Managing Privacy and Personal Data – classroom.cloud at a glance

Hi guys! We just wanted to give you a run-down on how NetSupport (as most humans know us) protects your users’ data and helps respect their privacy when you have, or are looking to get, a classroom.cloud subscription.

This guide is about where and how NetSupport Group uses your data – and these are your instructions to us. This is generally based around the GDPR in UK/Europe but we also talk about other regions too.[i] We have tried not to use too much legal language, but sometimes we may need to point to particular things. For example, if we say ‘you’ or ‘your’, we will mean your organisation as the Data Controller. If we say ‘we’, ‘us’, ‘our’ or ‘NetSupport’, we mean NetSupport as the Data Processor. 

Click here to read the full Data Processing Agreement.

Types of data we collect to use (Tell me why)

• Contact details
• Information we get from other systems
• Information that identifies users
• Information about devices and activities
• Information on how your users use classroom.cloud
• Lesson activities
• Possible safeguarding issues
• Audit information about your classroom.cloud

How we use your data (How exactly?)

• To provide you with an online, classroom management system for learning and teaching in lessons, including controlling access to applications and the internet.
• To provide you with information and tools to deliver technical support within your organisation.
• To monitor and provide information/evidence about what learners are doing during and outside of lessons, which may indicate possible safeguarding issues.
• To send nominated staff information about possible safeguarding issues, or concerns reported by end users, including exporting to systems authorised by you.
• To maintain a consistent audit trail of activities and actions.
• To keep classroom.cloud running and improve the existing service and tools.
• To give personalised customer support.

Sub-processors and partners who process your data (What do they do?)

NetSupport uses the following services to help us store and process your data on our behalf:

• Infrastructure: Microsoft Azure
• Integrations: Microsoft SDS, Google Classroom, Classlink, Clever, My Concern, CPOMS
• Comms: Twilio Sendgrid, Tawk.to

We use cookies (How can I choose?)

• We use only necessary cookies to run and improve the service.
• We use only necessary cookies to run and improve how we manage our customer relationship with you.
• Our partners/sub-processors use cookies too, which they control.
• You can turn off cookies but this will mean, for example, that we can’t recognise you in in-app functions or we can’t resolve issues so efficiently.

When and how we collect data (Am I included?)

We collect data from people and devices connected to the classroom.cloud platform, people browsing our website, NetSupport customers and people who view or obtain support through NetSupport, when…

Helping you support user rights (What can users do?)

All users have to come through your organisation to make use of their rights [ii]. To support that, we make sure that:

• You can access information we hold for you.
• You can ensure information is held for you.
• You can complain about us.

If you have any concerns about your data’s privacy at NetSupport, please get in touch via our contact form, email us at [email protected]  or hit the Chat button on our website to talk to us.

The classroom.cloud Data Processing Agreement

Our role in your privacy

If you are a NetSupport customer or subscriber, or just trialling our platform, this agreement applies to you. As part of the Terms of Service and Privacy Policy in our contract with you, you should check this agreement to make sure that this is understood to be the instructions that YOU (the Data Controller) give US (the Data Processor), as we are the provider of the classroom.cloud platform. This agreement is based on the UK GDPR, but may talk about other regions where there is a difference[iii].

Our responsibilities

If you are a registered customer or using a trial, we act as the ‘Data Processor’ of personal data. This means that we provide you with a service that allows you to process personal data based on the purpose and means that you have decided on. We are registered with the UK Information Commissioner’s Office under number Z9139408. We also provide you with all details of who we work with, technical and security information and how you can make checks to ensure we are meeting our requirements against both this agreement and any relevant laws.  

As you have entrusted us to provide a service to you which processes personal data, we want to help you with your need to show that you are looking after the personal data too. This agreement is designed to help with your risk assessments and our commitment to supporting you with any audits or inspections you are involved in. 

As part of this agreement, we will provide clear information together with linked documents, be available to discuss and work through any questions you have, provide information about our partners who we use to process your data, and give guidance to help you take a privacy-first approach with our tools. 

Your responsibilities

• Read this Data Processing Agreement.
• Check any contract or Terms of Service between us or any other document we have asked you to look at, as these may also have specific information that you want.
• Where you have provided us with personal information as part of our service, or where your end-users (staff and children) have provided us with personal data, it will only be used for the reasons it was provided to us. By submitting the information to us, you confirm that you have the right to authorise us to process it on your behalf in accordance with this Data Processing Agreement.
• You have reviewed the most appropriate use of classroom.cloud in your school and considered its impact on privacy

What if I am just using classroom.cloud as a user (such as a member of staff or a learner)?

