Security and Privacy
This security and privacy policy is for users of the Evidence for Learning software and service (https://www.evidenceforlearning.net), which is owned and operated by theTeacherCloud Ltd. In this document, ‘We’ means theTeacherCloud Ltd.
The Evidence for Learning Software and Service
The Evidence for Learning software and service allows organisations to collect, record, store, analyse and share (learning) data about their learners and other stakeholders. The service allows the organisation and its staff to share data with the parents and other stakeholders connected with the learners.
Security
Evidence for Learning stores the organisation’s data on the device and in the Cloud.
On the device:
Only activated and licensed devices have access to data.
Photos and videos collected using the App are not automatically stored in the device camera roll or photo stream (outside of the app).
The app has passcode protection, and your iOS device itself can also be passcode-enabled, which helps prevent unauthorised access.
Each of your devices is given a unique DeviceID and DeviceKey (like a username and password) granting permissions to access your (and ONLY your) data in the Cloud.
With a Cloud Subscription, the App can be remotely deactivated by theTeacherCloud should a device be lost or stolen. Passwords can be remotely reset.
Cloud infrastructure:
Our Cloud service is hosted on Amazon Web Services infrastructure (AWS) within the EU in highly secure, access-controlled data centres operated by AWS. (https://aws.amazon.com/security/)
Our services are configured as autoscaling, load-balanced, resilient environments, each configured across multiple geographically distributed availability zones. This ensures high levels of uptime and performance.
We have configured our environments to use VPC networks with robust security groups controlling access.
Our cloud infrastructure hard disks are encrypted; all data is encrypted at rest.
We use SSL/TLS 1.2 security at the network level to ensure all data is encrypted in transit.
Our User Manager tool forces a strong Password Policy containing a mix of uppercase, lowercase, numeric and special characters.
User passwords are salted and hashed using SHA-512.
Our User Manager supports two-factor authentication (2FA).
Your Cloud Administrator has a password to maintain your system data stored in the Cloud.
Cloud data is protected with class-level and object-level Access Control Lists (ACLs).
We routinely conduct 3rd party security audits to verify the security and integrity of our systems and internal controls.
We have an internal data access policy that restricts access to personally identifiable information to a limited number of employees with a specific business need (such as for technical support).
No customer information is stored on individual employee computers.
We routinely monitor our systems for security breaches and attempts at inappropriate access.
Privacy Policy and Data Protection
In summary:
During normal use of the App, evidence photos, videos and data are transmitted from the app to our secure data centres.
All data transfer between a user’s device and our data centres in the cloud is encrypted and happens securely via HTTPS using SSL.
The data stored in our data centres is used for no other purpose than to provide the services available in the App.
theTeacherCloud staff may access your data only to assist with support queries or maintenance.
All staff using the App should be subject to their organisation’s policy on “Acceptable use of Electronic Communications”.
Learners featured on evidence photos and videos should be subject to the organisation’s standard “Parental Permission for Photos” policy where appropriate.
We are registered with the UK Information Commissioner’s Office (www.ico.org.uk) with registration number ZB240514 and comply with the ICO’s mandate.
Under the terms of the Data Protection Act 2018 (DPA 2018), the UK GDPR, the Data Protection Directive (95/46/EC), the Regulation of Investigatory Powers Act 2000, the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 (SI 2000/2699), the Electronic Communications Data Protection Directive (2002/58/EC), the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2426/2003) as amended by the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 (SI 2011/1208) and any national implementing laws, regulations and secondary legislation, as amended or updated from time to time in the UK and, if the UK GDPR is no longer directly applicable in the UK, any successor legislation to the UK GDPR or the DPA 2018 (collectively referred to here as the Data Protection Legislation), the school or organisation using the Evidence for Learning software is the Data Controller and theTeacherCloud Ltd and its service providers are Data Processors.
It is the organisation’s responsibility as Data Controller to be registered under the Data Protection Legislation and other relevant legislation and regulations.
Our Data Protection Officer, Barry Wood, can be reached at dataprotection@theteachercloud.net
What data do we collect?
For each organisation we collect and store:
- The name and address of the organisation.
- The name, email address and telephone number of staff and individuals at the organisation who pay for and/or use our service.
We store this information in order to administer, support and charge for the software and service.
You (the organisation) may additionally collect and store some or all of the following data on our service:
The names and email addresses of the organisation’s staff.
The names, dates of birth, gender, email addresses of their learners and other data relevant to the learning needs and profile of your learners.
The names and email addresses of the parents and related or relevant stakeholders of your learners.
The contents of a Learner Profile:
Observations and assessments related to a learner’s development, performance and progress.
Notes, photographs and videos of the learners and evidence related to their learning.
You (the organisation) have the freedom to choose which of the above data you store, and are able to delete it. You (the organisation) also choose who has access to the data.
In providing the software and service, we may from time to time send emails to staff and other stakeholders (such as parents) in order to confirm email addresses and reset passwords, and may notify your users of events relating to the organisation’s use of the software and service (such as when a new observation is added about a learner).
