1. Executive Summary – Data Privacy & the Parent App
At all times when using the Parent App you should be aware that your school remains the controller of the personal data which you can access, update and interact with through the App. It is important to remember that your use of the Parent App results in no transfer of control over the personal data, or of the personal data itself, to ScholarPack.
Moreover, data accessed within the Parent App does not reside anywhere other than within the school’s databases which utilise the ScholarPack management information system (“MIS”), among other systems. No personal data is cached or copied in the provision of the Parent App. The diagram below outlines the role and relationship of ScholarPack to the personal data accessed through the App.
In this Policy, defined terms shall have the meanings given to them in the User Terms.
3. Who we are – Explaining our role in more detail
ScholarPack is a trading name for Histon House Ltd registered in England and Wales with company number 07319617 and with registered address 3rd Floor 70 White Lion Street, London, England, N1 9PP (“ScholarPack” “us”, “we” or “our”). ScholarPack is part of The Key Support Services group of companies (“The Key”).
As owner and creator of the App, ScholarPack acts as data controller in respect of its own business and personnel information. But in respect of the App Personal Data, ScholarPack acts as data processor acting on the instruction of your school (the data controller). Our data protection lead (DPL) responsible for communicating with you about our use of your data can be contacted at email@example.com.
4. What does the Parent App do?
At a functional level, the Parent App enables parents to communicate with their children’s schools and allows them to review the information held about them or their children within the school’s MIS. The Parent App therefore acts as a communication and information medium which builds on the core software and services provided by ScholarPack to the school.
5. Who controls the data in the Parent App?
The school is the controller of the data. The use of the Parent App results in no transfer of control to ScholarPack. Moreover, data accessed within the Parent App does not reside anywhere other than the school’s databases. It is not cached or copied in the provision of the Parent App.
6. Your role and interaction with the App
You are a parent or legal guardian. Only users whose details have been registered with us by a school will be permitted to use the App. You have agreed to the end-user licence agreement (the “User Terms”) which play a pivotal role in governing the behaviours, controls and security aspects of the Parent App so that it is used appropriately and functions properly.
7. The data protection laws and principles we honour
ScholarPack is committed to protecting your personal information when you are using the Parent App. We take our written instructions to administer the App and to enable your access to the App from the school.
Whenever you provide such information in the App, we are legally obliged as a data processor to use your information in line with all applicable laws concerning the protection of personal information, including the Data Protection Act 2018 and the General Data Protection Regulation 2016/670 (“GDPR”) as the same may be updated or replaced from time to time. These laws are referred to collectively in this policy as the “data protection laws”.
For your information, the service we provide at the request and instruction of the school operates in accordance with these principles including the principles of transparency, purpose-limitation, data accuracy, retention/storage, data security and integrity, and data minimisation.
8. Our commitments to you
Subject to the bespoke commitments and arrangements put in place by your school as the relevant data controller, we subscribe to the following practices:
9. Authorisation from the school
The Parent App is made available to you under clear authorisation provided to us by your school, who act as the primary gatekeeper and data controller in terms of the information held by it in connection with your child.
10. Your download of the Parent App
Your school will provide you with details of how to download our App along with a unique link-up code for each user. When you first open our App, it will ask you for your linkup code. This code will generate an automated text message which is sent to your mobile with a one-time passcode. Once you have entered the one-time passcode into the App, you are ready to use our App. From that moment on, you should not allow others to access the App on your phone or other handheld device or tablet upon which the App can be accessed (each a “Device”). You should not share your login credentials including this linkup code with anyone even if he or she is a co-parent or fellow legal guardian or fellow teacher of your child. All parents or guardians with children at schools which subscribe to the ScholarPack services are entitled under the licensing agreement to set up their own profiles. This will then enable them to access the Parent App providing the school has provided them with the relevant authorisation.
11. Data sources
The App may process data about you through:
When you want to install or uninstall an App such as the Parent App it may possess a unique application number or it may search for automatic updates and these processes can supply information about your installation such as the type of operating system your Device is using.
12. The types of information we collect about you and your child/pupil
The predominant types of data that might be used (but not necessarily cached) in the App include:
13. Your school’s lawful bases for collecting information about you and your child/pupil?
We have listed a wide range of information-types in the previous section. Data protection laws requires your school to have a lawful basis (Article 6 (1) of the GDPR) for engaging us to process the types of App Personal Data we hold about you or your child. The six forms of lawful basis that are available are summarised in the info-graphic below:
ScholarPack is required to help your school process this personal data because of a contractual necessity – where we need to perform our subscription agreements with each school (which includes provision of the MIS and the App we make available to you through your school). In a similar vein, you are obliged to sign up to the User Terms for the App – this is a contract between ScholarPack and you. In these ways we can provide you with outputs we commit to provide to your school through the subscription agreements and to you through the User Terms.
When we do use your data in these ways we will not collect or process any data in relation to you or your child unless it is necessary in order to provide you with the service (for example to correct bugs in the App) or we are satisfied that we continue to have a legitimate interest in doing so (in adherence to the GDPR). This means that through this policy we are happy to commit to continually assessing our legitimate business needs against the needs to maintain and protect individual rights and freedoms. We are happy to make our up to date assessment of our legitimate interests available to you upon request.
In summary, we conduct a 3-stage test to challenge ourselves and confirm our legitimate interests to hold personal data as follows:
Finally, we ensure that our legitimate interests are prudently counterbalanced against the constant right of individuals to make a data access request to us (such as an objection to processing).Other lawful reasons (of the six available) of relevance to the App include our need to ensure the vital interests of the child by processing certain medical records (where your child may have a debilitating or life-limiting condition or illness, or essential medicines that we need to hold).
