This guide has been designed to answer all of your questions relating to GDPR and ScholarPack.
What is GDPR?
The General Data Protection Regulation (GDPR) is a European privacy law approved by the European Commission in 2016. The GDPR regulates how individuals and organisations may obtain, use, store and eliminate personal data.
When does GDPR come into effect?
The GDPR was adopted in April 2016, but will officially be enforceable from May 25th 2018.
Is ScholarPack GDPR compliant?
Yes. We have engaged an external company that specialises in data governance and privacy to assist us in complying with the General Data Protection Regulation (GDPR). We are already accredited under the ISO 27001 Information Security framework and are working with our advisors to identify any improvements the GDPR may require, so that they are in place before the enforcement date above.
How do you use our data?
As a Data Processor we commit to only storing and displaying the information you provide. We do not use it for any other purpose.
Where exactly does ScholarPack store our data?
Data is held securely on Amazon Web Services (AWS) within the UK.
What access does ScholarPack have to our data?
Access to schools’ data is strictly controlled and monitored at ScholarPack, and we employ a 'least privilege' code of practice within our organisation. We have various security procedures in place which ensure the safety of your data within our ISO 27001 system, and the database is only accessed with express permission from the school.
How is my data backed up?
Data is backed up to multiple geographical locations within the UK on an ongoing basis, and point-in-time recovery to the minute is available. We use Amazon RDS. In short, your data is safe!
Is the data encrypted in transit and at rest?
ScholarPack uses industry standard encryption to protect user and student data in transit and at rest.
How long does ScholarPack hold data / What is ScholarPack's data retention policy?
Currently all student and staff data will remain on the system unless it is deleted by you, or you (the data controller) instruct us to delete it.
ScholarPack will work with schools to implement their data retention policy.
A common question we are asked is what happens when a student is deleted. If you delete a student via the extended tab (you may do this if, for example, they were meant to attend your school and never turned up), then that data is completely removed.
Are there any instances where our data is passed to other organisations outside of ScholarPack’s sub-processors?
An API is available to schools in order to integrate with popular external services such as Wonde or ParentPay. At all times the school (the data controller) remains in charge of its data. More on our API functionality is available here.
How does ScholarPack ensure the safety of our data through the vetting of employees?
Each ScholarPack employee is required to hold a DBS check and to comply with company regulations on data sharing and confidentiality. They are trained in strict compliance with ISO 27001 and receive refresher training to ensure retention and active practice.
How is data transferred between third parties and ScholarPack using the API?
Our API links are over SSL/TLS-encrypted HTTPS, and we enforce that the API cannot be accessed through any other route.
How does ScholarPack deal with data breaches?
ScholarPack takes the security and consistency of users' data very seriously. If we become aware of a breach, we will work to ascertain the scope of the breach and notify affected schools as soon as we know which schools are affected. We will work with the schools to communicate with affected parties and determine whether the breach should be reported to the ICO.
Where a breach is reportable, we will work with each affected school's Data Protection Officer to help submit the declaration and manage the enquiry.
Who can authorise the destruction of any data on ScholarPack?
The systems operations team can undertake the deletion of this data if requested by the school. Single records can be deleted from the front-end system by the Sysadmin user. All data that is erased is non-recoverable and overwritten immediately.
What internal audits are in place to ensure that there is no unauthorised access of ScholarPack data?
ScholarPack records all user logins to schools, and these are regularly audited at an operating system level. We have systems and processes in place to monitor for unauthorised access to ScholarPack. If a school notifies us of suspected unauthorised access, we can work with the school to verify the logins and provide a historical audit. We provide several mechanisms for limiting the locations from which users can log into ScholarPack.
Does anyone within your organisation have access to the personal information of the Data Controller?
ScholarPack employees only have access to the personal information of the Data Controller with the express permission of the school, to undertake maintenance and support activities, and that access is audited.
What sub-processors and third parties does ScholarPack use?
We use a number of sub-processors in order to deliver services such as email, SMS and backups. A full list is available here.
Do ScholarPack contracts of employment contain confidentiality and gross misconduct clauses, in the context of customers' data privacy?
Our employee contracts are GDPR compliant.
GDPR guidance for schools - Iain Bradley from the DfE explains how you can review and improve your handling of personal data:
Preparation for the GDPR from the Information Commissioner’s Office:
Department for Education Documents: