Our Legal Obligations
We must make sure that information we collect and use about pupils is in line with the UK GDPR and Data Proection Act. This means that we must have a lawful reason to collect the data, and that if we share that with another organisation or individual we must have a legal basis to do so.
The lawful basis for schools to collect information comes from a variety of sources, such as the Education Act 1996, Regulation 5 of The Education (Information About Individual Pupils) (England) Regulations 2013, Article 6 and Article 9 of the UK GDPR.
Data stored for use of Futures Award
For each student registered on the Futures Award App, the following data is stored:
- Name
- Email Address
- Year Group
- Class Name
- Evidence uploaded by student
- PP and SEND flag (Yes/No)
Data Access
Students can access only their own data after log in. Teachers can access the uploaded evidence files of any student in their tutor group or year groups depending on their role. Senior Leaders and Administrators can access the uploaded evidence and check the progress of any student in any year group. Student accounts are accessed using school Google login details. These are managed in house by school IT managers. The host school administrator account holders can access data across all partner schools who use the Futures Award app to ensure the smooth running of the app. The current lead is Matthew Hurford Their access is covered by a data sharing agreement in place between the partner schools. All staff have full DBS clearance. All administrators and processors of the data by Futures Award are subject to confidentiality for all data from all schools who participate. Confidentiality will remain throughout the use of the App. Should a school cease use, data stored will be downloaded, given back to the school and the cloud storage will be deleted. The host school administrator may from time to time collate anonymised data to form metrics around user activity that may form the basis of marketing or communication about the effectiveness of the APP.
Data Processor
We define ‘partner school’ to mean staff and students at a participating school. The schools acknowledge that Woodbrook Vale School is the ‘host’ school and acts as ‘Processor’. The Partner School acts as the ‘Controller’ Futures Award App only creates accounts upon the explicit instruction of the Partner School and with their consent. Evidence in the form of files such as PDFs, MP4s, JPEGs is uploaded by students using the app. These files are reviewed by the partner school’s staff only. Responsibility for monitoring the appropriateness of these submissions remains with the partner school at all times.
Verification of Partner School Accounts
- Partner School submit their student and staff data to the host school via safe data transfer means. EG The data will only be accepted if is is comprised solely of school email addresses associated with the partner school's domain name, and clearly where the email address is in a teacher or student format.
- The partner school undertakes as part of the data sharing agreement to ensure ONLY this data is received and to manage the database for ‘leavers’ and ‘new’ accounts themselves. Partner School administrator accounts enable this to be done easily.
Fair Usage Policy
We reserve the right to either temporarily or permanently suspend the partner school’s accounts in the event that:
- A Denial of Service attack takes place, where the site is flooded with traffic with the specific intent to cause disruption to services.
- There is excessive amounts of data uploaded beyond that required for the number of students using the APP to sufficiently evidence their achievement.
- Where a partner school account has been suspended and needs to be reinstated, contact Woodbrook Vale School or mhurford@wbvs.co.uk
Use of Data by Third Parties
- Partner School data is stored within the cloud using ‘Digital Ocean’. No data is passed on to any third parties.
Your right to delete stored data and account deletion
- Student accounts can be deleted by administrators in partner schools. Administrators can also remove and add teachers in their own school. Any student request to have an account deleted must go to the partner school and their adminstrators.
- On deletion of an account and or multiple accounts or a whole partner school. Uploaded data will be downloaded, archived and offered to the partner school. The data held in the Cloud storage for the partner school will be deleted
- The host school will only hold the archived data for 2 years.
- It is the school's responsibility to delete the accounts of students and staff who have left the school. Uploaded data for students who have left the Partner school will be treated in the same way as for students still on roll.
How your data is protected
- The site is hosted using services supplied by DigitalOcean, a hosting provider used by many EdTech companies/organisations. The data is stored in the EU and Digital Ocean's compliance documentation can be found here.
- All data accessed via user accounts have appropriate checks to ensure the account has the correct permissions to view the data.
- In the unlikely event of a data breach, the nature of the breach, in addition to the resulting action to remedy such a breach, will be clearly communicated.
- The server has an SSL certificate so data is transmitted securely.
- Partner schools have the right to request an audit of data stored about the school, staff and students.
- Data for each partner school is stored in an isolated database to ensure data cannot leak between parter school accounts.
- The host school will provide assistance to the best of its capacity should there be an issue surrounding data.
- The Data Protection Officer for the Futures Award App is the same as the DPO for the host school (Woodbrook Vale School). Their role is to:
- inform and advise the controller or the processor and the employees who carry out processing of their obligations under the GDPR
- monitor compliance with the GDPR and DPA
- provide advice where requested about the data protection impact assessment and monitor its performance
- be the point of contact for Data Subjects if there are concerns about data protection
- cooperate with the supervisory authority and manage the breach procedure
- advise about training and CPD for the GDPR
- DPO is: J A Walker, Solicitor,PO Box 10778, Leicester
Disaster Recovery Plan
- The personal data stored is email address and name, along with uploaded evidence purely based on usage of the app. Passwords are encrypted and cannot be unencrypted.
- Any code which accesses the database ensures appropriate permissions to view/modify/delete the data, as per "Who can access what data". The server is managed at a secure data centre by Digital Ocean.
- Backups are made daily by the server administrator, which can be restored as necessary.
- We review code to ensure access to data is appropriately restricted as described. With regards to the effectiveness of the server, this is as per the host provider's Digital Ocean's own GDPR compliance.
Complaints & the information commissioner office (ICO)
The School Complaints Policy for each school deals with complaints about Data protection issues. There is a right to complain if you feel that data has been shared without consent or lawful authority. You can complain if you have asked to us to erase, rectify, not process data and we have not agreed to your request. Schools will always try to resolve issues on an informal basis, and then through their formal complaints procedure. Please complete the relevant form for the relevant school and they will contact you with more details about the timescale and process. In the UK it is the ICO who has responsibility for safeguarding and enforcing the DPA obligations. Email: casework@ico.org.uk Review Helpline: 0303 123 1113 web: www.ico.org.uk
Last Updated on 05/01/2023
