Grofar Data Sharing Policy - Feb 2023

This document should be read in conjunction with:

What is Grofar?

Grofar is a single software platform comprising two software solutions: a Careers Service Management solution and a Work Placement Management solution. The Grofar platform is for use by Schools, Colleges, Multi Academy Trusts, Education Providers, Charity Organisations, Training Providers, Local Authorities and learners/young people. Grofar significantly reduces the time spent on administration, streamlines processes and stores all careers or work placement information in one place.

Document Aims

This document details the data objects and items that your establishment will share with Grofar Ltd, how and by whom that data is used, how and for how long it is stored, and how it is safeguarded and secured. This information provides a framework for our Data Sharing Agreement (DSA) with you. The DSA is an important document which supports our joint obligation to comply with the General Data Protection Regulation (EU) 2016/679 (retained in domestic law now the transition period has ended), the Data Protection Act 2018 and the Information Commissioner’s Office (ICO) mandate. In order to use Grofar, your organisation must understand and formally accept this agreement.

Transfer and Use of Personal Information

For the purpose of allowing authorised users to use Grofar we require transmission of specific personal information. The data will in part be classified in accordance with the UK Government’s Information Security Design Manual Business Impact Levels.

Data shared for each data subject, by establishment type (Schools; Colleges; All Other Education Providers/Charity Organisations), with the purpose of processing:

Students/Young Person currently on roll

Schools:
  • Forename
  • Surname
  • Middle Name
  • Display Name
  • Admission No
  • Gender
  • Registration Group Membership
  • Year Group Membership
  • House Group Membership
  • UPN (Unique Pupil Number)
  • Date of Birth
  • ULN (Unique Learner Number)
  • Educational and Health Care Plan
  • Enrolment Status
  • SEN Provision
  • FSM Eligible
  • Pupil Premium
  • EAL
  • YSSA
  • Uniform Allowance
  • Parental Salutation
  • Address
  • Email Communications
  • Student Photo
  • Student Timetable

Colleges:
  • StudentID
  • Surname
  • Forename
  • Date of Birth
  • Gender
  • Telephone
  • Email
  • Tutor
  • Campus
  • Educational and Health Care Plan
  • Special Educational Needs
  • Learning Difficulties
  • Course Memberships & Enrolments

All Other Education Providers/Charity Organisations:
  • StudentID
  • User ID
  • Email
  • FirstName
  • LastName
  • PreferredName
  • DateOfBirth
  • AddressTownCity
  • AddressCounty
  • AddressCountry
  • ServiceName
  • ServiceType
  • ServiceLocation/Postcode
  • LeadProjectWorker
  • LeadProjectWorkerEmail
  • LeadProjectWorkerPhone
  • GenderIdentity
  • SexualIdentity
  • Ethnicity
  • Religion
  • Disability
  • CareStatus
  • YoungCarer
  • Parent
  • Volunteer
  • ActiveServiceUser

Purpose of processing:

To allow careers or work placement activity to be logged against students.

To analyse provision by biographical attributes.

It should be noted that any establishment is in full control of which records they transfer and can limit the records to just those with a justifiable reason for inclusion.

Staff in the employment of the Institution

Schools:
  • Staff Code
  • Forename
  • Surname
  • Middle Name
  • Display Name
  • Gender
  • Work Email
  • Work Phone
  • Date Of Birth
  • Is Teacher
  • Is Support
  • Staff member Photo
  • School Timetable information

Colleges:
  • FirstName
  • LastName
  • JobTitle
  • Email
  • Reference Number

All Other Education Providers/Charity Organisations:
  • FirstName
  • LastName
  • JobTitle
  • Email
  • Reference Number

Purpose of processing:

This section refers to Staff who will be users of Grofar. The data will allow the system to log them in based on the details provided. Staff typically includes Work Experience Coordinators and Careers Advisers, who will be logging in to maintain the records, and Tutors and Curriculum Staff, who will access the system to monitor students' progress.

It should be noted that any establishment is in full control of which records they transfer and can limit the records to just those with a justifiable reason for inclusion.

