Data Sharing Agreement

Grofar Data Sharing Agreement

What is Grofar?

Grofar is a careers guidance management solution. Grofar significantly reduces the time careers leaders and careers co-ordinators spend on careers administration and stores all careers information in one place. Grofar helps every school to meet Statutory Guidance and implement the Gatsby benchmarks. The easy and effective one-system solution encompasses everything from careers service planning, event organisation and feedback to destination data collection and work experience management. Engaging students, parents, businesses, alumni and SLT. A pioneering careers passport ensures every student has access to evidenced aspirational careers advice. Grofar was developed by the trusted, award-winning team that created Schoolcomms.

Document Aims

This document details the data objects and items that are shared, the use of, use by, storage and storage duration, safeguarding and security of the data that your establishment will share with Grofar Ltd. This information provides a framework for our Data Sharing Agreement (DSA) with you. The DSA is an important document, which supports our joint obligation to comply with the Data Protection Act 2003 and comply with the Information Commissioner’s Office (ICO) mandate. In order to use Grofar your organisation must understand and formally accept this agreement.

Transfer and Use of Personal Information

For the purpose of allowing authorised users to use Grofar we require transmission of specific personal information. The data will in part be classified in accordance with the UK Government’s Information Security Design Manual Business Impact Levels.

1. Personal information about pupils who are currently on roll:

  • Forename
  • Surname
  • Middle Name
  • Display Name
  • Admission No
  • Gender
  • Registration Group Membership
  • Year Group Membership
  • House Group Membership
  • UPN (Unique Pupil Number)
  • Date of Birth
  • ULN (Unique Learner Number)
  • Enrolment Status
  • SEN Provision
  • FSM Eligible
  • Pupil Premium
  • EAL
  • YSSA
  • Uniform Allowance
  • Parental Salutation
  • Address
  • Email Communications
  • Student Photo
  • Student Timetable

2. Personal information about adults currently in the employment of the school:

  • Title
  • Staff Code
  • Forename
  • Surname
  • Middle Name
  • Display Name
  • Gender
  • Work Email
  • Work Phone
  • Date Of Birth
  • Is Teacher
  • Is Support
  • Staff member Photo
  • School Timetable information

3. Personal information about pupil contacts with parental responsibility:

  • Relationship
  • Forename
  • Surname
  • Display Name
  • Work Email
  • Home Email
  • Mobile Phone

4. Information about the establishment:

  • Name
  • Head
  • Main Contact
  • Telephone
  • Web address
  • Email adress
  • Deni No
  • Governance
  • Phase
  • School Timetable
  • Group Information (Year Groups, Registration Groups, Houses):
    • Code
    • Name
    • Number of Students
    • Primary Staff Member
    • Staff
    • Type

5. Personal information about pupils, staff or contacts who have now left the school

  • Data is retained within Grofar for historical data analysis but all personal details are anonymised.

6. Personal information about pupils, staff or contacts who have not yet started at the establishment

  • Data is retained within Grofar for historical data analysis but all personal details are anonymised.

The Use of Data policy is provided for establishments to ensure that, as data controllers, they have the ability to share data and that they consider there to be appropriate measures in place, ensuring that the data is held securely and confidentially. This document sets out how Grofar Ltd supports these objectives.

Grofar Ltd and its suppliers will be acting as ‘data processors’ as defined by the 2003 Data Protection Act. Grofar Ltd has taken all reasonable measures to ensure the safety and security of personal information and continues to review these measures on an on-going basis.

Data will be used to populate the Grofar application and provide relevant and up-to-date information to your establishments careers service, students, parents, business and staff users.

Data Storage

All information is encrypted and stored within a cloud hosted database. The database is hosted within Microsoft Azure North Europe (Dublin). Access to the database is restricted to the Grofar application and approved employees.

Data Security

This information gives details of the management of data security in relation to the use of Grofar. Establishments may wish to use this in conjunction with their fair use policy.

Information is extracted from the school Management Information System (MIS) using Groupcall’s industry leading and secure Xporter software. The data is securely uploaded to Grofar using industry standard SSL encryption. A unique identifier configured by Grofar Ltd in Groupcall Xporter ensures that the information is linked to the correct customer account in Grofar. Groupcall Xporter accesses your school MIS system using credentials that you provide and cannot access it without them.

The information from your establishment is held inside the Grofar platform, which is hosted within Microsoft Azure North Europe (Dublin). You can find out about the security and safety policies that affect your data in more detail by contacting Grofar Ltd.

