GDPR Compliance Statement
The new General Data Protection Regulation (GDPR) brings new responsibilities to both data controllers and data processors who offer services to people within the European Union (EU).
SchoolCloud are committed to high standards of data security and privacy. We have taken steps to ensure our services comply with the GDPR as of 25th May 2018.
Overview
We've always taken data security and data privacy very seriously. We welcome the new GDPR as we believe it clarifies individual privacy rights and brings greater responsibilities onto organisations who control or process data.
The GDPR brings new regulations on how organisations manage personal data. Personal data is any information which could be used directly or indirectly to identify a person.
How we've prepared for GDPR
We've identified the personal data held and collected on our systems and undertaken a review to ensure this is appropriate for the service we offer.
For example: we've removed the parent phone number from the system. Although it was useful to see in order to follow up with parents, it wasn't directly used by the system.
- We've made changes to how data is removed from SchoolCloud Clubs & Events to satisfy the Right to Erasure.
- We've updated our Terms & Conditions, and Privacy Notice to include appropriate clauses for GDPR which is effective from 25th May 2018.
- We've introduced a new End-User Privacy Notice which is effective from 25th May 2018.
- We've coordinated with our suppliers to ensure we have agreements with them which include appropriate clauses for GDPR.
Data held on SchoolCloud Clubs & Events
We act as data processors for any data held on SchoolCloud Clubs & Events by you, your school, or end-users of your school (such as parents or teachers). Personal data includes, but is not limited to: student data, teacher data, and parent data. It is your obligation as the data controller to ensure there is lawful basis for processing. We do not share this data with third-parties, though we may access this data as part of making improvements to our service and providing support to schools when requested.
We also act as data controllers when we create aggregated statistical data which may be derived from personal data, but is not considered personal data in law as it cannot be used directly or indirectly to identify a person.
What personal data we hold
- Student Data: first name, surname, registration class, date of birth, year group, MIS ID
- Contact Data: title, first name, surname, relationship to student, parental responsibility to student, contact priority to student, email address, MIS ID
- Teacher Data: title, first name, surname, email address, MIS ID
Where data is held
All data held on SchoolCloud Clubs & Events is within the European Economic Area (EEA). We do not transfer this data outside of the EEA.
We host with one of the top managed hosting providers in the United Kingdom. We maintain a rolling three months of backups which are encrypted using AES-256.
Please click here for a list of sub-processors.
How data is kept secure
We employ appropriate technical and organisational security measures for the types of data we store. Our managed hosting provider, ANS, is ISO 27001 & ISO 9001 accredited and ranks amongst the very best in the industry. They offer physical security such as 24/7 security staff, extensive CCTV covering the building and each aisle, intruder alarms, proximity card readers and perimeter prison fencing.
Subject access requests from end-users
As data processors, we are obliged to pass on to the school any subject access request by an end-user and not respond directly to the end-user. An end-user could be a parent, student, teacher or administrator of the system. We will assist the school in responding to any subject access request.
What happens if you stop using the system
This section takes effect as of 25th May 2018
While it's rare for a school to stop using SchoolCloud Clubs & Events, we only retain personal data for as long as necessary. You can retrieve a copy of all personal data using the export features within the administration panel while the system remains active during your trial period or paid licence period.
We delete personal data 30 days following termination of your licence or after six months of inactivity if you have a trial system. We terminate the licence 60 days after the renewal date if no payment has been received for the renewal.
Features to help comply with GDPR
Syncing data with your school management system
Whenever you choose to sync data from your school management information system (MIS), we add new data, update existing records with the latest information from your MIS, and delete records which are no longer relevant or no longer appear in your MIS. Most MIS suppliers are implementing controls to restrict sharing personal data via their APIs where you, as the data controller, do not wish it to be shared with third parties. Please contact your MIS supplier directly with any questions.
Exports for data portability
It's possible to export data added to SchoolCloud Clubs & Events to spreadsheets to satisfy data portability. You can export all bookings for a particular parents' evening or event from the Appointments or Bookings pages retrospectively. This process can be repeated for each parents' evening & event for which you wish to export data. It's also possible to export a list of parent details, including links to students.
Data held about Schools
We act as data controllers for any data we collect about customers in order to provide SchoolCloud Clubs & Events service and support to your school. Customer personal data includes, but is not limited to: technical contact details, finance contact details, phone call details, and the content & attachments of any emails sent to us.
Where data is held
Data is stored on production systems hosted by AWS and in backups hosted by AWS. Please click here for a list of sub-processors.
Transfers of customer personal data
While we're based in the UK, we use suppliers outside the EEA to run our business. Customer personal data (though not end-users such as parents, students or teachers) may be transferred outside the EEA to suppliers who demonstrate sufficient safeguards on data using agreements containing Standard Contractual Clauses.
Where a legal basis of processing applies, we may share your personal information with a third-party processor, FreshDesk, that we engage to provide you with the products and services you require. This third party may need to process your personal information on our behalf to provide such services.