Privacy Notice for Schoolcomms Users
Schoolcomms, part of ParentPay limited, is engaged in the design, development, sales, marketing, supply, maintenance and operation of payment collection, payment processing, parent communication and management information systems and services for the education market.
This notice explains to Schoolcomms Users (“you/your”) how ParentPay (“we/us”) use your personal information.
This privacy notice covers:
- Why we use your personal information
- The legal basis for processing
- What personal information we use
- How we use your personal information
- Your rights under data protection legislation
- Sharing personal information with third parties
- How long we may keep your information
- Changes to our privacy notice
- Contact details for our Data Protection Officer
Why we use your personal information
The Schoolcomms payment solutions and communication platforms provided to schools and their parents, are governed by a contract between us and the schools, Multi-Academy Trust or a Local Education Authority (“Schoolcomms Customer”), and also the Terms and Conditions that you agree with when you sign up (“Schoolcomms User”).
We process your personal data for the following purposes:
- to provide you with the service activated and registered for
- the verification of your identity where required
- for the prevention and detection of crime, fraud and anti-money laundering
- for the ongoing administration of the service
- to allow us to improve the products and services we offer to our customers
- for research and statistical analysis including payment and usage patterns
- We only use the data in an anonymized manner when we use your data for this purpose.
- to enable us to comply with our legal and regulatory obligations
- to offer new products and services to you which are relevant and appropriate, and only to the extent that would be reasonably expected.
If we plan to introduce further processes for the use of your information, we will provide information about that purpose prior to such processing.
The legal basis for processing
Under Data Protection Law, there are various grounds which are considered to be a ‘legal basis for processing’.
The legal basis for processing should be determined by the Data Controller.
Where we are the Data Processor, the legal basis is determined by the Customer. Typically, the legal basis in this scenario is:
‘processing is necessary for the performance of a task carried out in the public interest’
Where we are the Data Controller, the legal basis for processing is based on:
‘processing is necessary for the purposes of legitimate interests pursued by the controller’
It should be noted that in some circumstances this legal basis may vary, however, we always operate in full compliance with Data Protection Law and will only process data with a fair and reasonable legal basis for doing so.
What personal information we process
In order to carry out these services, we obtain (either from the Customer and/or from you directly) and process the following information:
|Data Subject (Who)||Data Category (What)||Description|
|Pupil \ Student||Forename||This is the forename of the pupil.|
|Pupil \ Student||Surname||This is the surname of the pupil.|
|Pupil \ Student||Known as||This is the name that the pupil is known as.|
|Pupil \ Student||DOB||This is the date of birth of the pupil.|
|Pupil \ Student||Gender||This is the pupil's gender|
|Pupil \ Student||Groups||Registration group (if any), year, other groups|
|Pupil \ Student||Salutation||This is the pupil’s salutation.|
|Pupil \ Student||Dietary Requirements||This is the pupils special dietary requirements|
|Pupil \ Student||Postal Address||The student's postal address|
|Pupil \ Student||Primary email address||This is the pupil’s primary email address used to receive communications from the school and to verify the pupil’s School Gateway account.|
|Pupil \ Student||Mobile Telephone||This is the pupil’s mobile telephone number used to receive alerts from the school and to verify the pupil’s School Gateway account.|
|Pupil \ Student||Identifiers||Roll/Admission number, UPN, management system identifier|
|Pupil \ Student||Meal Selections and spend history||This is a history of a pupil's meal selections and spends for school meals or non-meal-related items, including free school meals|
|Pupil \ Student||Trip information||Trip details collected from parents, e.g. emergency contacts, medical details, dietary requirements, doctor’s contact, EHIC and Passport|
|Pupil \ Student||Unexplained absence records||Any unexplained absences recorded by the school for AM or PM registration.|
|Pupil \ Student||Achievement records||Achievement records entered into the Schools MIS.|
|Pupil \ Student||Behaviour incident records||Behaviour incidents recorded on the Schools MIS.|
