General Data Protection Regulation (GDPR) Key Facts
With the Data Protection Act (DPA) being superseded by the General Data Protection Regulation (GDPR) on 25th May 2018, it is important for schools to ensure that their systems satisfy the requirements of GDPR. When GDPR comes into force, the legal basis under which Clifton EMAG Ltd will hold and process personal data for pupils and users of the EAZ MAG Writer system is that of legitimate interest.
The DfE has issued guidance to schools on GDPR, which recommends that schools ask their system suppliers six key questions about their systems, so we have answered these questions as follows:
||Which personal and special category data are contained within the system?
||EAZ MAG Writer holds the following personal and special category data:
Special Category Pupil Data
- Basic pupil details such as UPN, forename, surname, date of birth, start date, comments, etc
- Current and prior attainment data, targets, estimates, assessments, attitude to learning and attendance
- Information on allocation of pupils to pupil sets, groups and classes
- Evidence in the form of photos
- Contextual information such as if a child is SEND, FSM, PP, etc. This depends on what contextual information the school wishes to use in the system
Basic pupil details, attainment, targets, estimates, assessment, attitude to learning, attendance, sets, groups, classes, contextual information and user login details are all entered and managed by the schools.
- Contact details and job title of the users who use the system in schools
- Username, Password, Full Name, Role and details of system usage by the user
National comparison data is provided by bodies such as the DfE or FFT
||Does any personal data flow from the system onto anywhere else?
||Pupil Personal Data
Schools may wish to download and/or share their inputted data with other schools, LAs, MATs, etc, but we do not share this data with any 3rd party unless we are obligated to do so by the school or as a legal requirement
We do not share user contact details with any 3rd party unless we are obligated to do so by the school or as a legal requirement
||What is the system’s data retention policy?
||Pupil personal data
- If the data is no longer required, schools have the ability to remove a pupil and all of the associated data relating to that pupil at any time from within the system.
- A school's system data will remain on our servers for no longer than 12 months after a school’s subscription comes to an end. This period has been set to cover the possibility that the school may need to retrieve this data at a later date or feel that they would like to renew their subscription and carry on.
- If the school no longer wishes to use our system and would like all system data to be promptly removed then this will be done on request.
- Details of EAZ MAG users and their system usage are retained for up to 5 years for audit purposes after which these are destroyed.
||How would you get the information for a subject access request out of the system?
||The information required to respond to a pupil subject access request is already available through various EAZ MAG Writer reports, which can be output in a number of electronic formats.
Other forms of subject access requests can be sent in writing to firstname.lastname@example.org.
||How does the system ensure the security of the personal data held?
- The entire EAZ MAG Writer system is stored in a secure dedicated hosting environment, which is located in a secure UK-based facility (Fasthosts, ISO 27001)
- The entire EAZ MAG Writer system operates under SSL (Secure Socket Layers) and strong AES encryption techniques used for dormant data, such as data backups.
- Server access controls are only used by members of the senior development team
- Security tests are continually carried out by our senior development team and benchmarked against external bodies such as Qualys SSL Labs.
- Numerous safeguards are in place to assist schools with their access of the system, eg unique usernames, strong hashed passwords, limited number of login attempts per user, different levels of access control, ability to disable logins irrespective of the validity of the entered details, etc
- All relevant staff are DBS checked and have completed non-disclosure forms.
||Is this system supplier confident that they will be GDPR compliant by May 2018?
||Yes – to the best of our knowledge we are confident that it will be fully compliant with GDPR by 25th May 2018.
Download a PDF version of this document
A new updated Data Sharing Agreement for schools using
the EAZ MAG Writer system can be downloaded via this link
Date of creation: May 2018
Date of next review: Nov 2019