You can find the separate Data Sharing Agreement here for download.
What data we store
- For each student registered on the DFM Homework Platform, we store their name, email address, and encrypted password (the original of which is not retrievable by any individual, including administrators), year group (where specified), school name (where specified) and usage data, in terms of questions completed and summative accuracy data. No other personal information beyond name and email address is stored.
- For each teacher, we store the above data (in addition to their title), but also what classes he/she administers.
Who can access what data
- Students can access only their own data after logging in. Accounts must initially be verified via an activation email.
- Teachers can access assessment data of any student within the school. They can also see which students at their school are logged in and what question they might currently be completing. Teachers can administer student accounts, for example changing their email address or changing their class(es). The email address is viewable only if the domain extension (i.e. after the '@') matches that set for the school; it is otherwise not displayed, with an indication that a personal email address was used.
- Special 'multi-academy trust administrator' accounts can access data across schools within a trust and set assessments/homeworks to students in these schools. Approval for such accounts will only be granted with appropriate evidence of the individual's responsibilities within the trust.
- We do not allow (nor have the functionality to accommodate) teachers being able to access the data of multiple schools (other than in the capacity above). Individuals teaching at more than one school should register separately for each school.
- Only administrators can view data from other schools to ensure the smooth running of the platform. Currently this is only myself (a full-time teacher) and Mr Dupont-Panon (also a full-time teacher). Both individuals naturally have full DBS clearance. DrFrostMaths acts as data processor for your school.
- All administrators and processors of the data by DrFrostMaths are subject to confidentiality for all school-owned data that will remain indefinitely even after cessation of services.
- Students whose total 'points' put them in the top few globally will be automatically listed on the global leaderboard, with their name and school appearing. However, it should be noted that (a) full names are not given, with only the first name and surname initial given and (b) schools can opt out of the global leaderboard by using the appropriate setting on the Manage School Settings interface. This is viewable to any registered user, but will not be published elsewhere. The same applies to the times table time trial leaderboard. 'Trust' leaderboards are viewable to other leaderboards within the same Multi-Academy Trusts, again with the full name not given. All other leaderboards are internal to schools. Only students who are in a class (and by implication, verified as a student at the school by a teacher) will be able to view school leaderboards.
DrFrostMaths's role as Data Processor
(We define Customer to mean the school, or independently registered users outside of a school.)
In respect of personal data, schools/individuals acknowledge that:
- DrFrostMaths acts as a Processor; and
- The Customer acts as the Controller.
DrFrostMaths only creates accounts upon the explicit instruction of the Customer and with their consent. Assessment data is generated by students using the platform, whether by teacher-initiated assignments or independently instigated practices. Such data is only generated for the purposes of informing the Customer of their progress.
Where DrFrostMaths receives an instruction from the school/individual that, in its reasonable opinion, infringes the GDPR, DrFrostMaths will inform them.
A separate data sharing agreement, clarifying DrFrostMaths' duties as a Data Processor, can be found here.
How teacher accounts are verified
- Teacher accounts must be approved by myself (Dr Frost). An account will only be approved if it uses a school email address associated with the school's domain name, and where the email address is clearly in a teacher format. In any cases of doubt I search online for staff lists or contact the registering user to provide additional evidence.
- For the school 'Home Tutoring', only student registrations are accepted; teacher accounts will not be approved.
Fair Usage Policy
We are keen that DrFrostMaths is used for constructive learning purposes. We reserve the right to either temporarily or permanently suspend either teacher or student accounts where:
- Automated scripts/bots are used to repetitively answer questions and arbitrarily increase points.
- Any Denial of Service attack is made, where the site is flooded with traffic with the specific intent to cause disruption to services.
- There are excessive patterns of repetitive question answering behaviour. User accounts receive automated warnings where they repeatedly answer excessive consecutive questions of the same type, and accounts are automatically suspended if these warnings are ignored.
Where a student account has been suspended and needs to be reinstated, contact with DFM Support must be via a teacher at the student's school, and not via the student or their parent directly.
Use of Data by Third Parties
- No user data stored within our databases is passed on to any third parties.
- These are Cookies set by other suppliers which we may be using to enhance our site and which are controlled by them. The following section details third party Cookies you might encounter through this site. For more information on these Cookies or to opt-out of third parties collecting any data regarding your interaction on our website, please refer to their websites for further information.
- Google Analytics
Like many websites, we use Google Analytics to collect information about visitor behaviour, such as the number of visitors to the various parts of our website. We do this to compile reports that help us improve our site. Google Analytics stores information about what pages you visit, how long you are on the site, how you got here, what documents you download and what you click on. This analytics data is not tied to personally identifiable information (e.g. your name or address) so this information cannot be used to identify who you are.
Below is a description of the Google Analytics Cookies we may use on this site and what they are used for:
| Cookie | Purpose | Expiry |
|---|---|---|
| _utm.gif | Logs details about visitor's browser and computer | End of session |
| _utma | Used to distinguish users and sessions | 2 years |
| _utmb | Used to determine new sessions/visits | 30 mins |
| _utmc | Used to determine the duration of a visit | End of session |
| _utmv | Used to determine visitor behaviour during a session | End of session |
| _utmz | Stores the traffic source that explains how the user reached the site | 6 months |
| _utmt | Used to throttle request rate | 10 minutes |
| _utmt_masterTracker | Updates the total number of page visits in anonymous form | End of session |
| _ga | Used to distinguish users | 2 years |
| _gid | Used to distinguish users | 24 hours |
You can find more detailed information about the Google Analytics Cookies we use by clicking here.
You can find out more about Google's position on data privacy with regard to its analytics service, including information about the Google Analytics opt-out browser add-on, in the Privacy Controls section here.
Your right to delete stored data and account deletion
- Student accounts can be deleted by teachers at their respective school. Teachers may also delete other teachers. Any user may request to have their account deleted via an email to email@example.com. The email request must match the email address of the account being deleted, or of the teacher of a student. If students are in one or more classes set up by a teacher, we will not consent to student requests to delete their account, and this must be done by the teacher.
- DFM will automatically purge inactive accounts where the user has not logged in for over 2 years. It is the school's responsibility to delete the accounts of students who have left the school (via the Manage Classes interface) if they want to delete accounts before this time.
- If students register independently, they must verify that they have parental consent, and are provided a direct link to this policy.
How your data is protected
- The site is hosted using Google Cloud, a hosting provider used by many EdTech companies/organisations. The data is stored in London, and Google Cloud's compliance documentation can be found here.
- All data accessed via user accounts have appropriate checks to ensure the account has the correct permissions to view the data.
- In the unlikely event of any data breach, the nature of the breach, in addition to the resulting action to remedy such a breach, will be clearly communicated.
- The server has an SSL certificate (in layman's terms, the 'padlock' symbol that appears in your browser), meaning that data is transmitted securely.
- You have the right to request an audit of data stored about your school and its students.
- DrFrostMaths will provide assistance to the best of its capacity should there be an issue surrounding data.
- I (Dr Frost) am the Data Protection Officer for the site.
Disaster Recovery Plan
In compliance with EU legislation:
- (a) the pseudonymisation and encryption of personal data;
As per "What data we store", the only personal data stored is email address and name, along with assessment data purely based on usage of the platform. Passwords are encrypted and cannot be decrypted.
- (b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
Any code which accesses the database ensures appropriate permissions to view/modify/delete the data, as per "Who can access what data". The server is managed at a secure data centre by Amazon Web Services, which has a 100% uptime guarantee.
- (c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
Backups are made daily by the server administrator, which can be restored as necessary.
- (d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
I review code as per (b) to ensure access to data is appropriately restricted as described. With regards to the effectiveness of the server, this is as per the host provider Amazon Web Services' own GDPR compliance.
ICO number and Data Protection Complaints
My ICO (Information Commissioner's Office) number is ZA739389. You have the right to make a complaint to the ICO on any data protection matter. This can be done by visiting www.ico.org.uk. We'd be grateful if you could discuss the matter with us first so we can resolve the issue where appropriate.
If you have further questions about safeguarding or data protection
Please contact firstname.lastname@example.org for any further queries.