|Pupil \ Student||Assessment reports||Annual assessment reports generated by the school using their MIS.|
|Parents \ Contacts||Title||This is the contact’s title (Mr, Mrs, Ms, etc).|
|Parents \ Contacts||Forename||This is the contact’s forename.|
|Parents \ Contacts||Surname||This is the contact’s surname.|
|Parents \ Contacts||Authentication data||The contact’s School Gateway PIN|
|Parents \ Contacts||Gender||The contact’s gender (Salutation)|
|Parents \ Contacts||House Name||The text entered as the contact’s house name.|
|Parents \ Contacts||Street||The text entered as the contact’s street.|
|Parents \ Contacts||Locality||The text entered as the contact’s locality.|
|Parents \ Contacts||Town||The text entered as the contact’s town.|
|Parents \ Contacts||Postcode||The text entered as the contact’s post code.|
|Parents \ Contacts||Mobile Telephone||This is the contact’s mobile telephone number used to receive alerts from the school and to verify the contacts School Gateway account.|
|Parents \ Contacts||Primary Email address||This is the contact’s primary email address used to receive communications from the school and to verify the contacts School Gateway account.|
|Parents \ Contacts||Payment History and balances||This is the contact’s history of payment transactions, including reversals, refunds and withdrawals of funds.|
|Parents \ Contacts||Payment card details||Payment card details are captured and passed to a 3rd party for authorisation.|
|Parents \ Contacts||Bank account details||Bank account details are captured and passed to a 3rd party for authorisation|
|Parents \ Contacts||In-app messages||Messages sent from parents to school within the School Gateway application|
|Parents \ Contacts||Browser Details||IP address, cookies, browser information|
|Parents \ Contacts||Mobile OS||This is the operating system (iOS or Android) of the mobile phone used to access School Gateway.|
|Parents \ Contacts||Parental responsibility status||This is a marker used by schools to identify if a contact has parental responsibility over a student (allowed to give consent etc. ).|
|Parents \ Contacts||MIS Contact priority||The priority of contacts connected to a student. (i.e. 1 & 2 may be immediate family whereas 3 & 4 may be distant relatives for emergency contact purposes).|
|Parents \ Contacts||School Gateway app status||Identifies whether a user is logged into the School Gateway mobile application.|
|Parents \ Contacts||School Gateway activation date||This is the date the user activated and first logged into the School Gateway portal.|
|School Staff||Title||This is the staff member’s title (Mr, Mrs, Ms, etc.).|
|School Staff||Forename||This is the staff member’s forename.|
|School Staff||Surname||This is the staff member’s surname.|
|School Staff||Gender||The staff member’s gender|
|School Staff||Role||The staff member’s role at the school|
|School Staff||Primary email||The staff member’s primary email address|
|School Staff||Mobile telephone||The staff member’s mobile telephone number|
|School Staff||Authentication data||The staff member’s School Gateway PIN|
|School Staff||School Gateway app status||Identifies whether a staff member is logged into the School Gateway mobile application.|
|School Staff||School Gateway activation date||This is the date the staff member activated and first logged into the School Gateway portal.|
|School||School Gateway Banner||A banner logo to be displayed on the School Gateway|
|School||External links||Links to external websites to be presented to users on the School Gateway, including the school’s own website.|
|School||Address||The schools postal address|
|School||Telephone number||The schools main telephone number|
|School||Email address||The schools main email address|
|School||DfE number||A unique identification number given to every school by the department for education (DfE).|
|School||Bank account details||School bank account details for payments made via the School Gateway to be processed into.|
|School||Inbound SMS||A telephone number given to the school by Schoolcomms, this is the number parents must send SMS messages to in order to communicate with the school.|
|Website Access||IP Address||The network address of your device or internet connection|
|Website Access||Browser Type and Version||The type of Web Browser your device is using|
|Website Access||Cookies||Special records in your browser to help the website operate|
|Website Access||Web Analytics||Generalised information about browsing behaviour and page statistics|
How we process your personal information
We use your personal information, and some of our employees have access to such information, only to the extent required to carry out the services for you and on behalf of the Customer.
We have introduced appropriate technical and organisational measures to protect the confidentiality, integrity and availability of your personal information during storage, processing and transit.
We are a Level 2 PCI-DSS certified organisation and operate an ISO27001 compliant security programme to help protect your data at all times.
The Schoolcomms Products and Services only processes your personal information in the UK.
Some of our supporting services (for example Microsoft CRM), might use cloud platforms that operate from Third Countries outside of the EEA. Where this is the case, we ensure that adequate safeguards are established to protect your data.
Your rights under Data Protection Law
Right to Access
You have the right of access to your personal information that we process and details about that processing.
You can usually access that information directly within the Schoolcomms Products and Services (self-service). However, should this not be possible, you can raise a Data Subject Access Request (DSAR) to receive this information in another format.
Right to Rectification
You have the right to request that information is corrected if it’s inaccurate. You can usually update your own information using the Schoolcomms Products and Services (self-service). However, should this not be possible, your child’s school will need to correct the data held by them and provided to us for processing.
Right to Erasure (Right to be Forgotten)
You have the right to request that your information is removed; depending on the circumstances, we may or may not be obliged to action this request.
Right to Object
You have the right to object to the processing of your information; depending on the circumstances, we may or may not be obliged to action this request.
Right to Restriction of Processing
You have the right to request that we restrict the extent of our processing activities; depending on the circumstances, we may or may not be obliged to action this request.
Right to Data Portability
You have the right to receive the personal data which you have provided to us in a structured, commonly used and machine readable format suitable for transferring to another controller.
Right to lodge a complaint with a supervisory authority
If you think we have infringed your privacy rights, you can lodge a complaint with the relevant supervisory authority. You can lodge your complaint in particular in the country where your live, your place of work or place where you believe we infringed your right(s).
You can exercise your rights be sending an e-mail to firstname.lastname@example.org. Please state clearly in the subject that your request concerns a privacy matter, and provide a clear description of your requirements.
Note: We may need to request additional information to verify your identity before we action your request.
Sharing personal information with third parties
We use a range of trusted service providers to help deliver our services. All of our suppliers are subject to appropriate safeguards, operating in accordance with our specific instructions and limitations, and in full compliance with Data Protection Law.
These service providers include:
- Payment Processors – to securely process your card payments (we do not see, or store payment card details)
- SMS Providers – to send out our SMS notifications or messages sent by Customers using Schoolcomms Products and Services
- Email Providers – to send out our email notifications or messages sent by Customers using Schoolcomms Products and Services
- Hosting Providers – to manage our secure enterprise datacentres
- Security Providers – to protect our systems from attack
- Telephony Providers – we might record calls for training, quality and security purposes
- Support Portal (ZenDesk) – so that you can easily ask for help
We may also have access to your personal information as part of delivering the service.
If we need to change or add additional third parties, we will always update our Privacy Notice accordingly.
We will only disclose your information to other parties in the following limited circumstances
- where we are legally obliged to do so, e.g. to law enforcement and regulatory authorities
- where there is a duty to disclose in the public interest
- where disclosure is necessary to protect our interest e.g. to prevent or detect crime and fraud
- where you give us permission to do so e.g. by providing consent within the Schoolcomms Products and Services or via an online application or consent form
How long we may keep your personal information
We will only retain information for as long as is necessary to deliver the service safely and securely. We may need to retain some records to maintain compliance with other applicable legislation – for example finance, taxation, fraud and money laundering law requires certain records to be retained for an extended duration, in some cases for up to seven years.
Changes to our Privacy Notice
This policy will be reviewed regularly and updated versions will be posted on our websites.
Contact details for our Data Protection Officer
We have appointed a Data Protection Officer (DPO); their contact details are as follows:
Data Protection Officer