The National Foundation for Educational Research (NFER) is committed to safeguarding the privacy of all research participants, customers and others whose data we process in the course of our work.

NFER is registered with the Information Commissioner’s Office for its data processing activities. We also work to a strict Code of Practice and Data Security Policy (available on request) which all staff are required to adhere to as part of our terms and conditions of employment.

This page sums up NFER’s approach to data protection; activity-specific privacy notices are provided for the different types of processing we undertake (under the heading Participate in Research on the website). It outlines, in broad terms, how we collect, store, use, share and dispose of personal information. It sets out how you may access and seek correction of your personal information or complain about a misuse of your personal information. We also provide specific information about how we manage personal data in our stakeholder communications. If you have any queries about our processing of personal data, please contact our Compliance Officer.

NFER complies with the six principles of the General Data Protection Regulation. Personal data is:

  • processed fairly, lawfully and transparently (a legal basis for processing activities has been chosen and communicated alongside all other relevant information in a privacy notice which is made available to data subjects)
  • only used for the specified, clearly explained purpose it was collected for
  • adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed
  • kept accurate and up-to-date
  • only kept for as long as it is needed (usually until a project or activity is complete) and is then removed and securely deleted
  • processed in a manner that ensures appropriate security of the personal data; it is stored in secure systems and only transferred by secure means.

We are also responsible for complying with data protection legislation and for demonstrating this compliance. This accountability (the seventh data protection principle) takes the form of adopting and implementing data protection policies, taking a data protection by design and default approach, having written contracts with organisations that process personal data on our behalf, documenting the data we hold, carrying out data protection impact assessments, and having an individual (the Head of Data Security) who carries out the tasks of a Data Protection Officer (DPO).

What kinds of personal information do we collect and how?

We collect personally identifiable information for the following purposes:

  • NFER’s research, assessment and evaluation projects
      • Data collected on questionnaires
      • Data about teachers or pupils or other respondents
      • Survey responses via online or paper surveys
      • Interviews and case studies
      • Third party data from other sources (such as National Pupil Database)
      • Data on teachers who have agreed to be part of special panels or other groups
  • NFER’s range of products and services for schools
      • Customer contact information and order details to fulfil products and services
      • Data on individuals who receive our marketing and information communications (see the stakeholder communications privacy notice)
      • Data on individuals as part of their participation in a product or service
  • NFER’s business operations
      • Job application data
      • Staff and temporary staff (including associates, markers and test administrators) data
      • Client contact information
  • Monitoring usage of our website (see the Cookie Policy).

What do we do with personal data?

NFER ensures that it protects data that it has collected or received from a third person. We only use it for the purpose for which it was collected and store it in appropriately secure systems. We only keep data for as long as it is needed (usually until the specific project is complete), and then it is securely disposed of.

We do not sell any personal data collected during the course of our work to third parties. If personal data is being shared with a third party, then this activity will be covered in an activity-specific privacy notice.

No data is transferred outside of the European Economic Area (EEA) unless appropriate safeguards are in place.

We do not use personal data to take automated decisions. If this situation changes, details will be made available.

How do we ensure individuals’ data rights are met?

NFER handles your personal data in accordance with the rights given to individuals under data protection legislation. We make available specific privacy notices for each project or activity that we undertake. If at any time you wish us to withdraw your data or correct errors in it, please contact us. In certain circumstances, data subjects have the right to restrict or object to processing. They also have the right to see information held about them. If you want to make a request for access to data or to have other data rights observed, please contact our Compliance Officer. We will also cooperate fully when a subject access request is made of any data controller we are working with.

If you have a concern about the way NFER processes personal data, we request that you raise your concern with us in the first instance (see the details above). Alternatively, you can contact the Information Commissioner’s Office, the body responsible for enforcing data protection legislation in the UK.

Visiting the NFER website 

When you visit the NFER website, we use a third party service, Google Analytics, to collect standard internet log information and details of visitor behaviour patterns. We do this to find out such things as the number of visitors to the various parts of the site. This information is only processed in a way which does not identify anyone. We do not make, and do not allow Google to make, any attempt to find out the identities of those visiting our website. See the Cookie Policy for further details. In addition, you can consult the Google Analytics privacy policy.

From time to time, we will offer visitors to the website the opportunity to be notified about the publication of reports or opportunities to participate in research studies. Any personal data collected to do this will only be used for this purpose; it will not be used for any other marketing activities or shared with third parties. Once the notification has been sent or passed to the team responsible for the research, data is securely deleted from the website. The lawful basis for such processing activity is legitimate interest (GDPR Article 6 (1) (f)).

Social media interactions

We use a number of third party services, for example Meltwater, Twitter’s Analytics software, to monitor social media interactions. This helps us to respond to your comments and feedback, understand how NFER is perceived outside of the organisation and gain additional insight into how to share our research outputs to ever larger audiences. Although these tools collect personal data (your name and username), we do not use this information. We only analyse and report on the volume of interactions (comments, likes, re-tweets etc.). For further details, see our marketing activity privacy notice.

How do we keep school data up to date?

NFER holds a database of all schools in the United Kingdom. We use this database to:

  • select groups of schools to invite to take part in research or test development exercises
  • inform schools about the range of services, products and resources that NFER offers which may be useful to schools
  • share the outcomes and results of research that the NFER has carried out.

We keep the database up to date through the use of national datasets and through the ongoing communication we have with schools. It will also be updated:

  • through matching to Government schools data sources and other available school data sources
  • through the use of enquiry and registration forms on NFER-managed websites
  • when schools purchase any of our products or services through our online booking system
  • when schools voluntarily provide details to us either online or offline, for example attending an event.

We endeavour to update data on schools within a week of notification of a change; if you notice that our data is out of date at any point, please let us know by emailing

NFER staff and data protection and security

NFER visits schools and other settings to undertake research or test development projects. All staff working directly with children, young people or vulnerable adults will have a current Disclosure and Barring Service Check (DBS). DBS checks are updated at least every three years.

Any visitors from NFER will have previously contacted you personally before visiting and will have an ID badge.