulations.
Changes to Data Location
Should we change our infrastructure providers or data locations in future, we will notify existing users and ensure appropriate safeguards are in place before any new transfer begins. Any such changes will be made in compliance with UK GDPR requirements and users will be given reasonable notice.
8. Your Rights Under UK GDPR
Under UK GDPR, individuals have the following rights in relation to personal data held about them:
Right of Access (Subject Access Request)
You have the right to request confirmation of whether we hold personal data about you and, if so, to obtain a copy of that data. Subject Access Requests (SARs) should be made in writing to info@governanceassurance.co.uk. We will respond within 30 calendar days. If your request is complex, we may extend this to 60 days with written notice.
Right to Rectification
If you believe personal data we hold about you is inaccurate or incomplete, you have the right to request correction or completion. You may be able to update certain information directly through your account dashboard. For other updates, please contact info@governanceassurance.co.uk.
Right to Erasure ("Right to be Forgotten")
In certain circumstances, you have the right to request deletion of personal data. This right applies when:
- The data is no longer necessary for its original purpose
- You withdraw consent (where consent was the lawful basis)
- You object to processing and we have no overriding legitimate interest
- The data has been unlawfully processed
- Deletion is required by law
However, erasure may be restricted where data must be retained for legal, compliance, or legitimate business reasons. Contact info@governanceassurance.co.uk to exercise this right.
Right to Restrict Processing
You may request that we limit how we process your personal data. This is useful when you believe data is inaccurate (while we verify), when processing is unlawful (but you prefer restriction to deletion), or when you contest the processing. During restriction, we will store the data but not actively process it beyond keeping it secure.
Right to Data Portability
You have the right to request your personal data in a structured, commonly used, machine-readable format (such as CSV or JSON) and to transmit that data to another service. This right applies where processing is based on consent or contract. To exercise this right, contact info@governanceassurance.co.uk.
Right to Object
You have the right to object to processing of your personal data on the basis of legitimate interests. Following a valid objection, we will cease processing unless we can demonstrate compelling legitimate grounds that override your interests and rights. Contact info@governanceassurance.co.uk to lodge an objection.
Rights Related to Automated Decision-Making
You have rights in relation to automated decision-making, including profiling, that produces legal or similarly significant effects. The School Governance Assurance Framework does not use automated decision-making to make decisions that affect users' legal status or significant interests. However, we provide assessment scores and recommendations generated algorithmically from responses you provide. These are intended as guidance to support human decision-making by governance boards, not to replace human judgment.
Right to Withdraw Consent
Where we process data based on your consent, you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing based on consent given before withdrawal. To withdraw consent, contact info@governanceassurance.co.uk.
Exercising Your Rights
To exercise any of the above rights, please contact us at info@governanceassurance.co.uk with clear details of your request and the right you are exercising. We will respond within 30 calendar days and may ask for proof of identity to verify your request. There is no charge for exercising these rights unless your request is manifestly unfounded or excessive, in which case we may charge a reasonable fee or decline to respond.
9. Data Protection Impact Assessment
DPIA Overview
A Data Protection Impact Assessment (DPIA) is a process for identifying and mitigating risks associated with data processing. Given the nature of the School Governance Assurance Framework and the types of data processed, we have conducted a DPIA covering the following areas:
Processing Activities Assessed
- Collection and storage of governor personal data and governance assessment responses
- Use of authentication data for account access and identification
- Analytics and usage tracking for service improvement
- Sub-processing through our cloud database infrastructure
- Data retention and eventual deletion procedures
Risk Assessment
Our DPIA identified the following risks and corresponding mitigation measures:
- Risk: Unauthorised access to assessment data. Mitigation: Encryption in transit and at rest, access controls, authentication requirements, audit logging
- Risk: Data loss due to system failure. Mitigation: Automated daily backups, multi-region redundancy, disaster recovery procedures
- Risk: Unintended data sharing or disclosure. Mitigation: Data minimisation practices, sub-processor agreements, access control policies, staff training
- Risk: Retention of data beyond necessary period. Mitigation: Documented retention schedule, automated deletion procedures, audit trails
- Risk: Insufficient transparency. Mitigation: Clear privacy notices, detailed data protection policies, easy access to data subject rights
Conclusion
The DPIA concludes that processing by the School Governance Assurance Framework presents a low to medium residual risk level, with identified risks adequately mitigated by the technical and organisational measures in place. The processing is proportionate to the legitimate aims of providing a governance Quality Standard tool to UK schools.
DPIA Review
We review our DPIA annually and following any significant changes to our processing activities, infrastructure, or sub-processors. A detailed DPIA document is available on request from info@governanceassurance.co.uk.
10. Data Breach Notification
Our Breach Response Procedure
We take data security very seriously and maintain documented procedures for responding to any data breach or suspected breach of personal data security. A data breach is any incident where personal data is lost, stolen, corrupted, or accessed by unauthorised individuals.