If you are signing into classroom.cloud because it is provided to you through your organisation (that is to say, the organisation is the Data Controller and we are the Data Processor), then this document will help you better understand how NetSupport handles your information on behalf of your organisation. In addition, your organisation will be able to explain through more things such as their Privacy Notice. You should be able to find this on your organisation’s website, handbook or guides.

When and how we collect data

From the first moment your users interact with classroom.cloud, we are collecting data. Sometimes users provide us with data, sometimes your organisation provides us with data and sometimes data about users is collected automatically.

Here’s when and how this is done

We  and audit 

What types of data we collect

Contact details

Your name, email address, photograph, role in the organisation, groups such as class/year/department, contact numbers, organisation details.

Technical data that identifies you

Your IP address, login information, browser type, time zone setting, browser plug-in types, geolocation information about where you might be, the device you are using, operating system and version, applications installed and used, websites accessed.

Data on how you use classroom.cloud during lessons

Images of your desktop whilst you are working; responses to surveys provided by your teacher/instructor; requests for help/chats with your teacher/instructor; rewards points; applications used and websites accessed.

Data on how classroom.cloud is accessed or changes made

Information on access to the teacher/admin portal, changes to groups/devices/users, an audit trail for any configuration changes and who made them.

Data on how you use your computer or device, for monitoring and safeguarding purposes

Images or video of your desktop whilst you are working; matched phrases or keywords; requests for help/chats with your teacher/instructor; rewards points; applications used and websites accessed.

What about really sensitive data?

We know that you will be using classroom.cloud in lessons and other general activities as part of life in your organisation. When your learners are using their devices during lessons, talk with others via their devices and share how they are feeling or their particular experiences, then you may be sharing sensitive information. You may also include learners in particular groups based on ‘sensitive data’ (like racial or ethnic origin, political opinions, religious/philosophical beliefs, genetic data, biometric data, health data, or data about your sexual life). Where you share sensitive information or we use it, then it will be allowed based on how you, as an organisation, have agreed to it. We will process this information on the understanding that you have a Lawful Basis for processing it. This may include explicit consent or substantial public interest, but this will need to be shared by the organisation through the organisation’s Privacy Notice.

What about children’s data?

classroom.cloud is designed to provide organisations with resources to support the curriculum, tools to help with pastoral support and/or tools to support safeguarding. This means that both staff and pupil personal data will be used. We know this and take additional care as a result.

How and why we collect your data

Data protection law means that we can only use your data for certain reasons, where instructed by the organisation and where they have a lawful basis to do so, or where we are required to use it with relevant authorities. As part of the building of classroom.cloud, we have taken this into account and these are the areas we have identified and are likely to be used by your organisation. Where there are differences to our normal list, it is because your organisation has identified something differently, which you can do as Data Controller.

Giving you classroom.cloud and all relevant resources

This means making sure that classroom.cloud gives you all the available tools. This includes access to resources, interactions between teachers and pupils and helping you get assistance.

Lawful basis for this data usage: Public Task/Substantial Public Interest.

Improving classroom.cloud

This means making sure that classroom.cloud is the right tool for you and works as you need it to, including any improvements needed to make sure it continues to be the right tool. This will include technical support and analytical information.

This may also mean taking personal data and anonymising it so that when different people within NetSupport use it, we have protected it as much as we can.

Lawful basis for this data usage: Public Task/Substantial Public Interest.

Here is what each of the “lawful bases” means:

Public Task

This states:

“…processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller”

This means that the organisation, as a public authority, has many things it does with children’s personal data. It has to do these things as it has been told that it needs to do it (by laws, regulations or statutory guidance) or it does the task as it is in the best interest of the children.

Substantial Public Interest

This states:

“…processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject;”

This means that the organisation has taken extra measures to ensure that any information is safe (including having the appropriate policy documents). It also means that the organisation has taken the approach that the use of any ‘sensitive data’ is part of its work on safeguarding children and helping to identify and work with any who are at risk.

Other Lawful Bases

It may be that your organisation has decided it cannot use Public Task and/or Substantial Public Interest. This could be for a variety of reasons. If your organisation is an independent school, then it may be that you are using the contract between the parent and the school as the reason, or you have asked the parent/child for their consent (which has been freely given). Where ‘sensitive data’ is used, then it may be that explicit consent has been given.

Other options are available and the schools or organisations will have checked to see which is most appropriate, including anything needed to keep things safe.

If you are based in the US, then different laws apply to you (COPPA/FERPA). Please make sure you understand any requirements around consent from parents if you have children under 13 using classroom.cloud. Also, NetSupport will refer any requests for student information back to the school.

For all countries, we try to make sure that it is understood that the school or organisation makes the decision and ensures they have the right basis for using any personal data.

