ScholarPack Parents App Privacy Statement

1. Executive Summary – Data Privacy & the Parent App

At all times when using the Parent App you should be aware that your school remains the controller of the personal data which you can access, update and interact with through the App.  It is important to remember that your use of the Parent App results in no transfer of control over the personal data, or of the personal data itself, to ScholarPack.  

Moreover, data accessed within the Parent App does not reside anywhere other than within the school’s databases which utilise the ScholarPack management information system (“MIS”), among other systems.   No personal data is cached or copied in the provision of the Parent App. The diagram below outlines the role and relationship of ScholarPack to the personal data accessed through the App.

2. Scope of this Privacy Policy – the Parent App

In this Policy, defined terms shall have the meanings given to them in the User Terms. 

ScholarPack is a secure, cloud-based management information system that stores and processes data relating to a school and its pupils.  This privacy policy applies specifically to the mobile application that is aimed at parents or legal guardians of school children to enhance their access and engagement with certain parts of the management information system as it applies to the pupil (the “Parent App” or “App”).   A parent or legal guardian can only use the Parent App after being authorised to do so by their school.

This Privacy Policy applies to information about you the User, about pupils and about third parties such as family members, key others connected to your child (for example carers, uncles, aunts or grandparents) or other personnel within your school and as it is accessed through the Parent App (together “App Personal Data”).  

Specifically, in this Privacy Policy we cover:

• what information the Parent App may collect about you and your child/pupil;
• how the Parent App will use this information;
• when the Parent App may use your details to contact you;
• whether the Parent App will disclose your details to anyone else;
• your choices regarding the personal information you provide to us; and,
• our use of cookies within the Parent App and how you can reject cookies.

Outside of the App as the primary mode of communication and data processing, this Privacy Policy also rightly relates to our use of any personal information you provide to us by phone, SMS, email, in letters, other correspondence and in person. In order to provide you with the full online service and functionality provided by the Parent App we sometimes need to collect information about you – which may involve for example verifying the records held about you and your child by the school.

3. Who we are – Explaining our role in more detail

ScholarPack is a trading name for Histon House Ltd registered in England and Wales with company number 07319617 and with registered address 3rd Floor 70 White Lion Street, London, England, N1 9PP (“ScholarPack” “us”, “we” or “our”). ScholarPack is part of The Key Support Services group of companies (“The Key”).  

As owner and creator of the App, ScholarPack acts as data controller in respect of its own business and personnel information.  But in respect of the App Personal Data, ScholarPack acts as data processor acting on the instruction of your school (the data controller).  Our data protection lead (DPL) responsible for communicating with you about our use of your data can be contacted at dataprotection@scholarpack.com.

4. What does the Parent App do?

At a functional level, the Parent App enables parents to communicate with their children’s schools and allows them to review the information held about them or their children within the school’s MIS.  The Parent App therefore acts as a communication and information medium which builds on the core software and services provided by ScholarPack to the school. 

5. Who controls the data in the Parent App?

The school is the controller of the data.  The use of the Parent App results in no transfer of control to ScholarPack.  Moreover, data accessed within the Parent App does not reside anywhere other than the school’s databases.   It is not cached or copied in the provision of the Parent App.

6. Your role and interaction with the App

You are a parent or legal guardian. Only users whose details have been registered with us by a school will be permitted to use the App. You have agreed to the end-user licence agreement (the “User Terms”) which play a pivotal role in governing the behaviours, controls and security aspects of the Parent App so that it is used appropriately and functions properly.

7. The data protection laws and principles we honour

ScholarPack is committed to protecting your personal information when you are using the Parent App. We take our written instructions to administer the App and to enable your access to the App from the school.

Whenever you provide such information in the App, we are legally obliged as a data processor to use your information in line with all applicable laws concerning the protection of personal information, including the Data Protection Act 2018 and the General Data Protection Regulation 2016/670 (“GDPR”) as the same may be updated or replaced from time to time.  These laws are referred to collectively in this policy as the “data protection laws”.

A fundamental feature of the data protection laws is the establishment of guiding privacy principles at Article 5 of the GDPR.  For further information as to how your school applies these privacy principles please refer to their own Privacy Policy.   

For your information, the service we provide at the request and instruction of the school operates in accordance with these principles including the principles of transparency, purpose-limitation, data accuracy, retention/storage, data security and integrity, and data minimisation.

