GDPR Policy

Data Protection and Transfer Agreement

You can view EDClass's GDPR policy by clicking here.

You can view EDClass's DPIA document by clicking here.

EDClass Ltd covering all its production entities of the EDClass online alternative provision platform:

EDClass Ltd operates a SaaS (Software as a Service) by way of EDClass. EDClass is an online education service to help students engage in their learning when not attending their mainstream classes.

EDClass offers students the opportunity to engage in education away from the traditional classroom by providing online support and supervision from UK qualified teachers. EDClass teaching, support and supervisory colleagues will work with students/ pupils to help raise their attainment levels, improve engagement and subsequently increase attendance.

Use of student data will be to help educate, engage, safeguard, supervise and monitor students at home and at school.  This will be through the access to an online web system which requires the use of a device web cam, speakers and microphone.


DATA Protection Agreement Ensures:

EDClass Ltd complies with Data Protection Act 2018 Including UK GDPR Protects rights of Staff, Customers and our partners in business Transparent in the handling of data

Ensure good practice regards data handling


RISK:

Responsibilities of Data within EDClass Ltd is the responsibility of all staff, knowing and understanding data policy. Main responsibility will be with the board of directors, and the data protection officer will continually inform the board of directors of any risk and will be responsible for continual risk assessment. With the office of EDClass Ltd, or any 3rd party businesses premises.

Product Development Manager will be responsible for all future system upgrades, and safe integration of any data transfer.


DATA TRANSFER/ DATA PROCESSING AGREEMENT, REQUIREMENTS & PURPOSE:

EDClass Ltd operate under the auspices of Article 6 of the UK GDPR 2018: the lawful basis for processing data is for contractual purposes.

All current EDClass Ltd employees hold GDPR level 2 certificates, future employees undergo basic GDPR awareness courses during induction and will be expected to undergo Level 2 training by the end of any probationary period. ALL EDClass Ltd colleagues, as part of their onboarding and contractual obligations follow the company’s policies and procedures handbook, which includes, but not limited to, safeguarding, internet usage, conduct and standards, GDPR and confidentiality policies and procedures.

The data required is to create user accounts in the EDClass system, the users have chance to create and or update information including usernames and passwords.

The student data can only be viewed and edited by authorised users who are given this level of access permissions, by the consent of the establishment, i.e. teaching staff. Teaching staff however, can only be defined to particular individuals and/or groups, if desired. All user events are comprehensively logged, allowing an audit trail of what events have been completed and by which user. 

The data currently requested is a student profile is to enhance the correct level of teaching for that student. As a preferred alternative provision its invaluable an educational establishment and EDClass Ltd communicate and share data to achieve best outcomes and the upmost safeguarding for students using the provision.

Required details and reason why are outlined below and the reasons this data is needed. Date is requested via WONDE, these can be found at www.wonde.com , (WONDE GDPR document also supplied) Data needed includes Forename, Middle Name, Surname, Date of Birth, Year group, Language, Special Educational Needs, predicted subject levels/grades, achieved subject levels/grades. https://www.wonde.com/wp-content/uploads/Data-Processing-Agreement-Wonde.pdf 

Student Profiles are manually added by school and are not mandatory fields when adding to offsite seats only: Both EDClass Ltd and educational establishments aim to work for best results and student profiling is key.

Additional information requested is only for the purpose of essential data for students on offsite “seats.” This includes academic levels, SEN needs, SEMH, attendance, behaviour. (Mid-term development this information will be loaded automatically via MIS integration with secure connection via WONDE)

Additional Safeguarding information will be requested to protect staff from the allocating school, staff from EDClass Ltd as well as increasing the protection of the student concerned. This data is to be collated under legitimate intentions and communication will be via a recorded phone call or via institute emails only.

Data captured will be retained in a fully secure environment, with privileged access.

All identifiable data will be soft deleted when no longer required or requested by the school in writing. “No longer required” will be September 1st following leaving year 6, year 11 or Year 13 dependent on type of academic establishment. Schools will be responsible to back up all their data prior to deletion and will be responsible for the data based on their own GDPR policy.

The benefits of data being used by the EDClass system:

  • To identify users
  • To help mass upload the data to create accurate and correct user accounts (reduces human error)
  • To help track and monitor attendance, performance and attainment of all users
  • The data would help with the filtering of user cohorts to save time for the end user to input individual accounts
  • Using WONDE: Ensures encrypted data between MIS system and EDClass Ltd for staff and students.
  • Accounts can be manually configured anonymously
  • As an AP it’s invaluable to have a continuous working partnership with schools aiming for the best

EDClass Ltd aim not to print out any sensitive data, in the event of this happening all paper will be stored safely until shredded or passed to the person who the data refers to.