Breach Detection and Notification Timeline
Upon becoming aware of a data breach, we will:
- Immediately: Isolate affected systems and prevent further unauthorised access
- Without undue delay: Conduct a preliminary investigation to determine the scope, nature, and likely consequences of the breach
- Within 72 hours: Notify the Information Commissioner's Office (ICO) where a breach is likely to pose a risk to the rights and freedoms of individuals
- Without undue delay: Notify affected data subjects where a breach is likely to result in high risk to their rights and freedoms
Breach Assessment
When determining whether to notify, we assess whether a breach is "likely to result in a risk to the rights and freedoms of natural persons," considering factors such as:
- The nature and scope of the data compromised
- The number of individuals affected
- Whether identification is possible
- The likelihood and severity of the harm
- Whether the data was encrypted or otherwise protected
- Whether the breach has already caused demonstrable harm
Notification Content
Where notification to data subjects is required, we will provide clear information including:
- The name and contact of our Data Controller
- A description of the likely consequences of the breach
- Measures taken or proposed to address the breach and mitigate harm
- The contact point for further information
School Notification
For schools using the School Governance Assurance Framework, we will notify the school's nominated contact immediately upon discovery of any breach affecting their data, regardless of whether ICO notification is required. Schools are responsible for assessing whether they must notify their own data subjects (governors, staff, or pupils) based on their obligations as Data Controller.
Investigation and Records
All suspected and confirmed data breaches are investigated and documented. We maintain a breach register recording the date, facts, effects, and remedial actions for each incident. This information is available to the ICO upon request and is used to identify patterns and improve security over time.
Reporting a Breach
If you suspect a data breach or security incident affecting the School Governance Assurance Framework, please report it immediately to info@governanceassurance.co.uk with as much detail as possible.
For our full breach response procedure, including notification timelines and the breach register, see Data Breach Procedure.
11. Children's Data
Direct Processing of Children's Data
The School Governance Assurance Framework does not directly collect or process personal data from children. The primary users of the platform are governors and school leaders aged 18 and over. We do not knowingly process information that directly identifies children.
Indirect References to School Performance Data
The Headteacher Report and Board Intelligence Report may contain aggregate school performance data such as attendance rates, exclusion numbers, and progress measures. This data:
- Is aggregated at whole-school level and does not identify individual pupils
- Is entered by the school (as Data Controller) or sourced from publicly available DfE datasets
- Remains under the school's control and responsibility as Data Controller
School Responsibilities
Schools using the School Governance Assurance Framework remain responsible for:
- Ensuring they have an appropriate lawful basis to enter any school performance data into the platform
- Only entering aggregate school-level data, not individual pupil records
- Complying with the Education (Pupil Information) (England) Regulations 2005 where applicable
Children's Access to Accounts
Governance accounts are created for school staff aged 18 and over. If we become aware that a child has created an account or provided personal information, we will take steps to delete such information and notify appropriate parties. Schools should ensure governance portals are accessed only by authorised adults.
Age Verification
By creating an account and using the School Governance Assurance Framework, you confirm that you are aged 18 or over. We do not intentionally collect data from anyone under 18 for the purpose of providing the service.
12. Changes to This Policy
Policy Updates
We may update this Data Protection Policy from time to time to reflect changes in our processing activities, legal requirements, or security practices. The date at the top of this policy indicates when it was last updated.
Notification of Changes
When we make material changes to this policy, we will notify users of the School Governance Assurance Framework by email or through an in-app notification. Material changes include those that:
- Alter our processing purposes or legal basis
- Introduce new sub-processors or third-party services
- Change data retention periods
- Affect users' rights or our security practices
- Require user action or consent
Continued Use
Your continued use of the School Governance Assurance Framework following notification of changes constitutes your acceptance of the updated policy. If you do not accept changes, you have the option to delete your account and cease using the service.
Policy Versions
Previous versions of this policy are available on request from info@governanceassurance.co.uk.
13. Making a Complaint
Internal Complaint Process
If you have concerns about how the School Governance Assurance Framework processes your personal data or believe we have breached UK GDPR or the Data Protection Act 2018, please contact us first:
Data Controller:
Joshua Mangas
Email: info@governanceassurance.co.uk
We will acknowledge your complaint within 7 business days and provide a substantive response within 30 days. If your complaint is complex or requires investigation, we may extend our response timeline and will notify you of the revised timeframe.
Information Commissioner's Office (ICO)
You have the right to lodge a complaint with the Information Commissioner's Office, the UK's independent data protection authority. This right exists regardless of any internal complaint process:
Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Telephone: +44 1625 545745
Email: casework@ico.org.uk
Website: https://ico.org.uk
Cooperation with ICO
We fully cooperate with ICO investigations and will provide requested information and documentation to assist the ICO in investigating complaints. We will not hinder or obstruct any ICO investigation.
Other Regulatory Bodies
If your complaint relates to education law or school governance more broadly, you may also wish to contact:
- Ofsted (Office of Standards in Education) for concerns about school governance standards
- Department for Education for policies affecting school governance
- Your local authority for local school governance issues
14. Contact Us
For any questions, requests, or concerns relating to this Data Protection Policy or our data protection practices, please contact the Data Controller:
Data Controller Contact
Joshua Mangas
School Governance Assurance Framework
Email: info@governanceassurance.co.uk
Website: https://governanceassurance.co.uk
We aim to respond to all data protection queries within 5 business days. For Subject Access Requests and other formal GDPR requests, please allow up to 30 calendar days for our response.
Data Protection Queries
The following types of queries can be directed to the contact above:
- Questions about this Data Protection Policy
- Requests to exercise GDPR rights (access, rectification, erasure, portability, etc.)
- Subject Access Requests (SARs)
- Data breach reports or security concerns
- Complaints about data processing practices
- Requests for information about sub-processors or data locations
- Requests to review Data Protection Impact Assessment documents
- Feedback on our privacy and data security practices