8. Our commitments to you

Subject to the bespoke commitments and arrangements put in place by your school as the relevant data controller, we subscribe to the following practices:

• We do not engage in restricted transfers of personal data save than as permitted by the exceptions and permissions contained in the data protection laws.   We therefore do not currently store or transport personal data outside of the UK, except where personal messages which may be communicated through the Parent App may be processed (not stored) by servers in the USA using legally approved appropriate safeguards. This is in our legitimate business interests of providing you with the App services.
• We do not transfer personal data originating from schools in an unencrypted format.
• We do not claim ownership over any of the data processed or created as part of services provided to you. You grant us a licence to use that data in accordance with the User Terms. If you wish to exercise any of your rights under data protection laws to remove any content, more details can be found in the ‘Rights of individuals’ section below.

9. Authorisation from the school

The Parent App is made available to you under clear authorisation provided to us by your school, who act as the primary gatekeeper and data controller in terms of the information held by it in connection with your child.

10. Your download of the Parent App

Your school will provide you with details of how to download our App along with a unique link-up code for each user. When you first open our App, it will ask you for your linkup code. This code will generate an automated text message which is sent to your mobile with a one-time passcode. Once you have entered the one-time passcode into the App, you are ready to use our App. From that moment on, you should not allow others to access the App on your phone or other handheld device or tablet upon which the App can be accessed (each a “Device”).  You should not share your login credentials including this linkup code with anyone even if he or she is a co-parent or fellow legal guardian or fellow teacher of your child.  All parents or guardians with children at schools which subscribe to the ScholarPack services are entitled under the licensing agreement to set up their own profiles. This will then enable them to access the Parent App providing the school has provided them with the relevant authorisation.

11.  Data sources

The App may process data about you through:

• Downloading the App – when registering your device for the services 
• Displaying information supplied by the school
• Displaying content you upload using the App
• Unique application numbers, reinstallations of the App, other updates or re-sets

When you want to install or uninstall an App such as the Parent App it may possess a unique application number or it may search for automatic updates and these processes can supply information about your installation such as the type of operating system your Device is using.

12. The types of information we collect about you and your child/pupil

The predominant types of data that might be used (but not necessarily cached) in the App include:

• The technical and other information that you give us when downloading and registering the App – which allows us to validate you as a User; 
• The information we get from your day to day use of the App (for example by uploading content, frequency of visits);
• Other types of information we process and display which emanate from the MIS controlled by the school (such as your child/pupil’s attendance record, school reports and achievements)
• Messaging services or feedback opportunities or surveys which we may provide from time to time to time on the App (both one-way and two-way traffic);
• Special category data where the school is obliged to (and therefore will) obtain your specific consent before processing it – such as blood group, medical details, and other essential information relating to the vital interests of your child which may include associated information relating to his or her sibling or other family members (particular allergies, medicines, procedures and conditions the school should know about). 
• Technical information relating to how you use the App, which will include information about your Device, its settings, its IP address, and certain permissions within the Device, plus analytics regarding your use of the App – frequency of usage, what you read, interact with, upload and download; and,
• Monitoring information and communications which may be recorded for purposes of quality assurance, training and fraud prevention.

13. Your school’s lawful bases for collecting information about you and your child/pupil?

We have listed a wide range of information-types in the previous section.  Data protection laws requires your school to have a lawful basis (Article 6 (1) of the GDPR) for engaging us to process the types of App Personal Data we hold about you or your child. The six forms of lawful basis that are available are summarised in the info-graphic below:

For the most part your school is obliged to use personal data in respect of you and your child pursuant to a legal obligation.  These legal obligations emanate from successive Education Acts (from 1944, 1996, 2002 for example) as well as a vast range of other acts of parliament related to children and childcare in addition to relevant regulations applicable to schools.  For further details please consult your school’s Privacy Policy.

ScholarPack is required to help your school process this personal data because of a contractual necessity – where we need to perform our subscription agreements with each school (which includes provision of the MIS and the App we make available to you through your school).  In a similar vein, you are obliged to sign up to the User Terms for the App – this is a contract between ScholarPack and you. In these ways we can provide you with outputs we commit to provide to your school through the subscription agreements and to you through the User Terms.

For several the information-types that are accessed in the App there will be occasions when your school will rely on its legitimate interests to justify the processing of that information.  Again we invite you to consult your school’s Privacy Policy to learn further about the use of legitimate interests by your school.