Data Protection Impact Assessment (DPIA):

The establishments who wish to commission the EDClass SaaS can send the relevant questionnaire and due diligence checks to the EDClass DPO and all relevant information will be submitted. To help any establishment with this process EDClass has not only conducted its own DPIA (available on request), but external organisations have also audited and published a DPIA of the EDClass SaaS.

Visit: https://school.wonde.com/application/edclass/security?signature=545fdbe7536b959ae4f2d2936b4f2a0f1a27b830cbda952de1dc3c1a319011f4 

EDClass Data Protection Policy for MIS Integration:

For EDClass to work effectively the system requires student and teacher information from the MIS to allow the resource to help track each student’s performance, activity and progress.

The data given by schools is fully under their control, and we abide by very stringent policies and procedures in storing and processing any data received. The processing of such data is for daily running and usage by school/ academy users (both student and teacher) and the processing to identify user and deliver good effective customer service and technical help when users require. This document highlights and details what data is captured, along with the reasoning for such a capture. This policy specifically targets the account creation on the EDClass system for both students and teachers who will use the resource.

We capture and store the following student data also highlighting why the system requires this particular piece of data:

  • Preferred Forename - Identifying reasons
  • Middle Name(s) - Identifying reasons                    Names help to create a default username to access the system
  • Preferred Surname – Identifying reasons
  • Gender – To help with filtering and monitoring of performance and progression i.e. filter all Year 9 girls in Maths
  • Date of Birth – To help with identifying those students with the same name and to create a default password to access the system dd/mm/yyyy
  • Behaviour - Enable students to receive behaviour repair work lessons
  • Groups Classed and Subjects – Enable staff to allocate supporting work to all students quickly and efficiently
  • SEN – to help teaching staff best assist any student using the virtual classroom
  • Timetable – Speed up processes, identify bandings, enable school EDClass to have a closer working relationship Photo – this is optional, and will only be visible with students within the virtual classroom, this is to identify the students online are who they say they are, and gives an extra layer of safeguarding.

If EDClass will form the only education for a student during a school week/ month/ term or is more than 16 hours per week, then students will be expected to onboard/ register on EDClass that conforms with the newly created Accreditation for Online Education Providers (OEAS) by the DfE . Should a student be formally admitted as part of the OEAS then further information from the schools/ academies MIS is required as compliance measures with the DfE standards. EDClass then takes on the roles and responsibilities as an unregistered alternative provision.


 The school still has the right to deny any these fields from being processed as compliance with both EDClass and WONDE policies which states:

“No information will be transmitted to a third party application (Data Processor) without approval from a school (the Data Controller). Third party applications are only permitted to request access of school data if they have a signed or agreed contract in place.”

https://www.wonde.com/wp-content/uploads/School-Data-Information-Security-Overview-V1.0.pdf

The teacher data captured by EDClass is:

  •  Title – Addressing communications correctly
  •  Preferred Forename
  • Middle Name(s)                                   Names are used to identify user and help to create username
  • Preferred Surname
  • Initials
  • Position – To allow for escalation of concerns with students
  • Class Groups – To show and permit teachers to view their own groups, and highlight to SLT who supervises this group. This helps with reports and assessment.
  • Subject Specialism – Indicates what subject the above class is studying

 Passwords: Teachers will be asked to set new passwords at the first-time log in.

Passwords: Students are unable to change passwords once set at integration.

Additional teacher data is given for those school/ academy colleagues who have a responsibility with the delivery of EDClass. This data is processed using Zoho CRM will be to provide effective customer service, help, advice and guidance when using or enquiring about the EDClass system.

https://www.zoho.com/crm/gdpr/

https://www.zoho.com/security.html

The student and teacher data is collected via an export from your designated MIS program using WONDE (Data Protection Policy, supplied separately) all data is up-to-date according to the MIS data gathered and stored from the school. The update isn’t 24/7 it is only requested once per week and will ensure keeping the EDClass system up to date, with new students or leavers. EDClass ltd will require written conformation to delete any school leavers.

Students and teachers are assigned usernames and passwords that protect access to the EDClass system and ensure that students only access the relevant area, and that teachers can only access the student data relevant to them and their school.

