Grofar Data Sharing Policy – Oct 18
This document should be read in conjunction with:
What is Grofar?
Grofar provide two systems, one is a careers guidance management solution and the other is a tool for the administration of work placements. Grofar significantly reduces the time spent on administration and stores all careers or work placement information in one place.
This document details the data objects and items that are shared, the use of, use by, storage and storage duration, safeguarding and security of the data that your establishment will share with Grofar Ltd. This information provides a framework for our Data Sharing Agreement (DSA) with you. The DSA is an important document, which supports our joint obligation to comply with the Data Protection Act 2003, The General Data Protection Regulations (GDPR) and comply with the Information Commissioner’s Office (ICO) mandate. In order to use Grofar your organisation must understand and formally accept this agreement.
Transfer and Use of Personal Information
For the purpose of allowing authorised users to use Grofar we require transmission of specific personal information. The data will in part be classified in accordance with the UK Government’s Information Security Design Manual Business Impact Levels.
|Data Subject||Schools/Grofar Careers – data held||Colleges/Grofar Work Placement – data held||Purpose of processing|
|Students or pupils currently on roll||
||To provide easy setup and maintenance of the data in Grofar.
To allow careers or work placement activity to be logged against students.
|Adults currently in the employment of the Institution||
||To populate the users of the system|
|Pupil contacts with parental responsibility||
||For information only – visible to staff|
|Business contacts of the Institution – providers of work placements or services||
||To enable the Health and Safety and Placement feedback tools|
|Information about the establishment||
||To accurately align the students to the relevant groups|
|Pupils staff or contacts who have now left the school||As above (for pupils or staff)||Data is archived in Grofar but retained for a period of 5 years|
|Pupils staff or contacts who have not yet started at the establishment||As above (for pupils or staff)||Data is loaded from the School or College MIS which may include early registration.|
Grofar Ltd and its suppliers will be acting as ‘data processors’ as defined by the 2003 Data Protection Act. Grofar Ltd has taken all reasonable measures to ensure the safety and security of personal information and continues to review these measures on an on-going basis.
Data will be used to populate the Grofar application and provide relevant and up-to-date information to your establishments careers service, students, parents, business and staff users.
All information is encrypted and stored within a cloud hosted database. The database is hosted within Microsoft Azure North Europe (Dublin). Access to the database is restricted to the Grofar application and approved employees.
This information gives details of the management of data security in relation to the use of Grofar. Establishments may wish to use this in conjunction with their fair use policy.
Information is extracted from the school Management Information System (MIS) using Groupcall’s industry leading and secure Xporter software. The data is securely uploaded to Grofar using industry standard SSL encryption. A unique identifier configured by Grofar Ltd in Groupcall Xporter ensures that the information is linked to the correct customer account in Grofar. Groupcall Xporter accesses your school MIS system using credentials that you provide and cannot access it without them.
Information is extracted from the College MIS using either csv Import or the Grofar supplied API . The data is securely uploaded to Grofar using Industry standard SSL encryption. A Unique Identifier configured by Grofar Ltd ensures that the information is linked to the correct customer account in Grofar. The Grofar API accesses your MIS using credentials that you provide and cannot access it without them.
In summary, the data you transmit to us is protected from exposure using a cloud based enterprise firewall, string SSL https encryption, OAuth 2.0 application authentication, strong database encryption, data anonymization where appropriate. The Grofar building and offices have physical access control.
Grofar undergoes annual independent intrusion detection and penetration testing carried out by a third-party provider to ensure the security robustness of the application and data.
The Support team at Grofar Ltd are able to resolve or advise you on any technical issues that you encounter while using our products and provide first line support for Groupcall Xporter integration also. Occasionally it can be necessary for our support technicians to view the issue with you, in order to diagnose it fully and offer a solution. In circumstances where support technicians need to view the issue with you they may use remote access tools to view your computer with you, in which case you should remain at your computer and supervise the entire session.
All of our remote sessions allow you to retain control and allow you to terminate the session at any time. If your issue escalates and an additional support technician is required, then they may also be invited to join the remote session. In some cases where a second line escalation is required for Groupcall Xporter software this may involve also allowing a Groupcall support technician to join the remote session.
