Our approach to data privacy
We care about privacy. We believe that privacy is a fundamental right for all individuals. Our clients entrust us with the personal information of their employees and their users, who are often students. We take the obligations that are attached to this information very seriously. We are ISO 27701 certified, EU – U.S. Data Privacy Framework certified, and a member of the Future of Privacy Forum.
Our data privacy commitments
- Our clients own their data. We understand that personal information of our clients’ users is only entrusted to us. We have a responsibility to protect it vigilantly and only use it in accordance with all applicable data privacy laws and as agreed with our clients.
- We believe data privacy is a fundamental right for all individuals. We were therefore among the first to adopt the high EU data privacy standards globally.
- We do not sell student data. We do not sell student personal information to third parties or data brokers or use or disclose student personal information for targeted advertising purposes.
- Innovation guided by privacy by design. We help our clients with data-driven insights and personalization. Our privacy team works closely with our product teams on these innovations, and we apply a privacy by design approach.
Our data privacy program
We have a dedicated Global Data Privacy Program that uses the high EU GDPR standards as a global baseline to ensure we can meet our obligations and can assist our clients with their obligations. Our key products are also ISO 27001, 27017, 27018 and 27701 certified.
Good data privacy practices require a solid governance model. At Anthology, data privacy and security are a Board priority, and our data privacy governance model ensures that senior management oversees and supports our data privacy and security efforts through the Compliance Committee and the Security and Privacy Risk Council, a subcommittee of the Compliance Committee. A network of Data Privacy Champions supports our Global Privacy Officer and the Privacy Team. Staff are made aware of the importance of data privacy and their responsibilities under our internal data privacy policies through initial and regular data privacy and security training and awareness campaigns.
Privacy by design
Our privacy by design process helps ensure that material changes to how we use personal information in our products are reviewed from a data privacy perspective from the start and that the impact on the privacy of individuals is minimized. This is achieved through product privacy requirements, our internal privacy by design, data protection impact assessments and close cooperation between the privacy and product teams.
Responsibility for our Vendors
Anthology is responsible for the data privacy practices of our vendors. Our vendor risk management processes help ensure that:
- We have robust contracts that include a data processing addendum in place with our subprocessors imposing materially equivalent provisions that we have in place with our clients.
- New vendors with access to personal information need to complete vendor security and data privacy due diligence questionnaire which allows us to understand their security and privacy practices, risks and standards.
- Vendors with access to Anthology-managed systems are required to follow Anthology-internal access control and identity and authorization policies.
- Vendors need to access Anthology resources through approved mechanisms.
- Vendors have restricted access controls on traffic, users, and assets.
You can find the list of our subprocessors at www.anthology.com/trust-center/sub-processors.
Further Information
Our Privacy Statement explains in detail how we process personal information for our own purposes (as a controller) and how we typically process personal information of our clients and their end users (as a processor). You can also find more details about our data privacy approach program in our Data Privacy White Paper.
For any questions or feedback, please email us at [email protected]