Data will be taken upon commencement of the annual contract term and any other collection during the contract term when there is a significant change or additional services required. The school/ academy would request this additional collection via verbal/ written consent.

All data is stored and backed up using secure AWS (Amazon Web Services) server (based in UK and/ or EEA territory), which features SALT encryption technologies and firewalls to protect the information being accessible by any other party. The EDClass team are all certified and trained to the latest policies for data protection; certificates can be viewed upon request.

All teaching interaction is recorded for safeguarding purposes. These recordings are processed and saved in the school/ academy’s own AWS S3 bucket provided by EDClass Ltd to help with the retrieval and or where

Schools/ academies have the ability to place student and teacher accounts directly on to their database version of the EDClass software. Entries can be made anonymously, however this will limit the functionality and features (especially safeguarding mechanism) of the EDClass service and platform.

Encryption: 

All data exchanged with Wonde Ltd and EDClass Ltd application and API is always transmitted via HTTPS using Secure Sockets Layer (SSL), a cryptographic protocol that is designed to protect against eavesdropping, tampering, and message forgery.

All data is encrypted at rest and during transit. Amazon Web Services uses the techniques detailed in DoD 5220.22-M (“National Industrial Security Program Operating Manual “) or NIST 800-88 (“Guidelines for Media Sanitization”) to destroy data as part of the decommissioning process.

Data servers used by EDClass Ltd are an Amazon Web Services (AWS) platform with further advanced encryption, meaning all data is encrypted during transit and at rest. The system has managed threat detection and enhanced firewall protection.

Security Resources can be found at the following address https://aws.amazon.com/security/security- resources/

AWS servers, SQL databases. Locked to authorisation from 2 IP locations with SALT encryption. Authorised personnel need to make an Access Request from 2 IP locations in order to access data. Which comes with traceable date and time stamped.

The data viewed by the EDClass team is to locate a student/teacher username and password, should any information be forgotten and help to the user(s) is required. Again, all user events are comprehensively logged, allowing an audit trail of what events have been completed and by which user.

WONDE Data Protection Policies if not attached can be found on their website. This document should help specifically:

https://www.wonde.com/wp-conte...

Other documents available on www.wonde.com/documents. With these, you'll be able to find more details regarding where data is stored (AWS Ireland) and reassurance that data is encrypted end to end at both transit and at rest. There will be more information to come that will be released to schools in due course.

Student and staff data will be added to the system via and encrypted service through WONDE offering the highest protection.

EDClass Data Officers then make sure that information is destroyed under the EDClass Ltd Data Protection Policy, breach of such policy leads to disciplinary procedures.

The alternative for the educational establishment is to enter data into the system themselves, and/or create anonymous accounts.

Data Audits:

EDClass Ltd endeavours to be fully compliant with all elements of the ISO certification frameworks 9001, 21001 and 27001. These       certifications mandate that audits are completed at least annually by an external agency Clear Quality Ltd (at time of publishing). Each ISO standard requires that internal audits are conducted more frequently and especially when a significant change has occurred within the business. At time of publishing EDClass Ltd conducts internal ISO audits monthly. Outcomes and assessments of said audits can be sent upon receipt of written request by the commissioner and contract holder of the EDClass system.

EDClass Ltd will, insofar as this is possible, allow for and contribute with the educational establishments (controller) obligations to demonstrate compliance via audits and/ or inspections conducted by the controller or another auditor mandated by the controller. EDClass Ltd must be made aware of the 3rd party auditor and evidence must be provided by the controller showing proof of due diligence of said auditing organisation.    

Staff Homeworking:

EDClass Ltd enforces high level security and all access is monitored and recorded. Limited authorised staff has access to the system to be able to work from home. EDClass Ltd has strict criteria for this to be allowed.

Laptops / Desktops are EDClass Ltd owned and password protected for entry. There is also MFA to accept individuals to work from home locations and access to cloud-based services contracted to EDClass Ltd.

The only student data available from home will be Student name and school name for marking purposes, all other data is unavailable.

EDClass Ltd has a fully tracked auditing system, for the protection of all staff and data.

DATA Breach:

EDClass Ltd will immediately on recognition of a breach assess the level and consequence of the breach. Where a serious breach has occurred, the ICO will be immediately informed and the people affected will be informed.

Where a data breach will not harm the end user a public notice will be released. The response for data breaches will be within 72 hours.