We collect the following information from visitors to our sites:
- IP addresses
- Information about their web browser, device or computer
- Which pages people view
We use this information to monitor the security of our service, to help us improve the service and to improve the way we market the service (e.g. what search terms were used to discover our site).
We collect the following information from users of our tablet and phone applications:
- The make and model of the device
- The version of the operating system
- Details of any crashes that occur in the application
- Which screens people view in the application, although not the specific content of those screens
We use this information to help us improve the service (e.g., troubleshoot crashes).
We collect the following information about people who contact us by email or through our support ticket system:
- The person’s email address, telephone number (if provided) and the contents of the email
We use this information to respond to questions or problems raised by our users.
When customers pay for our services, we may pass them to a Payment Service Provider (PSP), currently PayPal, which will collect the appropriate credit card and address verification details. We do not hold any credit card information ourselves.
How do we collect the data?
Data is typically entered by you and/or staff at your organisation directly into our software (either via the mobile application or web console). You (the organisation) may permit learners and other stakeholders (e.g. parents of learners) to add data to the service. If you have chosen the option to integrate our software with your other third party software (e.g. MIS integration), then we may collect data from that 3rd party software.
We may store cookies on users’ computers and devices in order to verify that the user is logged in and to store their preferences. The cookies themselves do not contain any identifiable information about the user or the information they are looking at.
Information about the computers and devices that visit our site and access our software may be collected by Google Analytics and MixPanel; however, NO information that is stored by you (the organisation) on our system is sent to Google or MixPanel. To clarify, Google and MixPanel are NOT able to view or access any data about your staff, learners or other stakeholders (e.g. parents of learners). You can read the privacy policies for Google and MixPanel here: https://support.google.com/analytics/answer/6004245?hl=en; https://mixpanel.com/privacy/
Who owns the data?
You (the organisation using the software and service) are the Data Controller.
theTeacherCloud Ltd and its service providers are Data Processors acting on behalf of the organisation (which is the customer of theTeacherCloud Ltd).
The only exception is that theTeacherCloud Ltd is a Data Controller for our own customer account information (e.g. for billing, administrative and support data and purposes).
Who do we share data with?
We do not share customer data, except as explicitly requested by you (the organisation).
You (the organisation) can provide access to data to your staff, learners and other stakeholders (such as the parents of learners).
The organisation and its staff can view, download or print some or all of the data and share it with other staff, parents, government agencies and any other stakeholders at their discretion.
theTeacherCloud Ltd ONLY accesses and processes the data stored by you (the organisation) in order to provide, troubleshoot or improve the software and service.
To clarify, data collected and stored by you (the organisation) is not used for commercial purposes. We do not pass on any personal data or metadata for any commercial purpose and we will NOT sell or rent any information to any third party for any reason.
Can I (we) have my (our organisation’s) data corrected or deleted?
Yes, you (the organisation) can correct or delete your data that is stored within the software by us, without the need to contact or involve us directly.
You (the organisation) can request that we correct or delete the information we store and process on your behalf where you are reasonably unable to make the required changes.
At the end of a contract, a leaving customer’s data is made inaccessible immediately; however, if you (the organisation) provide us with a written request within 10 days of the effective contract termination date, we will make the software accessible for a period of 28 days after the effective contract termination date (Download Period) for the purposes of allowing you to download your data in the format it is typically made available via the software.
The deletion of data will then be fully completed within 30 days. This gives customers time after contract end to retrieve their data. Once we have completed the deletion process we will notify you in writing to confirm.
What are your (the organisation’s) responsibilities?
When you subscribe to and/or use our software and services, you agree to our terms and conditions as contained in your organisation’s sales invoice and the Data Processing Agreement.
You (the organisation that uses our software and service) have overall responsibility for complying with the Data Protection Legislation requirements (or the equivalent in other countries). It is your (the organisation’s) responsibility as Data Controller to be registered under the Data Protection Legislation.
All staff using the App should be subject to your organisation’s policy on “Acceptable use of Electronic Communications”.
Learners featured on evidence photos and videos should be subject to the organisation’s standard “Parental Permission for Photos” policy where appropriate.
It is important that you (the organisation) have taken care to:
- Think about what information it is appropriate to share with whom
- Ensure you have permission from parents or carers (where appropriate) for the data you wish to store about them and the way that you wish to use that data.
- Train your staff about sensible security and confidentiality precautions:
  - Taking care of passwords
  - Taking care not to install software on devices and computers that may compromise security.
  - Taking care not to access material from inappropriate places where it can’t be kept appropriately confidential.
- Prevent access to the software and service for stakeholders (e.g. parents) where the learner has been made inactive or has been deleted.
- Give stakeholders such as parents instructions for keeping the data protected.
Additional information…
https://aws.amazon.com/security/
https://aws.amazon.com/privacy/
https://aws.amazon.com/compliance/gdpr-center/
For further information, please contact us at info@theteachercloud.net or dataprotection@theteachercloud.net