What data is being accessed from our systems? Please detail fields and a description of the data.
Why is this data required?
Is this data shared with other third parties?
Is the data encrypted when it leaves our site?
How long is the data held on your systems for?
Where is the data located geographically?
Who can view the data?
What is your procedure if consent is withdrawn for data?
Do you have a GDPR policy or document that you can send us?
Data that is held or processed by realsmart:
UPN (students only)
Staff code (staff only)
MIS ID (unique id for each user in your MIS)
User type (admin, mentor or learner)*
Title (staff only)
Username (usually generated via username policy)*
Password (only stored as an encrypted hash, not accessible)
Year (taught in)
List of group names the user is a member of (usually class / teaching groups)
House (school house, if used)
Admission number (from MIS)
Legal Forename (if required)
Legal Surname (if required)
*this data only applies to realsmart services and products
This data is required for us to uniquely identify your users in our applications. It is also needed to provide services to students and staff as identified in our Terms and Conditions.
Some of this data is shared with Google to provide features of G Suite for Education (formerly Google Apps for Education). This is limited to:
List of groups each user is a member of
We do not share data with any other third parties for any purpose.
All data is encrypted during transmission from your MIS to ourselves or third parties.
Live data is held by realsmart for the duration of the contract plus 28 days. Data is held in an offline backup for a further 28 days. Data of users (staff or students) who leave the school is usually held live for a maximum of 60 days (unless requested otherwise) plus an offline backup for a further 28 days.
Currently all our user data is held within the European Union in accordance with the GDPR guidelines.
Data can be viewed by support and technical staff as required to provide support to our users and improve our services.
Notice of withdrawal of consent must be received from a named contact at the school. Live data will be removed as soon as is practical, offline backups will take longer to remove but will be removed within a maximum of 28 days. Removal of consent to store/process personal data will mean that realsmart services will not be available to that user.
We have not yet completed our GDPR policy. Our latest statement on GDPR preparation is below.
GDPR, General Data Protection Regulation, is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union. It comes into effect on May 25, 2018. It replaces the 1995 EU Data Protection Directive enacted in UK law as the Data Protection Act 1998 with which realsmart are fully compliant.
We understand that GDPR compliance is a shared responsibility. At realsmart we believe in high standards of information security, privacy and transparency. When enforcement begins on May 25, 2018 realsmart are committed to compliance with the GDPR across all versions of our suite of products. We are currently working on the changes that are necessary across the business. We'll make important updates to contractual commitments that directly address GDPR requirements.
Further updates on our progress will be regularly communicated.