Parent or Carer of students enrolled

Schools:
  • Relationship
  • Forename
  • Surname
  • Display Name
  • Work Email
  • Home Email
  • Mobile Phone

Colleges:
  • Surname
  • Forename
  • Title
  • HomePhone
  • MobilePhone
  • Email
  • Relationship

All Other Education Providers/Charity Organisations:
  • Surname
  • Forename
  • Title
  • HomePhone
  • MobilePhone
  • Email
  • Relationship

Purpose of processing:

To enable consent to be obtained for students under 18.

Provides emergency contact information.

Information is only visible to college/school/establishment staff.

It should be noted that any establishment is in full control of which records they transfer and can limit the records to just those with a justifiable reason for inclusion.

Business contacts of the Institution – providers of work placements or services
  • BusinessName
  • CompanyRegistrationNumber
  • EmployerReferenceNumber
  • Website
  • Profile
  • IndustrySector
  • CompanySize
  • HasPublicLiability
  • PublicLiabilityAmount
  • PublicLiabilityPolicyNumber
  • PublicLiabilityExpiresDate
  • HasEmployerLiabilityInsurance
  • EmployerLiabilityInsuranceAmount
  • EmployerLiabilityInsurancePolicyNumber
  • EmployerLiabilityInsuranceExpiresDate
  • EmployerLiabilityInsuranceIssuerName
  • DepartmentID
  • GrofarInternalDepartmentID
  • DepartmentName
  • IsPrimaryDepartment
  • DepartmentPhone
  • DepartmentDbsCheckIsRequired
  • DepartmentHigherRiskAssessmentRequired
  • DoNotContactDepartment
  • DepartmentAddress1
  • DepartmentAddress2
  • DepartmentAddress3
  • DepartmentAddressTown
  • DepartmentAddressCounty
  • DepartmentPostCode
  • DepartmentHealthAndSafetyChecked
  • DepartmentHealthAndSafetyCheckedDate
  • DepartmentHealthAndSafetyExpiresDate
  • ContactID
  • GrofarInternalContactID
  • MainContactEmail
  • MainContactPhone
  • MainContactTitle
  • MainContactName
  • MainContactGender
  • MainContactJobTitle
  • IsPrimaryContact
  • IsDepartmentPrimaryContact
  • IsHealthAndSafetyContact
  • DepartmentHasEmployerLiabilityInsurance
  • DepartmentEmployerLiabilityInsuranceAmount
  • DepartmentEmployerLiabilityInsurancePolicyNumber
  • DepartmentEmployerLiabilityInsuranceExpiresDate
  • DepartmentEmployerLiabilityInsuranceIssuerName
    • Business Contacts
    • Contact Name
    • Contact Gender
    • Contact Title
    • Contact Email
    • Contact Telephone
    • Address
    • Contact Job Title
    • Contact is Primary
    • Contact is H&S Contact

To enable communications with regard to Health and Safety and placement attendance, and to enable feedback to be obtained.

It should be noted that any establishment is in full control of which records they transfer and can limit the records to just those with a justifiable reason for inclusion.

Information about the establishment

Schools:
  • Name
  • Head
  • Main Contact
  • Telephone
  • Web address
  • Email address
  • DfE or Deni No
  • Governance
  • Phase
  • School Timetable
  • Group Information (Year Groups, Registration Groups, Houses):
    • Code
    • Name
    • Number of Students
    • Primary Staff Member
    • Staff
    • Type

Colleges:
  • Courses
  • Course Code
  • Course Instance
  • Course Level
  • Course Title
  • Start Date
  • End Date
  • FacultyCode
  • Faculty Name
  • SectorCode
  • Sector Name
  • ProgrammeAreaCode
  • ProgrammeArea
  • ProgrammeAreaLocation
  • CollegeName

All Other Education Providers/Charity Organisations:
  • Courses
  • Course Code
  • Course Instance
  • Course Level
  • Course Title
  • Start Date
  • End Date
  • FacultyCode
  • Faculty Name
  • SectorCode
  • Sector Name
  • ProgrammeAreaCode
  • ProgrammeArea
  • ProgrammeAreaLocation
  • CollegeName

Purpose of processing:

To accurately align the students to the relevant groups or enrolments.

Students/Young Persons or Staff who have left the establishment

Data items (Schools, Colleges, All Other Education Providers/Charity Organisations): As above (for students/young people and staff)

Data is archived automatically as and when the establishment ceases to provide this information.

Grofar retains this data within archive for a period of 5 years, unless complete removal is requested by the institution.

Students/Young Persons or Staff who have not yet started at the establishment

Data items (Schools, Colleges, All Other Education Providers/Charity Organisations): As above (for students/young people and staff)

Data is loaded from the establishment's MIS which may include early registration data.

Data is archived automatically as and when the establishment ceases to provide this information.

Grofar retains this data within archive for a period of 5 years, unless complete removal is requested by the institution.

Grofar Ltd and its suppliers will be acting as ‘data processors’ as defined by the Data Protection Act 2018. Grofar Ltd has taken all reasonable measures to ensure the safety and security of personal information and continues to review these measures on an on-going basis.

Data will be used to populate the Grofar application and provide relevant and up-to-date information to your establishment's careers service, students, parents, business and staff users.

Data Storage

All information is encrypted and stored within a cloud hosted database. The database is hosted within Microsoft Azure North Europe (Dublin). Access to the database is restricted to the Grofar application and approved employees.

Data Security

This information gives details of the management of data security in relation to the use of Grofar. Establishments may wish to use this in conjunction with their fair use policy.

For Schools

Information is extracted from the school Management Information System (MIS) using Groupcall’s industry leading and secure Xporter software. The data is securely uploaded to Grofar using industry standard SSL encryption. A unique identifier configured by Grofar Ltd in Groupcall Xporter ensures that the information is linked to the correct customer account in Grofar. Groupcall Xporter accesses your school MIS system using credentials that you provide and cannot access it without them.

For Colleges/Education Providers/Charity Organisations

Information is extracted from the establishment's MIS using either CSV Import or the Grofar supplied API. The data is securely uploaded to Grofar using industry standard SSL encryption. A unique identifier configured by Grofar Ltd ensures that the information is linked to the correct customer account in Grofar. The Grofar API accesses your MIS using credentials that you provide and cannot access it without them.

In summary, the data you transmit to us is protected from exposure using a cloud-based enterprise firewall, strong SSL https encryption, OAuth 2.0 application authentication, strong database encryption and, where appropriate, data anonymisation. The Grofar building and offices have physical access control.

Grofar undergoes annual independent intrusion detection and penetration testing carried out by a third-party provider to ensure the security robustness of the application and data.

Support

The Support team at Grofar Ltd are able to resolve or advise you on any technical issues that you encounter while using our products, and also provide first line support for Groupcall Xporter integration. Occasionally it can be necessary for our support technicians to view the issue with you in order to diagnose it fully and offer a solution. In these circumstances they may use remote access tools to view your computer with you, in which case you should remain at your computer and supervise the entire session.

All of our remote sessions allow you to retain control and to terminate the session at any time. If your issue escalates and an additional support technician is required, then they may also be invited to join the remote session. In some cases where a second line escalation is required for Groupcall Xporter software, this may also involve allowing a Groupcall support technician to join the remote session.

If your issue is a platform issue or requires changes to your account configuration, then Grofar Ltd staff may perform such configuration on your behalf from our secure management platform without requirement for remote access. You are reminded that you should avoid sending personal information, such as student/contact records, to us directly via email. If there is an explicit requirement to send such information, you should only do so when it is protected by strong encryption. Grofar Ltd staff will advise the most secure method for transfer if there is such an explicit requirement.

Data Life Cycle

Your data’s point of origin remains in the establishment's MIS. Changes made in the MIS are transmitted to the Grofar platform via Groupcall Xporter or the Grofar API. Data is synchronised nightly from your establishment's MIS.

New ‘personal’ records

When a new staff, student or contact record is detected in the MIS and meets the selection criteria, it will be uploaded to Grofar at the next transmission and appear in the user interface accordingly for authorised users.

Changed ‘personal’ records

When an updated staff, student or contact record is detected in the MIS and meets the selection criteria, it will be updated in Grofar at the next transmission and appear in the user interface accordingly for authorised users.

Deleted ‘personal’ records

When a staff, student or contact record in the MIS no longer meets the selection criteria or is deleted, this will be notified to Grofar on the next transfer.

When a person is detected as deleted or left, Grofar immediately revokes permissions for that person. If a user is not restored after 6 months, their records are anonymised for security. Anonymised historic activity data is retained for auditing, analysis and reporting purposes.

New Group Memberships

When a person is detected to have a new or changed group membership, e.g. registration group, staff post, etc., this will be notified to Grofar on the next transfer and will then be reflected in the user interface for authorised users.

Deleted or Ended Group Membership

When a person is detected to have left a group membership, e.g. year group, class group, course code, etc., this will be notified to Grofar on the next transfer and will then be reflected in the user interface for authorised users.

Obligations of the “Data Controller”

The School, College, Education Provider, or Charity Organisation as “Data Controller” must abide by the requirements of the UK GDPR, specifically:

  • Personal Data must be processed legally and fairly;
  • It must be collected for explicit and legitimate purposes and used accordingly;
  • It must be adequate, relevant and not excessive in relation to the purposes for which it is collected and/or further processed;
  • Data controllers must ensure that data subjects can rectify, remove or block incorrect data about themselves;
  • Data that identifies individuals (personal data) must not be kept any longer than strictly necessary;
  • Data controllers must protect personal data against accidental or unlawful destruction, loss, alteration and disclosure, particularly when processing involves data transmission over networks. They shall implement the appropriate security measures;
  • These protection measures must ensure a level of protection appropriate to the data.

With regard to Grofar, the “Data Controller” must provide any instructions to vary the data being shared and its usage in writing and must manage the consent process with the subjects of their data – specifically students, staff, alumni, employers and other contacts included in the Grofar database.

Responsibilities of the "Data Processor"

Grofar as "Data Processor" must abide by the requirements of the UK GDPR, specifically:

  • the processor must only act on the controller’s documented instructions, unless required by law to act without such instructions;
  • the processor must ensure that people processing the data are subject to a duty of confidence;
  • the processor must take appropriate measures to ensure the security of processing;
  • the processor must only engage a sub-processor with the controller’s prior authorisation and under a written contract;
  • the processor must take appropriate measures to help the controller respond to requests from individuals to exercise their rights;
  • taking into account the nature of processing and the information available, the processor must assist the controller in meeting its UK GDPR obligations in relation to the security of processing, the notification of personal data breaches and data protection impact assessments;
  • the processor must delete or return all personal data to the controller (at the controller’s choice) at the end of the contract, and the processor must also delete existing personal data unless the law requires its storage; and
  • the processor must submit to audits and inspections. The processor must also give the controller whatever information it needs to ensure they are both meeting their Article 28 obligations.

General information

Use of the Grofar system is subject to agreement of our licence and privacy policies.

The following questions and answers are provided to help you understand how these work in practice.

Who is responsible for managing my information?

Grofar is provided by Grofar Ltd and its suppliers. Grofar Ltd is responsible for ensuring that your data is adequately protected in relation to the operation of the Grofar platform.

Who can I contact if I have queries about this policy?

If you have any queries please contact [email protected]

Will you ever update this policy?

Government regulations frequently change and this policy may well change. We will notify customers of any changes and update the web version of this and other documents available via www.grofar.com.

How can I update my data?

The data in Grofar reflects the data in your MIS system, so to correct any inaccuracies you should correct the data in your MIS and allow an overnight update to occur.

If it is important that data changes are shown more urgently, for example if a parent has been restricted from contact with their child by court order, then you can contact Grofar Ltd for assistance via [email protected].

How long will my information be held for by Grofar?

Data will be held no longer than is absolutely necessary. Anonymised data may be kept for reporting and historical analysis purposes.

How do I delete my data from Grofar?

In order to terminate your account with us you must contact [email protected]. We will either delete your data or return it on demand in electronic form.