How classroom.cloud’s privacy controls provide flexibility for your school 

Author: Tony Sheppard CIPP/E 

Edtech companies don’t often get the chance to explain how each of their products is designed to support schools’ needs from a privacy point of view. 

Most of the time, any information they do provide is simply to allow Data Protection Officers to tick off things in a risk assessment, make sure that any procurement can be completed, and outline some basic information to go into the school’s Privacy Notice.  

So, we’re going one step further! 

Here, we’ll set out the privacy controls available in classroom.cloud and how those combine with your school’s security needs (one of the data protection principles) to provide peace of mind and help you better understand how to make the most of its tools. 

NetSupport’s role 

As our newest product, classroom.cloud has been able to take on a lot of the feedback we had already received from our other edtech solutions, allowing us to select the best features. 

Due to classroom.cloud being cloud-based and hosted by NetSupport, in the UK, that makes us a Data Processor on behalf of any school or group that uses it. We know and understand how important this is and have tried to improve the transparency about how we support you by publishing a clear Data Processing Agreement to go alongside our Terms of Service. We are always looking at ways we can improve this, so feel free to let us know what you think. 

Let’s look at what we can do within classroom.cloud in terms of privacy and security. 

Ensuring the correct level of staff access

Firstly, we make use of staff user details as part of logging in and giving them access to classes and safeguarding information. What sections of the platform they have access to is up to you. You can do it by the role of the user, by which ‘site’ in the platform, or a mixture.  

There are five roles, which can be combined depending on what you want staff to do – or not to do! 

1. Organisation Admin – This is the highest level of access, allowing the user complete control over all sites and all functions, including safeguarding and inventory. This is typically given to your senior technical members of staff, who have responsibilities for installation of software, management of accounts and integration with different systems. It is a highly trusted role.
    

1. Site Admin – This allows access to all configurations and settings within a specific ‘site’. If you are a MAT or have structured the organisation of the platform to separate out areas of your school(s), you can give access just to that site or groups of sites. This does not cover safeguarding, so it’s a handy way to let some technical staff manage the platform without providing access to any safeguarding functionality. It does include the Technician role and functions.
    

1. Teacher – This allows teachers to be able to deliver teaching and learning within allocated sites. Again, this means that you can control which devices these staff can or cannot connect to, keeping things secure between different sites. Teachers can be allocated to one or multiple sites.
    

1. Safeguarding Admin – This is an organisational role, allowing full access and control of the safeguarding functionality. This can be a role on its own or combined with that of a Site Admin or a Teacher.
    

1. Safeguarding User – Similar to Site Admin, this allows access to Safeguarding functionality for specific sites. This can be a role on its own or combined with that of Site Admin or Teacher. Where it is combined with either of these roles, the sites the Safeguarding User has access to will align with those already set for the Site Admin or Teacher role. 

1. Technician – Similar to Teacher, there is functionality that is designed for the specific role of a Technician. This allows a user to only have remote access and information from within the inventory, and only for specified sites. This also ensures you have a role that does not have the administrative control of sites or the wider organisation. As additional functionality is added, some will be targeted at the Technician role. 

By allowing individual roles, a combination of roles and the delegation to look at specified sites, we have aimed to provide schools with more flexibility on controlling staff access to classroom.cloud. This is key to ensure that staff only have access to the areas and information required for their jobs.  

SIS integration

Many schools already have platforms that help manage which students are in which classes, and which staff are designated as teachers or other roles. This could be Microsoft 365, Google Workspace, Clever or ClassLink. By integrating with these systems, classroom.cloud can ensure that the right students are grouped together and which staff can run those classes.  

 Controlling connection times and locations

When we look at how we connect to devices or gather safeguarding information from them, we provide a range of options. As there is an increase in using mobile devices with learners, whether laptop schemes or BYOD, schools must take into consideration when and where the device and the learner may be at any given time. Where a device is fixed within a classroom or a laptop trolley, remaining in school all the time, there is little need to change anything to consider devices not on-site. However, a student-owned/controlled device needs some careful management. 

You can decide whether there are any dates when you don’t want staff connecting to student devices for lessons. Typically, this will be excluding the date ranges for holidays, whether half-terms, Christmas, Easter or Summer, or maybe inset days and Bank Holidays. You can also exclude days of the week, and also set classroom.cloud to only connect at given times, maybe between 8.30am and 3.30pm, depending on the school day. 

This gives enough flexibility so that teachers can still include learners in a class when they are learning at home, but not outside of school hours. It may be that you don’t want to connect to students at home at all, and so you could restrict the connections to IP ranges, only allowing connections when a device is on the school IP range.  

For some device types (e.g., Windows), you can even specify that you can only connect when on a particular wireless network. You can set it so that the learner has to grant access to the teacher before the learner’s device joins a lesson – and, likewise, you can set it so that if the teacher wants to operate the remote control, access has to be granted by the learner. 

In the same way, there are privacy controls for the safeguarding functionality. Depending on the school’s approach to safeguarding, you might only want to monitor devices when in school, or during school term time, or simply during the school day. These are all decisions that your school can take based on your particular circumstances.  

Controlling where and who we monitor

There will always be occasions when one size definitely does not fit all. This also applies to making decisions about groups of children who may need particular care and support for a range of reasons, or where you take a more relaxed approach due to age or competency, or where anyone in the group might be working.  

By using Safeguarding Groups, you have control over how, when and where you make use of the safeguarding tools. The groups allow you to build the criteria you want, whether by prefix of device name, AD user group, email address, public IP range and more – and in any combination . For that group, you can then have a specific approach for how you use the safeguarding tools; adding or removing particular keywords or phrases or perhaps making changes that are more appropriate or targeted than in the default organisation or site settings. In short, this now gives you more granular options and keeps you, the school, in control. 

Empowering your students 

We have always tried to be at the forefront of making sure EdTech solutions help children and young adults. Transparency about monitoring and support has always been an essential part of this, but equally, we need to ensure they have a voice.  

The Report a Concern tool gives them the opportunity to speak out, allowing them to discreetly share an issue with a nominated member of staff. You can choose whether to apply this functionality across your entire organisation or just selected sites – and even notify additional members of staff when a new concern is reported (e.g., a head teacher or school principal for monitoring purposes). 

Integrating with the existing online safety toolkit, the Report a Concern function increases your ability to support users in your organisation by giving them the tools to help them stay safe. 

Flexibility and security for your school

The risk assessment (DPIA) a school would undertake when looking at tools such as classroom.cloud should look at and consider these areas, and we hope we have provided sufficient options to allow your school to make choices that are healthy for your learners and supportive of your staff – and to maximise the benefits for learning and safeguarding. 

Combined with the clear information from the Data Processing Agreement around using best of breed cloud solutions for security and resilience, a careful approach to data minimisation and data retention, and ensuring that we only work with tried and trusted partners as sub-processors to ensure personal data is only processed as instructed by you, we think we have really changed the way edtech vendors should be helping and supporting schools around privacy and security. 

If you need any more help or information on any of these points, please contact us. 

July 22 

V1.1 – updated to include information on the role of Technician 

V1.2 – updated to cover Safeguarding Groups and Report a Concern 

About the author
Tony Sheppard CIPP/E is an experienced education technician, school senior leader, governor, EdTech consultant, Data Protection Officer and  privacy professional. Tony is also the Information Governance Lead at NetSupport.