In summary, the data you transmit to us is protected from exposure using a cloud based enterprise firewall, string SSL https encryption, OAuth 2.0 application authentication, strong database encryption, data anonymization where appropriate. The Grofar building and offices have physical access control.

Grofar undergoes annual independent intrusion detection and penetration testing carried out by a third party provider to ensure the security robustness of the application and data.

Support

The Support team at Grofar Ltd are able to resolve or advise you on any technical issues that you encounter while using our products and provide first line support for Groupcall Xporter integration also. Occasionally it can be necessary for our support technicians to view the issue with you, in order to diagnose it fully and offer a solution. In circumstances where support technicians need to view the issue with you they may use remote access tools to view your computer with you, in which case you should remain at your computer and supervise the entire session.

All of our remote sessions allow you to retain control and allow you to terminate the session at any time. If your issue escalates and an additional support technician is required, then they may also be invited to join the remote session. In some cases where a second line escalation is required for Groupcall Xporter software this may involve also allowing a Groupcall support technician to join the remote session.

If your issue is a platform issue or requires changes to your account configuration, then Grofar Ltd staff may perform such configuration on your behalf from our secure management platform without requirement for remote access. You are reminded that you should avoid sending personal information, such as student/contact records, to us directly via email. You certainly should only send such information when supported by strong encryption, if there is an explicit requirement to do so. Grofar Ltd staff will advise the most secure method for transfer if there is such an explicit requirement.

Data Life Cycle

Your data’s point of origin remains in the school MIS. Changes made in the MIS are transmitted to the Grofar via Groupcall Xporter. Data is synchronised nightly from your school MIS.

New ‘personal’ records

When a new staff, student or contact record is detected in the MIS, and meets the selection criteria it will be uploaded to Grofar at the next transmission and appear in the user interface accordingly for authorised users.

Changed ‘personal’ records

When an updated staff, student or contact record is detected in the MIS, and meets the selection criteria it will be updated in Grofar at the next transmission and appear in the user interface accordingly for authorised users.

Deleted ‘personal’ records

When a staff, student or contact record in the MIS no longer meets the selection criteria or is deleted this will be notified to Grofar on the next transfer.

When a person is detected as deleted or left, Grofar immediately revokes permissions for that person and retains their historic activity indefinitely to provide audit and historical analysis and reporting. If a user is not restored after 6 months, their records are anonymised for security.

New Group Memberships

When a person is detected to have a new or changed group membership, e.g. registration group, staff post, etc. this will be notified to Grofar on the next transfer and will then be reflected in the user interface for authorised users.

Deleted or Ended Group Membership

When a person is detected to have left a group membership, e.g. year group, class group, etc. this will be notified to Grofar on the next transfer and will then be reflected in the user interface for authorised users.

Privacy Policy

This forms part of the application process to use relevant Grofar Ltd Products. The Head Teacher or an authorised member of staff will agree to have read and understood the terms and conditions outlined below:

Who is responsible for managing my information?

Grofar is provided by Grofar Ltd and its suppliers. Grofar Ltd is responsible for ensuring that your data is adequately protected in relation to the operation of Grofar platform.

Who can I contact if I have queries about this privacy policy?

If you have any queries regarding Grofar Ltd’s privacy policy please contact info@grofar.com

Will you ever update this privacy policy?

We may update this privacy policy from time to time and we will send notification to your main account contact if this is the case.

How can I update my data?

The data in Grofar reflects the data in your school MIS system, hence to correct any inaccuracies you should correct the data in your MIS and allow an overnight update to occur.

If it is important that data changes are shown more urgently; for example if a parent has been restricted from contact with their child by court order, then you can contact Grofar Ltd for assistance via support@grofar.com.

What information do we collect?

We collect student, staff and parental contact information such as names, record identifiers and contact details.

The full information we collect is detailed in the section entitled Transfer and Use of Personal Information, above.

What is my information used for in Grofar?

Your data is used to populate Grofar and provide your establishment’s careers service with up-to-date student, parent and staff records and information.

How is my information held within Grofar?

All information is encrypted and stored within a cloud hosted database. The database is hosted within Microsoft Azure North Europe (Dublin).

How long will my information be held for by Grofar?

Data will be held no longer than is absolutely necessary. Anonymised data may be kept for reporting and historical analysis purposes.

How do I delete my data from Grofar?

In order to terminate your account with us you must contact support@grofar.com.

Browser Cookies

Grofar makes use of browser cookies for the following purposes:

To manage user authentication and to track individual user behaviour in order to continuously improve the product functionality and performance.

Next Steps…

If you need any further assistance or get in to any difficulty, please contact Grofar Ltd via support@grofar.com or phone 01173155261.