EDClass Ltd (in accordance with UK GDPR Article 28) will take into account the nature of the processing, assist the controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the controller’s obligation to respond to requests for exercising the data subject’s rights which directly involves EDClass Ltd and its products.

Sharing Safeguarding information:

The sharing of safeguarding data supersedes GDPR If it’s believed gaining consent regards the sharing of a child’s personal data would put that child at risk; consent does not have to be gained. It is expected that professional agencies (i.e. social services) and regulatory organisations (i.e. OFSTED) that the data will be shared with as a necessity for the protection and welfare of a child to have all safeguarding practices in place.

Sub Processors of Data:

The data used for the delivery and interaction of the online learning system is housed and stored within data servers with Amazon Web Services (AWS). This data is SALT encrypted in transit and at rest, this is detailed in the EDClass GDPR policy and stated previously in this document.

Institutional contact data of school/ academy colleagues is processed in Zoho CRM for customer service purposes, to help deliver effective customer service, advice and guidance on the EDClass system. For this to be achieved the data held is educational colleague:

  • Forename
  • Surname
  • Contact Telephone Number/ extension during school working hours (if different from school/ academy telephone number
  • Contact Institutional email address (for example name@school/academy.org)
  • School Address
  • School/ Academy Telephone Number

EDClass Ltd has conducted thorough due diligence checks and a DPIA with Zoho Inc as part of the onboarding process and for ISO preferred suppliers’ standards. More information regarding Zoho Inc can be seen via the website.

https://www.zoho.com/security.html

https://www.zoho.com/crm/gdpr/

Right to be forgotten:

People under the age of 16 cannot directly ask EDClass Ltd to have the right to be forgotten, but the contract holder (controller) can ask on behalf of an individual. Being an educational establishment where data may be needed in a legal defence, this data will be stored in a safe encrypted at rest area for 7 years. If known the student is a LAC (looked after child) this data will be kept for 75 years, in accordance with The Limitations Act 1980. All data is soft deleted and archived on September 1st after leaving their educational establishment, and only selected individuals with enhanced security access within EDClass Ltd will be able to recover data. After the allotted time span explained in this policy, the data is then permanently deleted and evidence of the database deletion/ destruction certificate and log can be viewed up on request. (Safeguarding will always overrule GDPR and this is given priority for the protection of the learner, school staff and EDClass staff).

Returning of records:

ALL teacher/ teaching interaction and engagement is recorded and saved by EDClass Ltd. These recordings are saved using the AWS S3 bucket structures. Each contract/ school/ academy will be provided with an AWS S3 bucket. Access credentials for the S3 bucket will be granted to the authorised personnel named by the school/ academy. ALL processing with the S3 buckets are logged.

The S3 buckets are archived for the timespan as outlined under the “right to be forgotten” sub heading within this GDPR policy. 

End of contract and Deletion of records:

The following steps can be found in the EDClass Ltd “Life Cycle and Disposal Policy”.

The first step taken by EDClass Ltd is to archive ALL data once an educational establishment has been relinquished from or has ended their contract, this complies with the EDClass Ltd safeguarding policy and “right to be forgotten” clause within this document. When the term has lapsed, the next stage is for permanent deletion of records within the database.

When a database is permanently deleted from the EDClass Ltd databases a copy of the steps to ensure deletion are copied/ print screen and shown as evidence, because once an item from the database is deleted it is not possible to show an instance of data which subsequently is not present.

 

Subject Access Request:

At any point an individual or company have rights under section 7 of the DPA to request from EDClass Ltd all information held on them as a company or individual. EDClass Ltd will acknowledge this request within 5 days and supply the information within 28 days. Where data is supplied electronically there will be no additional cost, however if requested hard copy, this will be sent by special delivery and there will be a standard administration charge of £10 and a maximum of £50 dependent on the amount of data.

Data can only be requested in writing by the controller and commissioner of the EDClass Ltd Service Level Agreement, which can be supplied encrypted in .pdf format or sent as hard paper copy.

This data is not shared with any other party.

ICO registered 

Registration Number ZA783019

Cyber Essentials Certified https://edclass.com/cyber-essentials

ISO Standards: (certificates can be seen upon request)

ISO 9001

ISO 21001

ISO 27001

 

Up-to-date Data GDPR certificates for staff can be viewed on request. 

All hardware and software security incidents incurred by users are those set-out and adhered to by the establishment’s policies.

Yours Sincerely

Sam Warnes

Managing Director and Creator of EDClass Ltd