Your privacy choices and rights (information for end-users)

We also want to help you be transparent with your data subjects. It is possible to use the initial summary with your data subjects to help them understand how we process data on your behalf. It may be that you also need to provide additional information on rights and choices. We include the additional information that may support this. This is not specifically a part of the Agreement, but additional helpful information.  

How secure is the data we collect?

We have organisational and technical measures in place to safeguard and secure the information we hold, based on standard industry practices. Further information is in our general Request for Information document as part of this DPA, but we prefer not to publicly publish too much security information as a measure to protect our services.  

And please remember:

• Only share personal data where you need to.
• You are responsible for your username and password, so keep them secret and safe!
• If you believe that your privacy has been breached, then contact your Data Protection Officer or follow the guidance your organisation provides.

Where do we store your data?

The personal data we collect is processed at our offices in Peterborough or regional offices, or our platform, which is hosted by Microsoft Azure Services in the UK or US (depending on your geographic location).

By submitting your personal data, you agree to this transfer, storing or processing by us. Limited personal data is transferred or stored outside of the UK or EEA and is detailed below. If we make changes to any transfer of data outside of the UK or EEA, we will notify you, including explaining any steps being taken to ensure that your privacy rights continue to be protected as outlined in this Data Processing Agreement.

For how long do we store your data?

We continue to hold all ‘active’ data (data that has been provided and is linked to active accounts on a verified licence) until the following:

• If your subscription licence has run out and accounts are no longer active, personal data is kept for 30 days, as per this agreement, and then securely deleted.
• We also operate a rolling retention program that retains safeguarding and audit data for 13 months.
• We also operate a rolling retention program that retains activity monitoring software for 90 days. [effective from 2nd July 2023]
• We can extend the length of the rolling backup, but additional agreements and costs may be needed.

Partners (sub-processors) who process your data

Edtech businesses often use contractors and outside companies to help them host their applications, power their support tools, etc. Any company or individual that we use when processing information under this agreement is a “sub-processor”. This means that any agreement or contract we have with them is, at least, as strict as this agreement. We make sure that we are happy that they will also take the same level of care of the personal data you are trusting us with, including checking if they hold any certificates for their work. Any partners mentioned below will be considered to have general authorisation for us to tell them what they need to do  

In the rare circumstance that there is a change to who we work with that significantly affects any existing service you have with us, we will work to give you advance notice. Where a new element of functionality is available from classroom.cloud, this is turned off by default and does not process any of your data. If you want to turn it on, then you will need to check that you are happy with any partners we are using. In these cases, we include information in our release notes and updates to this agreement, plus associated guidance such as our Privacy by Design guide. 

Here are the details of the main sub-processors and service providers; what they collect, process and store; and a general explanation of why.

Infrastructure

Analytics

Integrations (optional)

Comms

How we use cookies

We use cookies. Unless you adjust your browser settings to refuse them, we (and our sub-processors) will issue cookies when you interact with classroom.cloud. These may be session cookies, meaning they delete themselves when you leave classroom.cloud or ‘persistent’ cookies which do not delete themselves and help us to recognise you when you return so we can provide you with a tailored service.

How can I block cookies?

You can block cookies by activating a setting in your browser allowing you to refuse the setting of cookies. You can also delete cookies through your browser settings. If you use your browser to disable, reject, or block cookies (including essential cookies), certain parts of our platform will not function fully. In some cases, our platform may not be available at all. Please note that where sub-processors use cookies, it is also to enable the service to work correctly. This also includes blocking cookies from other systems you want us to integrate with. We do not allow third-parties to set cookies.

Which specific cookies do we use?

Making this DPA great

Well done for getting through this Data Processing Agreement and reviewing everything in it! It is designed to help you best understand what we do, under your instructions. Where you have instructions outside of this agreement, then they will be treated as support or account requests, as long as they do not fundamentally change anything mentioned in this agreement.

N.B. This DPA was built based on an open-source design for Privacy Notices from https://juro.com & https://stefaniapassera.com/. Get these patterns free at github.com/juro-privacy. This DPA pattern is open source and reuse is permitted when using the attributions above. Specific content relating to the service itself may not be reused without the permission of NetSupport.

Further technical information

If you need further technical or operational information, we have also provided a Request for Information document, based on a popular, standardised template. We hope you find this useful as well.

Publication date: 2nd June 2023
Version: 1.7

What’s new

Clarification on the collection and use of personal data for Activity Monitoring and Audit Logs

Update of data retention policy to clarify for Activity Monitoring

Update of data retention policy for Audit Log. [Effective from 2nd July 2023]

[i] Terms of Service 1.1.2 Data Processing Agreement
[ii] Terms of Service 1.1.2.1 Data Subject Rights
[iii] Terms of Service 1.1.2 Data Processing Agreement