GDPR, Data and Privacy Information

This article is designed to support schools and groups to complete a Data Protection Impact Assessment about their use of Pobble.

Please refer to our Legal Introduction for links to our full Terms of Service, Privacy Policy, Child friendly privacy policy and DPA.

This list is alive and growing, so if there's any questions not answered here that you need to know, please email 


Please provide an introduction to Pobble

Pobble is an online platform that supports the teaching of writing in schools. As a BETT award winning supplier, supported by the Department of Education through the EdTech Innovation Fund, Pobble is well known and used in UK and international schools with tens of thousands of teacher and pupil users every week.

Pobble provides two main packages, Teaching and Learning (T&L) and Moderation. Pobble also has a free account for teachers to try out various aspects of both these packages. 

The T&L tools are designed to support writing in schools, reducing teacher workload and engaging pupils in writing, leading to improved attainment. As well as tools internal to a school (such as accessing resources and example texts, creating and sending lessons to pupils, receiving work submissions, peer and self-feedback etc.), Pobble also enables teachers to publish work to an external school celebration page. Published work can be viewed and commented on by registered Pobble users from all around the world, providing a real audience and purpose for pupils’ work.

The moderation tool is designed to support schools, groups and Local Authorities with their statutory and non-statutory moderation requirements. Using the tool, teachers can share pupils’ writing outside of their school setting with other teachers and moderators, to support assessment and moderation.

In order for the platform to function, Pobble has teacher, pupil and parent accounts, each with various levels of access.

As part of Pobble's funded work with the Department for Education, Pobble successfully applied to the Information Commissioner's Office (ICO), Innovation Hub to support in the development of our terms and privacy policy. As such, Pobble relies on Legitimate Interest as the legal basis for processing user data. 

Although nearly all of Pobble's features can be used by teachers and schools immediately upon sign up, we highly recommend that schools notify parents prior to using Publishing (where pupils' work is shared on a school celebration page, viewable by anyone in the Pobble community). Please note any work shared outside of the school community for publishing and moderation is anonymised and so should not contain any personal data.  

Parents can sign up for an account directly through the landing page and their accounts can be connected to a pupil account through a code. Once connected, a parent will receive an email directly from Pobble linking to their child’s work every time a piece of work is published on Pobble.

Only verified teachers on the platform can select work to be published, and any comments left by non-verified teachers are centrally moderated by Pobble. 

Schools, school groups or teachers may purchase Pobble directly to enhance teaching and learning or assessment and moderation. 

Local Authorities, who have a statutory requirement to deliver moderation and moderation training may purchase Pobble's T&L and Moderation tools on behalf of schools. 

What pupil information is needed to operate Pobble?

Pobble requires the following information in order to create a pupil account, required for the correct operation of the platform:

  • First name
  • Second name
  • Age group
  • Groups 

This information can be provided through a manual upload, or via synchronisation with an MIS via Wonde.

Is any personally identifiable data held?

Yes, we store pupils' names, age group and any other groups the school wishes to add. All data provided will be stored, unless a user specifically requests us to delete some data. We use AWS PostgreSQL product to store data. We use S3 to store uploaded media (works of students).

What is a Group?

Groups allow you to group your pupils in Pobble, for example to identify classes or similar. Groups can be added manually, or synced from your MIS.

If a child’s work is uploaded, where does it go? 

When a teacher uploads work (or has work submitted to them after being uploaded by a child) via the Pobble platform, it is stored in Pobble's database which is located on Amazon Web Services cloud databases. All work can be found in the school "evidence bank" on the Pobble platform which is only accessible by verified teachers of that school. All work is attached to pupils in the platform, so teachers within the pupils' school can identify who created the work. 

A teacher can create a moderation file, which contains a selection of pieces of work for a particular child. This can then be shared with another teacher or moderator outside of their school for moderation purposes. The platform anonymises the work when shared outside of the school it originated from (i.e. the person who receives the moderation file cannot tell the name of the child). The work remains stored in the Pobble database. 
When a piece of work is published, it will be shown on a school's celebration page. The work will be anonymised for Pobble users outside of the child's school community.  

Is it possible to identify the child from published work or moderation files?

No, although every piece of work in Pobble is tagged to an individual child this connection is only viewable by teachers within the child's school (so teachers know which work belongs to which pupil). For pieces of work that are published, or part of a moderation file, the child's name cannot be viewed by users outside of the school and as such that piece of work is anonymised. 

Are any comments/notes recorded against the child’s work?

Notes and comments can be recorded against a moderation file. However, since moderation files are anonymous, no personally identifiable information should be added to moderation files (as they simply discuss the level of progress made by that child). 
Comments can be left on published work, and we remind all users not to use personally identifiable information in these comments. As a double safety measure, all comments left by un-verified teachers are centrally moderated by the Pobble team. 

How long is data retained once a school has ceased using Pobble?

As per clause 10 of our privacy policy, personal data (including content uploaded to the platform) is retained for 5 years. However, any teacher can remove a piece of work from their own school whenever needed, and a user can request the deletion of their data (and work) at any time.

Is access to pupil data restricted for Pobble staff bar the select few who administer the system?

Only Pobble employees who have a need to access the data to administer the system can access any user data. All employees are DBS checked and employ 2FA on their machines.

Is the data hosted in the UK?

Our data is hosted in Europe with Amazon Web Services (AWS).

Is school's data backed up when using the system?

Data, including backups, are encrypted on disk, including the temporary files created while running queries. We use standard daily AWS RDS backups.

Is data encrypted in transit and at rest?
All Managed Disks, Snapshots, and Images are encrypted using Storage Service Encryption using a service-managed key in AWS. The Database for PostgreSQL service uses the FIPS 140-2 validated cryptographic module for storage encryption of data at-rest. Data, including backups, are encrypted on disk, including the temporary files created while running queries. All data in-transit is encrypted with Transport Layer Security (SSL/TLS). 
Is there any extra security for areas where back ups are stored?
Storage encryption is always on and can’t be disabled. All Managed Disks, Snapshots, and Images are encrypted using Storage Service Encryption using a service-managed key in AWS. All data in-transit is encrypted with Transport Layer Security (SSL/TLS). 
Is the portal which schools will log into encrypted? 
The connection is encrypted with https.

What are the Business Continuity and Disaster Recovery time scales?

We have our own in-house development team who can be available 24 hours a day to deal with any critical issues. As a result, we will start working immediately on solutions as soon as any critical issue is brought to our attention. Since we serve schools all over the world, the platform is only taken down for maintenance in exceptional circumstances, and always for very short timescales. Pobble's uptime was higher than 99.9% over the last 12 months.

How is data deleted?  Is it cryptographic erasure? (where instead of deleting, data in the cloud is rendered unreadable by deleting the encryption keys needed to decrypt it).
It is not cryptographic erasure. We do a regular delete whereby data is fully recoverable, and upon a GDPR request we either hard delete data (on PostgreSQL level) or when we are not able to delete the data (due to reliance of SQL associations) we override the data values with different faked values. 

Is there any requirement for visitor escorts when visitors are on site at Pobble HQ?
No. All Pobble employees work remotely, therefore no files/data are stored 'offline' in the company headquarters.
Do Pobble staff have training on data security?

Yes, we have mandatory onboarding training on data security for new employees and we conduct annual refresher training for all employees on data security. 

Are there internal policies which dictate how staff should handle personal information such as a data security policy?

Yes, we have an internal data security policy which outlines for staff how the measure they should take when handling personal information (although as mentioned, most staff do not have access to the personal data of users).