In addition, we at ScholarPack will rely on our legitimate interests whenever we act as data controller over particular personal data (in limited circumstances).  We have identified on page 1 of this Privacy Policy that we will act as data controller in two clear circumstances:

• When we compile and use technical information 
• When we maintain or update the App (including fixes/patches)

When we do use your data in these ways we will not collect or process any data in relation to you or your child unless it is necessary in order to provide you with the service (for example to correct bugs in the App) or we are satisfied that we continue to have a legitimate interest in doing so (in adherence to the GDPR).  This means that through this policy we are happy to commit to continually assessing our legitimate business needs against the needs to maintain and protect individual rights and freedoms.  We are happy to make our up to date assessment of our legitimate interests available to you upon request.  

In summary, we conduct a 3-stage test to challenge ourselves and confirm our legitimate interests to hold personal data as follows: 

1. We identify what our legitimate business interests are at any given time.
2. We check the necessity of processing a parent or child’s personal data in order to properly deploy and operate the App.  We check that there are no any less intrusive means to deliver the App’s functionality for parents and legal guardians.
3. We make sure we weigh the balance of the interests of our business and our App with the interests of the pupils, parents and others whose personal information we hold.

Finally, we ensure that our legitimate interests are prudently counterbalanced against the constant right of individuals to make a data access request to us (such as an objection to processing).Other lawful reasons (of the six available) of relevance to the App include our need to ensure the vital interests of the child by processing certain medical records (where your child may have a debilitating or life-limiting condition or illness, or essential medicines that we need to hold).

14. How your school makes decisions about you?

Your school’s Privacy Policy will set out how the school makes decisions about you and your child’s information.  As for ScholarPack, we may use automated systems or triggers to help us identify your compliance with the User Terms for the App (i.e. when you are uploading and how you are using the App).  Individuals may have a right to certain information about automated decisions we make about them and may also have a right to request human intervention and to challenge the decision. More details can be found in the ‘Rights of individuals’ section below.

15. When will ScholarPack contact me?

It is unlikely that ScholarPack will ever contact you directly. Your school is responsible for communicating with you about use of the App.  This may include notifications within the App alerting you to new messages or notices which we can display on behalf of the school.

It is possible in the future (we do not store any contact data for you ourselves), we may contact you as follows:

• To notify you about any planned maintenance and downtime affecting the App;
• At the school’s request only, to verify your credentials or your authorisation from the school or to help you reset your linkup code with the school (i.e. password);
• In relation to any email or other correspondence we receive from you or any comment or complaint you make about the Parent App directly to us;
• At the school’s request only, in relation to any tailored or trial services or new features of the App you are using;
• At the school’s request only to occasionally invite you to participate in surveys or research about the App.

16. Will I be contacted for marketing purposes?

No.

17. Will ScholarPack share my personal information or my child’s personal information with anyone else?

As a data processor following instructions (pursuant to a subscription agreement) from your school there are times when we may share your information but not your child’s with other companies in our group (such as our parent company the Key) – this will be relevant when some of our internal support services are shared across the Key group. 

Sometimes ScholarPack uses third parties to process your information on our behalf, for example to provide services such as email deployment or cloud storage services or analysis of the technical data we use.  We need these providers to provide us with their services for our legitimate interests of operating our business and our App effectively.  Two prominent service providers we use are:

Mailgun – please learn more at https://www.mailgun.com/privacy-policy/

Firebase (part of Google) – https://firebase.google.com/support/privacy

When we use the services of others it will be required in order to fulfil our obligations under either the subscription agreement in place with your school or the User Terms we have in place with you or in order to improve our products and services.

18. Will other end users or administrators of the Parent App be able to see my data?

Your school’s privacy policy sets out the relevant permissions to access your data and school records to which the App interfaces. Certain permitted administrators will be able (and must be able) to view certain information relating to your child/pupil’s information (such as the headteacher of the school).      Other end users of the Parent App who are unconnected to your child (i.e. who are not another parent or legal guardian) will NOT be able to see your data or your child’s data.  (Those who are connected to your child will be able to see certain data about you or your child unless you make contact with the School and seek to limit this).

We may build increased functionality into the Parent App in future and this may involve our use of your data.  For example, with the school’s permission only, we may seek a reference or a testimonial from you with respect to your user experience.  In this case we will ask your permission to display your name, job title and school, and you can withhold this permission and instead be acknowledged anonymously.

19.  Sharing aggregated or anonymised information

In line with the organisational and technical measures and techniques of anonymisation and/or pseudonymisation advocated by the data protection laws we may share aggregated or anonymised information within and outside of ScholarPack, with partners such as research groups, policy groups, the DfE, or Ofsted. Neither you nor your child or individuals connected to your child will be able to be identified from this information.

20. Offensive or inappropriate content on the Parent App

The User Terms shall govern the behaviour, standards and acceptable uses of the App.  If a User posts or uploads content which is disruptive or may reasonably be deemed to be offensive, inappropriate or objectionable or otherwise in breach of our User Terms, ScholarPack may remove such content and may deny you access to the Parent App temporarily or permanently as we see fit.

Where ScholarPack reasonably believes that you are or may be in breach of any applicable laws, in respect of hate-speech for example we may disclose your personal information to relevant third parties, including to law enforcement agencies or your mobile phone operator or other internet communications provider.  ScholarPack shall only do so in circumstances where such disclosure is permitted under applicable laws, including data protection law.

21. How long will ScholarPack keep my information?

As a reminder, the ParentApp only provides a medium for you and the school to update the records your school holds about you and your child. ParentApp does not cache or store these records. If you need to access these records, please contact your school.

The technical data we collect about you is very limited but we will only store your data for as long we need it and we will keep information in line with any data retention policy in force.  To determine the appropriate period, we consider the amount of data, its nature and sensitivity, the potential for harm and whether we can achieve our purposes through other means as well as our applicable legal requirements. Details of our records retention policy is available upon request. We will regularly cleanse this data. We will also delete your data on your request though we may hold a list of the ‘opt out’ requests to administer your request.

22. How we protect your data

Your school records are stored within the MIS at your school. Your school’s privacy policy should provide information about the security measures it has in place to protect this.

In terms of the limited technical data we store about you, this is stored on our servers, and we have implemented reasonable and appropriate security measures to protect the data including HTTPS and the industry standard for encryption and SSL technology. 

Unfortunately, the transmission of information via the internet is not completely secure and we cannot guarantee that data breaches will never occur.   Please keep your linkup code and your Device safe from unauthorised use or intervention at all times – and remember to log out or close down stale or inactive pages on the App after use.

For safety and child protection purposes only, in the future, we may require users to verify their credentials. We also reserve the right to contact the school in the event of any unusual or noteworthy login activity or patterns of usage. We won’t use this information for unexpected reasons.

We also do not recommend that you put email addresses, URLs, phone numbers, full names or addresses, holiday / home absence information, credit-card details or other identifying or sensitive information in any online messaging function on the App now or in future.

23. Your rights

You have a number of rights in relation to the information that the school holds or uses about you or your child.  In the vast majority of cases, it will be appropriate to contact your school as the first port of call so that any information relating to the MIS which the school controls can be made available by the school.

For the very limited information we hold as data controller (in respect of technical information relation to the App, analytics applied to that information and any software upgrade or modification) you nevertheless have enshrined rights which are summarised below:

• The right to be informed about our use of your data. This is met by this Policy.
• The right to access information we hold about you and to obtain information about how we process it (commonly known as a “data subject access request”). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it. Please note that we may ask you to specify what you wish to see in order to focus our search, and we may have to verify your identity/authority. 
• In some circumstances, the right to withdraw your consent to our processing of your information, which you can do at any time. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent. 
• In some circumstances, the right to receive certain information you have provided to us in an electronic format and/or request that we transmit it to a third party;
• The right to request that we rectify your information if it’s inaccurate or incomplete though we may need to verify the accuracy of the new data you provide to us.
• In some circumstances, the right to request that we erase your information where there is no good reason for us continuing to process it. We may continue to retain your information if we’re entitled or required to retain it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request. 
• The right to object to, and to request that we restrict, our processing of your information in some circumstances for example where we are relying on our legitimate interests or using it for direct marketing. Again, there may be situations where you object to, or ask us to restrict, our processing of your information but we’re entitled to continue processing it and/or to refuse your request. 

You and individuals (including individuals connected to your school) can exercise your rights by contacting us at [insert email address]

Individuals have a right to complain to the UK Information Commissioner’s Office by visiting www.ico.org.uk, or to the data protection regulator in the country where they live or work.  

Where we are the data controller of your personal data, you have the right to access information we hold about you. Simply email us at [insert email address] and we will tell you how to do this.

24. What are Cookies?

A cookie is a piece of code or text stored on the hard drive of your computer, mobile phone or other portable device by your web browser.  We do not track your online browsing patterns and the App does not contain cookies at present. It is possible the App may contain cookies in the future to provide you with a good experience when you use the App, to store information about your App usage, your preferences and your engagement.  In this way, cookies ensure that the App functions as we intend it to and enables us to provide the services you request. If we do this, we will provide a clear notice about this usage within the App.

The App is not available to users outside the UK.

Last Revised May 2020.