This guide has been designed to answer all of your questions relating to GDPR and ScholarPack.
What is GDPR?
The General Data Protection Regulation (GDPR) is a European privacy law approved by the European Commission in 2016. The GDPR regulates how individuals and organisations may obtain, use, store and eliminate personal data.
When does GDPR come into effect?
The GDPR was adopted in April 2016, but will officially be enforceable from May 25th 2018.
Is ScholarPack GDPR compliant?
Yes, and we have engaged an external company that specialise in data governance and privacy to assist us in complying with the General Data Protection Regulation (GDPR). We are already accredited under the ISO 27001 Information Security framework and are working with our advisors to identify any improvements based on the GDPR expectations should they be required in advance of the aforementioned date.
How do you use our data?
As a Data Processor we commit to only storing and displaying the information you provide. We do not use it for any other purpose.
Where exactly does ScholarPack store our data?
School data is held in secure Tier 4 data centres within the UK that are protected by both physical and logical security, and conform to industry standard security practice. Our live systems and backup systems are hosted with different providers in different geographical locations within the UK.
What access does ScholarPack have to our data?
Access to schools’ data is strictly controlled and monitored at ScholarPack, and we employ a 'least privilege' code of practice within our organisation. We have various security procedures in place which ensure the safety of your data within our ISO 27001 system, and the database is only accessed with express permission from the school.
How is my data backed up?
School data is mirrored in real time to a standby server by 'streaming replication'. This means that we always have an up to date backup ready to take over should there be problems with the primary server. Formal backups are taken at 10AM, 3PM and 3AM every day. These backups are then moved to high availability, replicated data storage across three geographically separate data centres to mitigate against the failure of the primary data centre.
Is the data encrypted in transit and at rest?
ScholarPack uses industry standard encryption to protect user and student data in transit and at rest.
How long does ScholarPack hold data / What is ScholarPack's data retention policy?
Currently all student and staff data will remain on the system unless deleted by yourselves or you move to a different MIS supplier. All backups are held for six months. ScholarPack will work with schools to implement their data retention policy.
If you do delete a student via the extended tab (you may do this if they were meant to attend your school and never turned up, for example) then this data will be completely removed. We do have backups which are held for 6 months, and data deleted from the live school will not be removed from the backup during this time.
Does our ScholarPack contract comply with the new GDPR?
Schools who are currently under contract will be receiving a GDPR Compliance Variation to replace the current Schedule 3 in the contract. If a school is awaiting a new contract then there will be a version with an updated statement.
Are there any instances where our data is passed to other organisations outside of ScholarPack’s sub processors?
We have API links with several organisations in order to sync up your data with different companies you may use within your school. These are set up exclusively within the school by the SysAdmin user. No other data is shared with any other companies, and the data made available via each API can be viewed in the API Config page in ScholarPack.
How does ScholarPack ensure the safety of our data through the vetting of employees?
Each ScholarPack employee is required to hold an enhanced DBS and comply to company regulations on data sharing and confidentiality. They are trained in strict compliance to ISO 27001 and receive monthly refresher training to ensure retention and active practice.
If I receive a request of All Data Held on a child in my school - what do I need to do?
Should this request occur we are happy to prepare this data. However, please note that this may take a period of time to collate, the time needed would be dependent on the specificity level of the required data. Once you have further clarification from the parent on what information they require, please send an email from the Headteacher's school email account requesting this data for the student with the correct student ID number.
How is data transferred between 3rd Parties and ScholarPack using the API?
Our API links are over SSL encrypted HTTPS and we enforce that it cannot be accessed through any other route.
How does ScholarPack deal with data breaches?
ScholarPack takes the security and consistency of users data very seriously. If we become aware of a breach, we will work to ascertain the limits of such breach and notify affected Schools as soon as we become aware who those Schools are. We will work with the schools to communicate with affected parties, and determine if such a breach should be reported to ICO.
Where a breach is reportable we will work with affected schools Data Protection Officer to help submit the declaration and manage the enquiry.
Who can authorise the destruction of any data on ScholarPack? How does ScholarPack dispose of IT hardware?
The systems operations team can undertake the deletion of this data if requested by the school. Single records can be deleted from the front end system by the Sysadmin user. All data that is erased is non recoverable and overwritten immediately. Any data storage media that is taken out of service is securely destroyed and we maintain certificates of each piece of hardware processed in this way.
What internal audits are in place to ensure that there is no unauthorised access of ScholarPack data?
ScholarPack records all user logins to schools and these are regularly audited at an operating system level. We have systems and processes in place to monitor unauthorised access to ScholarPack. If a school notifies us of suspicion of unauthorised access, we can work with the school to verify the log ins and provide a historical audit. We provide several mechanisms for limiting locations from which users can log into ScholarPack.
Does anyone within your organisation have access to the personal information of the Data Controller?
ScholarPack employees only have access to the personal information of the Data Controller with the express permissions from the school to undertake maintenance and support activities, and access is audited.
What Subprocessors and 3rd Parties does ScholarPack use?
We use a number of Sub-processors in order to deliver services such as email, SMS and backups. A full list is available here
Do ScholarPack contracts of employment contain confidentiality and gross misconduct clauses, in the context of customers data privacy?
Our employee contracts are GDPR compliant.
Does The Key have access to school data?
No, the data access stays exactly the same. Schools are the data controllers and ScholarPack are their data processors, this relationship is unchanged.
ScholarPack’s Overview of GDPR:
GDPR guidance for Schools - Iain Bradley from the DfE explains how you can review and improve your handling of personal data:
Preparation for the GDPR from the Information Commissioner’s Office:
Department for Education Documents: