Introduction

The EU General Data Protection Regulation (“GDPR”) came into force across the European Union on 25^th May 2018 and brought with it the most significant changes to data protection law in two decades. Based on privacy by design and taking a risk-based approach, the GDPR has been designed to meet the requirements of the digital age.

ReallySchool is NetSupport’s cloud-based solution for schools to use to evidence learning, assessment and progress, as well as communicate with parents.  School staff can access ReallySchool via an app which is available on Android and iOS tablet devices, and via a portal which is available on laptops, PCs, Macs etc. Additionally, parents can access their own version of the portal and app. The parent app is also compatible with mobile devices, so they can receive information about their child on-the-go.

ReallySchool stores and processes Personal Data and, as such, is impacted by the GDPR. The aim of this document is to provide you with all the information you need relating to the use of ReallySchool to ensure that Personal Data is processed in accordance with these new regulations.

How does ReallySchool process Personal Data?

Authorised users enter or import data into ReallySchool either via our secure portal or mobile app. All data is transferred over a secure HTTPS/SSL channel.

Access to any (Personal) Data requires username/password authentication. Access to specific data is restricted by a centralised policy based on the user’s role. For example, a parent of one child would not be authorised to see data pertaining to another child.

Where is the Personal Data stored?

Data is stored in Microsoft Azure Cloud datacentres based in the EU.

The data is stored in various data repositories:
 – Personal (textual) Data is stored on SQL Databases (encrypted, password-protected, firewalled)
 – Observations are stored in a MongoDB database (not encrypted, firewalled, not password-protected)
 – Images and other media are stored on a file system (not encrypted, firewalled and password-protected)

The NetSupport cloud is hosted on Microsoft Azure in the UK south region. For information on the physical security of the Microsoft Azure Datacentres, please see
https://docs.microsoft.com/en-GB/azure/security/azure-physical-security

What Data is collected and stored?

The tables below list all the personal information that is stored by ReallySchool.

Relational and static data

Dynamic Data and documentation

ReallySchool and the GDPR Data subject rights

The GDPR defines 8 rights of the individual with regard to the processing of Personal Data. Part of complying with the new regulations is to ensure that you can comply with these individual rights. In this section, we explain each right and how it affects ReallySchool.

The right to be informed

Individuals have the right to be informed about the collection and use of their Personal Data. This is a key transparency requirement under the GDPR. For further information and guidance, see https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-be-informed/

How does ReallySchool comply?

Schools and establishments using the product are responsible for ensuring that those to whom they give access use ReallySchool in a way that complies with their own policies and procedures.

This document provides all the information that the organisation using ReallySchool would need to inform their users on what Personal Data is being collected and how it is used. We recommend that this information is used to update Acceptable Use Policies in use in the organisation.

The right of access

Under GDPR, individuals have the right to access their personal data. This allows individuals to be aware of and verify the lawfulness of the processing.

See https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-of-access/

How does ReallySchool comply?

The interested party can make a subject access request to NetSupport (via their school). Once verified, we will export data for the individual in a commonly viewable format. Parents have access to their own version of ReallySchool where they can view information about their child. This includes observations, profile information and their online journal. One logged into ReallySchool they can easily access information about their child.

The right to rectification

Under Article 16 of the GDPR, individuals have the right to have inaccurate Personal Data rectified. See https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-rectification/

How does ReallySchool comply?

The interested party can request the school to update their data either via the portal or the app.  As the school is the data controller, a parent may get in touch with their child’s school to request their child’s or their own data is updated.

The right to erasure

Under Article 17 of the GDPR, individuals have the right to have Personal Data erased. This is also known as the ‘right to be forgotten’. The right is not absolute and only applies in certain circumstances. For information on when this right is applicable, see the ICO guidance at: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-erasure/

How does ReallySchool comply?

An individual can make a request to the school to have their data erased. The administrator will then archive the individual’s data. The school administrator will then make a request to NetSupport to have the individual’s data completely erased from the system.  

The right to restrict processing

Article 18 of the GDPR gives individuals the right to restrict the processing of their Personal Data in certain circumstances. The right is not absolute and only applies in certain circumstances. In most cases, you will not be required to restrict an individual’s Personal Data indefinitely, but will need to have the restriction in place for a certain period of time.

See https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-restrict-processing/

How does ReallySchool comply?

The interested party can request the school to restrict what data is collected and ultimately processed in ReallySchool.

The right to data portability

The right to data portability only applies:

• to Personal Data an individual has provided to a controller;
• where the processing is based on the individual’s consent or for the performance of a contract; and
• when processing is carried out by automated means.

See https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-data-portability/

How does ReallySchool comply?

A subject access request may be made in writing (can be emailed) to NetSupport. The data will be exported using an industry standard format. The zip file will contain a JSON file of all the individuals personal data along with audio, video and images.

The right to object

The guidance from the ICO states that:

“Individuals must have an objection on ‘grounds relating to his or her particular situation’. And that you must stop processing the personal data unless you can demonstrate compelling legitimate grounds for the processing, which override the interests, rights and freedoms of the individual“.

See https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-object/

How does ReallySchool comply?

As the data within ReallySchool is created and managed by the account administrator, whether through integration, importing or manually inputting data, individuals should make their objection to the establishment’s administrator. If for any reason, an individual wants to query the use of this data by ReallySchool then they can contact us directly for clarification.

Rights in relation to automated decision making and profiling

The GDPR has provisions on:

• automated individual decision-making (making a decision solely by automated means without any human involvement); and
• profiling (automated processing of personal data to evaluate certain things about an individual). Profiling can be part of an automated decision-making process.

See https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/rights-related-to-automated-decision-making-including-profiling/

How does ReallySchool Comply?

ReallySchool does not perform any automated decision making or profiling that is part of automated decision making,

Some common questions

1. Does ReallySchool store and process personal information?

Yes. This may include names, addresses, dates of birth, emails, phone numbers and student academic performance.

2. Does ReallySchool store user sign-in and sign-out events?

Yes. This information is obtained for the purpose of troubleshooting. In future, we will use this information to inform users as to when they previously signed in. This could help users to identify potential account breaches.

3. Does ReallySchool track which parts of the service are used?

We use Google Analytics to monitor site traffic. This data does not include personal information about individuals, but it does hold statistics such as the number of visitors to our website over a prescribed period in different areas of the world. 

4. Does ReallySchool contain photos, video or media that could be personally sensitive?

Yes. It includes evidence of child activity during school. There is also the option for schools to add profile photos of students, staff and parents.

5. Where does ReallySchool stored Personal Data?

• Data is stored in Microsoft Azure Cloud datacentres based in the EU. The data is stored in various data repositories:
• Personal (textual) Data is stored on SQL Databases (encrypted, password-protected, firewalled)
• Observations are stored in a MongoDB database (not encrypted, firewalled, not password-protected)
• Images and other media are stored on a file system (not encrypted, firewalled and password-protected).

6. How does ReallySchool transmit data between users and the service?

All data between the user and the service is transmitted using SSL encryption.

7. Is ReallySchool a Data Processor or the Data Controller?

1. We are the Data Processor. The school is the Data Controller.

9. Does ReallySchool share data with third parties?

No. However, schools can request for a third-party integrator to import their data into ReallySchool.

10. Does ReallySchool publish personally sensitive data?

Schools choose which data is published. For example, they may want to print out child journals or share these digitally with parents.

11. Does ReallySchool require user authentication?

A user is required to authenticate using a username and password to use the service and access data that is specific to their role.

12. Do ReallySchool or NetSupport have any recognised security certifications?

Yes. We are Cyber Essentials certified.

If you have any further questions regarding this document or any other queries regarding ReallySchool, please contact us.