GDPR Policy

Data Protection and Transfer Agreement

Change Date

Changed By:

Change Description

Changed Authorised by:

26/03/2014          

Ian Hargreaves          

Creation of Data Protection and Transfer Agreement          

Sam Warnes

04/05/2016

Ian Hargreaves

Addition of EDClass and SIMS integration

Sam Warnes

15/09/2016

Ian Hargreaves

Addition of EDVirtual 

Sam Warnes 

01/12/2017

Lee Bell

Addition of EDCLass +

Sam Warnes

02/02/2018

Lee Bell

GDPR Amendments v1

Cara Radford

23/02/2019

Lee Bell

GDPR Amendments v1.3

Cara Radford

19/04/2019

Lee Bell

GDPR Amendments v1.4

Ian Hargreaves

14/05/2019

Lee Bell

GDPR Amendments v1.5 AWS Encrypted server at rest installation

All Staff GDPR Level 2 complete.

AWS security resources

Ian Hargreaves

26/06/2018

Cara Radford

Amendments to WONDE data requests 

Lee Bell

30/11/2018

Lee Bell

Removed old server information and added AWS security

Ian Hargreaves

10/01/2019

Lee Bell

Section Added: Homeworking

Ian Hargreaves

EDClass Ltd covering businesses EDClass and EDQuals EDClass is an online e-learning resource that requires the procurement of student and teacher data to help create user accounts effectively and efficiently.

DATA Protection Agreement Ensures: Edclass Ltd complies with GDPR May 25th 2018 Protects rights of Staff, Customers and our partners in business

Transparent in the handling of data Ensure good practice regards data handling

RISK:

Responsibilities of Data within Edclass Ltd is the responsibility of all staff, knowing and understanding data policy. Main responsibility will be with the board of directors, and the data protection officer will continually inform the board of directors of any risk and will be responsible for continual risk assessment. With the office of Edclass Ltd, or any 3rd party businesses premises. Product Development Manager will be responsible for all future system upgrades, and safe integration of any data transfer. All current Edclass Ltd employees hold GDPR level 2 certificates, future employees undergo basic GDPR awareness courses during induction and will be expected to undergo Level 2 training by the end of any probationary period. 

DATA REQUIRED & PURPOSE:

The data required is to create user accounts in the Edclass system, the users have chance to create and or update information including usernames and passwords.

The student data can only be viewed and edited by authorised users who are given this level of access permissions, by the consent of the establishment, i.e. teaching staff. Teaching staff however, can only be defined to particular individuals and/or groups, if desired. All user events are comprehensively logged, allowing an audit trail of what events have been completed and by which user.

The data currently requested is a student profile is to enhance the correct level of teaching for that student. As a preferred alternative provision its invaluable an educational establishment and Edclass Ltd communicate and share data to achieve best outcomes and the upmost safeguarding for students using the provision.  Required details and reason why are outlined below and the reasons this data is needed.  Date is requested via WONDE, these can be found at www.wonde.com , (WONDE GDPR document also supplied) Data needed includes Forename, Middle Name, Surname, Date of Birth, Year group, Language, Special Educational Needs, predicted subject levels/grades, achieved subject levels/grades. 

Student Profiles are manually added by school and are not mandatory fields when adding to offsite seats only: Both Edclass Ltd and Academic establishments aim to work for best results and student profiling is key. Additional information requested is only for the purpose of essential data for students on offsite “seats.” This includes academic levels, SEN needs, SEMH, attendance, behaviour. (Mid-term development this information will be loaded automatically via MIS integration with secure connection via WONDE) 

Additional Safeguarding information will be requested to protect staff from the allocating school, staff from Edclass Ltd as well as increasing the protection of the student concerned. This data is to be collated under legitimate intentions and communication will be via a recorded phone call or via institute emails only. Data captured will be retained in a fully secure environment, with privileged access. All identifiable data will be soft deleted when no longer required or requested by the school in writing. “No longer required” will be September 1st following leaving year 6, year 11 or Year 13 dependent on type of academic establishment. Schools will be responsible to back up all their data prior to deletion and will be responsible for the data based on their own GDPR policy. 

The benefits of data being used by the Edclass system: 

  • To identify users

  • To help mass upload the data to create accurate and correct user accounts (reduces human error)

  • To help track and monitor attendance, performance and attainment of all users

  • The data would help with the filtering of user cohorts

  • To save time for the end user to input individual accounts

  • Using WONDE: Ensures encrypted data between MIS system and Edclass Ltd for staff and students. 

  • Accounts can be manually configured anonymously

  • All electronic data will require a password to access, when stored on local PC’s, they will be password protected for access, as well as the corresponding data having additional password protection. 

  • No encrypted data to be transferred at the same time with access passwords. 

  • As an AP it’s invaluable to have a continuous working partnership with schools aiming for the best outcomes of their students. 

Edclass Ltd aim not to print out any sensitive data, in the event of this happening all paper will be stored safely until shredded or passed to the person who the data refers to.

Edclass Data Protection Policy for MIS Integration

For Edclass to work effectively the system requires student and teacher information from the MIS to allow the resource to help track each student’s performance, activity and progress.

The data given by schools is fully under their control, and we abide by very stringent policies and procedures in storing and processing any data received. This document highlights and details what data is captured, along with the reasoning for such a capture. This policy specifically targets the account creation on the Edclass system for both students and teachers who will use the resource.

We capture and store the following student data also highlighting why the system requires this particular piece of data:

  • Preferred Forename - Identifying reasons

  • Middle Name(s) - Identifying reasons       Names help to create a default username to access the system

  • Preferred Surname – Identifying reasons

  • Gender – To help with filtering and monitoring of performance and progression i.e. filter all Year 9 girls in Maths

  • Date of Birth – To help with identifying those students with the same name and to create a default password to access the system dd/mm/yyyy

  • Behaviour -  Enable students to receive behaviour repair work lessons

  • Groups Classed and Subjects – Enable staff to allocate supporting work to all students quickly and efficiently

  • SEN – to help teaching staff best assist any student using the virtual classroom

  • Timetable – Speed up processes, identify bandings, enable school Edclass to have a closer working relationship 

  • Photo – this is optional, and will only be visible with students within the virtual classroom, this is to identify the students online are who they say they are, and gives an extra layer of safeguarding.  

The teacher data captured by Edclass is:

  • Title – Addressing communications correctly

  • Preferred Forename

  • Middle Name(s)   Names are used to identify user and help to create username

  • Preferred Surname

  • Initials  

  • Position

  • Class – To show and permit teachers to view their own groups, and highlight to SLT who supervises this group. This helps with reports and assessment.

  • Subject – Indicates what subject the above class is studying

Passwords: Teachers will be asked to set new passwords at the first time log in. Passwords: Students are unable to change passwords once set at integration. 

The student and teacher data is collected via an export from your designated MIS programme using WONDE (Data Protection Policy, supplied separately) all data is up-to-date according to the MIS data gathered and stored from the school. The update isn’t 24/7 it is only requested once per week and will ensure keeping the Edclass system up to date, with new students or leavers. Edclass ltd will require written conformation to delete any school leavers.

Students and teachers are assigned usernames and passwords that protect access to the Edclass system and ensure that students only access the relevant area, and that teachers can only access the student data relevant to them and their school.

All data is stored and backed up using a secure server, which features SALT encryption technologies and firewalls to protect the information being accessible by any other party. The Edclass team are all certified and trained to the latest policies for data protection; certificates can be viewed upon request.

All data is stored and backed up using a secure server, which features SALT encryption technologies and firewalls to protect the information being accessible by any other party. The Edclass team are all certified and trained to the latest policies for data protection; certificates can be viewed upon request. 

Data servers used by Edclass Ltd are an AWS platform with further advanced encryption, means all data is encrypted during transit and at rest. The system has managed threat detection and enhanced firewall protection.

Security Resources can be found at the following address https://aws.amazon.com/security/security-resources/ 

AWS servers, SQL databases. Locked to authorisation from 2 IP locations with SALT encryption. Authorised personnel need to make an Access Request from 2 IP locations in order to access data. Which comes with traceable date and time stamped.

The data viewed by the Edclass team is to locate a student/teacher username and password, should any information be forgotten and help to the user(s) is required. Again, all user events are comprehensively logged, allowing an audit trail of what events have been completed and by which user.

WONDE Data Protection Policies if not attached can be found at web addresses below

This document should help specifically:

https://www.wonde.com/downloads/Wonde%20-%20Security%20Information.pdf 

Other documents available on www.wonde.com/documents. With these, you'll be able to find more details regarding where data is stored (AWS Ireland) and reassurance that data is encrypted end to end at both transit and at rest. There will be more information to come that will be released to schools in due course.

Student and staff data will be added to the system via and encrypted service through WONDE offering the highest protection.

Edclass Data Officers then make sure that information is destroyed under the Edclass Ltd Data Protection Policy, breach of such policy leads to disciplinary procedures.

The alternative for the educational establishment is to enter data into the system themselves, and/or create anonymous accounts.

Staff Homeworking Edclass Ltd enforces high level security and all access is monitored and recorded. Limited authorised staff has access to the system to be able to work from home. Edclass Ltd has strict criteria for this to be allowed. Laptops / Desktops must be password protected for entry. Only two areas to be accessed from home:

Mark sheet Content creation The only student data available from home will be Student name and school name for marking purposes, all other data is unavailable. Edclass Ltd has a fully tracked auditing system, for the protection of all staff and data.

DATA Breach

Edclass Ltd will immediately on recognition of a breach assess the level and consequence of the breach and notify any affected parties. Where a serious breach has occurred, the ICO will be immediately informed and the people affected will also get notification instantly. Where a data breach will not harm the end user a public notice will be released.  The response for data breaches will be within 72 hours.

Sharing Safeguarding information

The sharing of safeguarding data supersedes GDPR If it’s believed gaining consent regards the sharing of a child’s personal data would put that child at risk; consent does not have to be gained. It is expected that professional agencies and organisations that the data will be shared with as a necessity for the protection and welfare of a child to have all safeguarding practices in place. 

Right to be forgotten People under the age of 16 will not have the right to be forgotten, but being an educational establishment where data may be needed in a legal defence, this data will be stored in a safe encrypted at rest area for 7 years. If known the student is a LAC (looked after child) this data will be kept for 75 years. All data is soft deleted on September 1st after leaving their educational establishment, and only selected individuals with enhanced security access will be able to recover data. (Safeguarding will always overrule GDPR and this is given priority for the protection of the learner, school staff and Edclass staff)

ICO registered Registration Number A8729113 Expires 27/08/21

Subject Access Request

At any point an individual or company have rights under section 7 of the DPA to request from Edclass Ltd all information held on them as a company or individual. Edclass Ltd will acknowledge this request within 5 days and supply the information within 28 days. Where data is supplied electronically there will be no additional cost, however if requested hard copy , this will be sent by special delivery and there will be a standard administration charge of £10 and a maximum of £50 dependent on the amount of data. Data can only be requested in writing and can be supplied encrypted in .pdf format or sent as hard paper copy. 

The data is not shared with any other party.

Up-to-date Data GDPR certificates for staff can be viewed on request. 

All hardware and software security incidents incurred by users are those set out and adhered to by the establishment’s policies.

Yours Sincerely

Sam Warnes

Managing Director and Creator of Edclass Ltd