If your issue is a platform issue or requires changes to your account configuration, then Grofar Ltd staff may perform such configuration on your behalf from our secure management platform without requirement for remote access. You are reminded that you should avoid sending personal information, such as student/contact records, to us directly via email. You certainly should only send such information when supported by strong encryption, if there is an explicit requirement to do so. Grofar Ltd staff will advise the most secure method for transfer if there is such an explicit requirement.
Data Life Cycle
Your data’s point of origin remains in the School or College MIS. Changes made in the MIS are transmitted to the Grofar via Groupcall Xporter or Grofar API. Data is synchronised nightly from your School or College MIS.
New ‘personal’ records
When a new staff, student or contact record is detected in the MIS, and meets the selection criteria it will be uploaded to Grofar at the next transmission and appear in the user interface accordingly for authorised users.
Changed ‘personal’ records
When an updated staff, student or contact record is detected in the MIS, and meets the selection criteria it will be updated in Grofar at the next transmission and appear in the user interface accordingly for authorised users.
Deleted ‘personal’ records
When a staff, student or contact record in the MIS no longer meets the selection criteria or is deleted this will be notified to Grofar on the next transfer.
When a person is detected as deleted or left, Grofar immediately revokes permissions for that person and retains their historic activity indefinitely to provide audit and historical analysis and reporting. If a user is not restored after 6 months, their records are anonymised for security.
New Group Memberships
When a person is detected to have a new or changed group membership, e.g. registration group, staff post, etc. this will be notified to Grofar on the next transfer and will then be reflected in the user interface for authorised users.
Deleted or Ended Group Membership
When a person is detected to have left a group membership, e.g. year group, class group, course code etc. this will be notified to Grofar on the next transfer and will then be reflected in the user interface for authorised users.
Obligations of the “Data Controller”
The School or College as “Data Controller” must abide by the requirements of the GDPR specifically.
- Personal Data must be processed legally and fairly;
- It must be collected for explicit and legitimate purposes and used accordingly;
- It must be adequate, relevant and not excessive in relation to the purposes for which it is collected and/or further processed;
- It must be accurate, and updated where necessary;
- Data controllers must ensure that data subjects can rectify, remove or block incorrect data about themselves;
- Data that identifies individuals (personal data) must not be kept any longer than strictly necessary;
- Data controllers must protect personal data against accidental or unlawful destruction, loss, alteration and disclosure, particularly when processing involves data transmission over networks. They shall implement the appropriate security measures;
- These protection measures must ensure a level of protection appropriate to the data.
With regard to Grofar, the “Data Controller” must provide any instructions to vary the data being shared and its usage in writing and must manage the consent process with the subjects of their data – specifically students, staff, alumni, employers and other contacts included in the Grofar database.
Use of the Grofar system is subject to agreement of our licence and privacy policies.
The following questions and answers are provided to help you understand how these work in practice.
Who is responsible for managing my information?
Grofar is provided by Grofar Ltd and its suppliers. Grofar Ltd is responsible for ensuring that your data is adequately protected in relation to the operation of Grofar platform.
Who can I contact if I have queries about this policy?
If you have any queries please contact firstname.lastname@example.org
Will you ever update this policy?
Government regulations frequently change and this policy may well change. We will notify customers of any changes and update the web version of this and other documents available via www.grofar.com
How can I update my data?
The data in Grofar reflects the data in your School or College MIS system, hence to correct any inaccuracies you should correct the data in your MIS and allow an overnight update to occur.
If it is important that data changes are shown more urgently; for example, if a parent has been restricted from contact with their child by court order, then you can contact Grofar Ltd for assistance via email@example.com.
How long will my information be held for by Grofar?
Data will be held no longer than is absolutely necessary. Anonymised data may be kept for reporting and historical analysis purposes.
How do I delete my data from Grofar?
In order to terminate your account with us you must contact firstname.lastname@example.org. We will either delete your data or return it on demand in electronic form.
If you need any further assistance or get in to any difficulty, please contact Grofar Ltd via email@example.com or phone 01173155261.