14. How your school makes decisions about you?
15. When will ScholarPack contact me?
It is unlikely that ScholarPack will ever contact you directly. Your school is responsible for communicating with you about use of the App. This may include notifications within the App alerting you to new messages or notices which we can display on behalf of the school.
It is possible in the future (we do not store any contact data for you ourselves), we may contact you as follows:
16. Will I be contacted for marketing purposes?
17. Will ScholarPack share my personal information or my child’s personal information with anyone else?
As a data processor following instructions (pursuant to a subscription agreement) from your school there are times when we may share your information but not your child’s with other companies in our group (such as our parent company the Key) – this will be relevant when some of our internal support services are shared across the Key group.
Sometimes ScholarPack uses third parties to process your information on our behalf, for example to provide services such as email deployment or cloud storage services or analysis of the technical data we use. We need these providers to provide us with their services for our legitimate interests of operating our business and our App effectively. Two prominent service providers we use are:
Mailgun – please learn more at https://www.mailgun.com/privacy-policy/
Firebase (part of Google) – https://firebase.google.com/support/privacy
When we use the services of others it will be required in order to fulfil our obligations under either the subscription agreement in place with your school or the User Terms we have in place with you or in order to improve our products and services.
18. Will other end users or administrators of the Parent App be able to see my data?
We may build increased functionality into the Parent App in future and this may involve our use of your data. For example, with the school’s permission only, we may seek a reference or a testimonial from you with respect to your user experience. In this case we will ask your permission to display your name, job title and school, and you can withhold this permission and instead be acknowledged anonymously.
19. Sharing aggregated or anonymised information
In line with the organisational and technical measures and techniques of anonymisation and/or pseudonymisation advocated by the data protection laws we may share aggregated or anonymised information within and outside of ScholarPack, with partners such as research groups, policy groups, the DfE, or Ofsted. Neither you nor your child or individuals connected to your child will be able to be identified from this information.
20. Offensive or inappropriate content on the Parent App
The User Terms shall govern the behaviour, standards and acceptable uses of the App. If a User posts or uploads content which is disruptive or may reasonably be deemed to be offensive, inappropriate or objectionable or otherwise in breach of our User Terms, ScholarPack may remove such content and may deny you access to the Parent App temporarily or permanently as we see fit.
Where ScholarPack reasonably believes that you are or may be in breach of any applicable laws, in respect of hate-speech for example we may disclose your personal information to relevant third parties, including to law enforcement agencies or your mobile phone operator or other internet communications provider. ScholarPack shall only do so in circumstances where such disclosure is permitted under applicable laws, including data protection law.
21. How long will ScholarPack keep my information?
As a reminder, the ParentApp only provides a medium for you and the school to update the records your school holds about you and your child. ParentApp does not cache or store these records. If you need to access these records, please contact your school.
The technical data we collect about you is very limited but we will only store your data for as long we need it and we will keep information in line with any data retention policy in force. To determine the appropriate period, we consider the amount of data, its nature and sensitivity, the potential for harm and whether we can achieve our purposes through other means as well as our applicable legal requirements. Details of our records retention policy is available upon request. We will regularly cleanse this data. We will also delete your data on your request though we may hold a list of the ‘opt out’ requests to administer your request.
22. How we protect your data
In terms of the limited technical data we store about you, this is stored on our servers, and we have implemented reasonable and appropriate security measures to protect the data including HTTPS and the industry standard for encryption and SSL technology.
Unfortunately, the transmission of information via the internet is not completely secure and we cannot guarantee that data breaches will never occur. Please keep your linkup code and your Device safe from unauthorised use or intervention at all times – and remember to log out or close down stale or inactive pages on the App after use.
For safety and child protection purposes only, in the future, we may require users to verify their credentials. We also reserve the right to contact the school in the event of any unusual or noteworthy login activity or patterns of usage. We won’t use this information for unexpected reasons.
We also do not recommend that you put email addresses, URLs, phone numbers, full names or addresses, holiday / home absence information, credit-card details or other identifying or sensitive information in any online messaging function on the App now or in future.
23. Your rights
You have a number of rights in relation to the information that the school holds or uses about you or your child. In the vast majority of cases, it will be appropriate to contact your school as the first port of call so that any information relating to the MIS which the school controls can be made available by the school.
For the very limited information we hold as data controller (in respect of technical information relation to the App, analytics applied to that information and any software upgrade or modification) you nevertheless have enshrined rights which are summarised below:
You and individuals (including individuals connected to your school) can exercise your rights by contacting us at [insert email address]
Individuals have a right to complain to the UK Information Commissioner’s Office by visiting www.ico.org.uk, or to the data protection regulator in the country where they live or work.
Where we are the data controller of your personal data, you have the right to access information we hold about you. Simply email us at [insert email address] and we will tell you how to do this.
24. What are Cookies?
A cookie is a piece of code or text stored on the hard drive of your computer, mobile phone or other portable device by your web browser. We do not track your online browsing patterns and the App does not contain cookies at present. It is possible the App may contain cookies in the future to provide you with a good experience when you use the App, to store information about your App usage, your preferences and your engagement. In this way, cookies ensure that the App functions as we intend it to and enables us to provide the services you request. If we do this, we will provide a clear notice about this usage within the App.
The App is not available to users outside the UK.
Last Revised May 2020.
Download our brochure for more information on ScholarPack MIS, Assessment and Comms to share with your colleagues.
We have worked with Chris Kirk, education consultant and MAT expert at CJK Associates, to develop this guide to organisational continuity: Ensuring the resilience of your trust.