Safeguarding and General Data Protection Regulation (GDPR) Compliance
What data we store
- For each student registered on the DFM Homework Platform, we store their name, email address, and encrypted password (the original of which is not retrievable by any individual, including administrators), year group (where specified), school name (where specified) and usage data, in terms of questions completed and summative accuracy data. No other personal information beyond name and email address is stored.
- For each teacher, we store the above data (in addition to their title), but also what classes he/she administers.
Who can access what data
- Students can access only their own data after logging in. Accounts must initially be verified via an activation email.
- Teachers can access assessment data of any student within the school. They can also see which students at their school are logged in and what question they might currently be completing. Teachers can administer student accounts, for example changing their email address or changing their class(es). The email address is viewable only if the domain extension (i.e. after the '@') matches that set for the school; it is otherwise not displayed, with an indication that a personal email address was used.
- Special 'multi-academy trust administrator' accounts can access data across schools within a trust and set assessments/homeworks to students in these schools. Approval for such accounts will only be granted with appropriate evidence of the individual's responsibilities within the trust.
- We do not allow (nor have the functionality to accommodate) teachers being able to access the data of multiple schools (other than in the capacity above). Individuals teaching at more than one school should register separately for each school.
- Only administrators can view data from other schools to ensure the smooth running of the platform. Currently this is only myself (a full-time teacher) and Mr Dupont-Panon (also a full-time teacher). Both individuals naturally have full DBS clearance. DrFrostMaths acts as data processors for your school.
- All administrators and processors of the data by DrFrostMaths are subject to confidentiality for all school-owned data that will remain indefinitely even after cessation of services.
- Students whose total 'points' put them in the top few globally will be automatically listed on the global leaderboard, with their name and school appearing. However, it should be noted that (a) full names are not given, with only the first name and surname initial given and (b) schools can opt out of the global leaderboard by contacting me at email@example.com. This is viewable to any registered user, but will not be published elsewhere. The same applies to the times table time trial leaderboard. 'Trust' leaderboards are viewable to other leaderboards within the same Multi-Academy Trusts, again with the full name not given. All other leaderboards are internal to schools.
How teacher accounts are verified
- Teacher accounts must be approved by myself (Dr Frost). An account will only be approved if it uses a school email address associated with the school's domain name, and where the email address is clearly in a teacher format. In any cases of doubt I search online for staff lists or contact the registering user to provide additional evidence.
- For the school 'Home Tutoring', only student registrations are accepted; teacher accounts will not be approved.
Your right to delete stored data and account deletion
- Student accounts can be deleted by teachers at their respective school. Teachers may also delete other teachers. Any user may request to have their account deleted via an email to firstname.lastname@example.org. The email request must match the email address of the account being deleted, or of the teacher of a student. If students are in one or more classes set up by a teacher, we will not consent to student requests to delete their account, and this must be done by the teacher.
- DFM will automatically purge inactive accounts where the user has not logged in for over 2 years. It is the school's responsibility to delete the accounts of students who have left the school (via the Manage Classes interface) if they want to delete accounts before this time.
- If students register independently, they must verify that they have parental consent, and are provided a direct link to this policy.
How your data is protected
- The site is hosted using Amazon Web Services, a hosting provider used by many EdTech companies/organisations. The data is stored within the EU, and AWS's compliance documentation can be found here.
- All data accessed via user accounts have appropriate checks to ensure the account has the correct permissions to view the data.
- In the unlikely event of any data breach, the nature of the breach, in addition to the resulting action to remedy such a breach, will be clearly communicated.
- The server has an SSL certificate (in layman's terms, the 'padlock' symbol that appears in your browser), meaning that data is transmitted securely.
- No data is shared with Third Parties.
- You have the right to request an audit of data stored about your school and its students.
- DrFrostMaths will provide assistance to the best of its capacity should there be an issue surrounding data.
- I (Dr Frost) am the Data Protection Officer for the site.
Disaster Recovery Plan
In compliance with EU legislation:
- "(a) the pseudonymisation and encryption of personal data;"
As per "What data we store", the only personal data stored is email address and name, along with assessment data purely based on usage of the platform. Passwords are encrypted and cannot be unencrypted.
- (b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
Any code which accesses the database ensures appropriate permissions to view/modify/delete the data, as per "Who can access what data". The server is managed at a secure data centre by Amazon Web Services, which has a 100% uptime guarantee.
- (c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
Backups are made daily by the server administrator, which can be restored as necessary.
- (d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
I review code as per (b) to ensure access to data is appropriately restricted as described. With regards to the effectiveness of the server, this is as per the host provider Amazon Web Services' own GDPR compliance.
My ICO (Information Commission Office) number is 00014019818. You have the right to make a complaint to the ICO on any data protection matter.
If you have further questions about safeguarding or data protection
Please contact email@example.com for any further queries.