GDPR - SIMS Parent Lite Privacy Statement

Capita take care to protect the privacy of customers and users of Capita websites and Products. Set out below is an explanation of how Capita process and manage the information.

  1. Introduction

Capita Education Software Services are fully committed to keeping your information safe.

This privacy notice is to help you understand what information Capita Education Software Services collects, the purpose for which it is collected and who we share the information with.  It also explains the decisions that you can make about your information.

This notice will provide you with the following information:

  • Accountability
  • Who is collecting information about me?
  • What information is transferred?
  • Why are you collecting this information?
  • What is the legal basis for processing the information?
  • Can a Parent request data to not be displayed within SIMS Parent?
  • Where is the data stored?
  • Security of the data stored
  • Where the data is processed
  • What information from sign in providers does Capita receive and store?
  • Is the information received from Third party providers used outside of the sign-in process?
  • What information do sign-in providers receive from Capita?
  • Is there any additional Third Party processing of SIMS data?
  • Cookies Policy

 

For the purposes of this Privacy Notice:

“Information” means either the data held within SIMS Primary application or the School and contact contractual and support information; this will be specified where referred to.
“ESS” means Capita Education Software Services.
“Customer” means the establishment that purchases the service, i.e. individual school, Multi Academy Trust
“Data Controller” refers to the Customer
“Data Processor” refers to ESS
“Data Subject” refers to a living person whose details are recorded in the SIMS application by the Data Controller
“Individual” refers to a person or employee who is associated with a named Customer
“EEA” is the European Economic Area

  1. Accountability

ESS provides you, the customer, with the SIMS Parent Lite service, which enables you to share with Parents school contact information, school term dates, and the option to view and request modification to information held on the student and parent within the core SIMS MIS.

As you are responsible for the information that is entered and maintained in the SIMS Parent service, this makes you, the customer, the Data Controller.  ESS delivers the service that provides you with the ability to store this information and as such does not enter your information into this system for you; this makes ESS the Data Processor.  As a Data Processor, ESS provide a hosted service that includes the application and customer data as well as support services to the customer.

As the Data Controller you are responsible for the information in the SIMS Parent system and must be able to demonstrate compliance with the 8 Principles of the Data Protection Act for the processing of personal information.

ESS must demonstrate the same compliance for any processing of your SIMS Data and School and contact information.

The 8 Principles are detailed on the Information Commissioner's Office website: https://ico.org.uk/for-organisations/guide-to-data-protection/data-protection-principles/

 

  1. Who is collecting information about me?

Capita Education Software Services
Franklin Court 
Priory Business Park
Cardington 
Bedfordshire
MK44 3JZ
01234 838080

Website: www.capita-sims.co.uk

Should you have any queries relating to the collection of your information or about this policy please contact the Capita Data Privacy Officer at privacy@capita.co.uk

  1. What information is transferred?

SIMS Parent depends on data that is held within the SIMS system.  For example, student data is displayed within SIMS Parent to contextualise the application's functionality (e.g. forename, surname, and student / parent relationships).  Selected information is transferred to SIMS Parent periodically, via the SIMS Online Services Client over a secure channel.  The SIMS Online Services Client (school-side) uses client credentials to uniquely identify the school and authorise at the server.

The following data is required to allow the school to invite Parents/Guardians to use SIMS Parent and to display relevant data to parents about their children.  Configurable items will only be stored if they have been enabled by the school administrator:

| Item | Data Fields | Configurable |
|---|---|---|
| Student data | Forename, Surname, Date of Birth, School Photo | No |
| Contacts (Parental Responsibility) | Title, Forename, Surname, Email Addresses, and Addresses | No |
| School Details | Address, Head Teacher, Email Address, Web Site, Phone number | No |
| Contacts (Data Collection) | Title, Forename, Surname, Middle Name, Gender, Relationship, Parental Responsibility, Priority, Telephone Numbers, Email Addresses, Addresses | Yes |

 

  1. Why are you collecting the information?

SIMS Parent Lite is intuitive and informative, providing parents with the ability to view and securely request modification to the data held on them and their children.

The school are able to customise what data is shared and displayed within SIMS Parent via the SIMS Parent Administration Portal.

  1. What is the legal basis for extracting and processing this information?

The contract entered into by the School and Capita allows Capita to extract the data in the above table for the purposes of displaying this information to the Parent.

Schools are able to easily define what data from the above table is displayed to the user within the SIMS Parent Administration Portal. If the School chooses to withdraw information within the SIMS Parent Administration Portal so that it is no longer available via the product to the parent, that specific data category is removed from SIMS Parent services, meaning the data resides on the School’s SIMS database.

  1. Can a Parent request data to not be displayed within SIMS Parent?

Yes, this is managed by the school. The parent is able to contact the school by phone or email via the SIMS Parent product to request removal of access. The School will need to decide if they wish to remove the data from within SIMS, as there are legal implications of doing so based on Statutory Returns.

  1. Where is the data stored?

Data is stored within SIMS Parent in various forms, all using Microsoft Azure data constructs. Information interchange between software services within the applications is protected by a dedicated Secure Token Server (STS), so that access to all data is validated against the access rights of the requesting user.

Data sits within the EEA and is subject to EU model clauses; specifically, data for these services resides in the EU: Ireland and the Netherlands.

  1. Security of the data stored

SIMS Parent Lite is a securely hosted web service, delivered via the web using standard HTTPS TCP/IP protocols. The SIMS Parent application is hosted on a secure and highly scalable managed service, with the main system hosting provided by Microsoft Azure® UK, which is reliable and resilient. Microsoft Windows Azure has G-Cloud Impact Level 2 (IL2) from the Cabinet Office for use across the UK Public Sector. All data is securely stored and processed within the EU and complies with UK data protection standards and requirements.  

Technical hosting and management for SIMS Parent Lite is undertaken fully by Capita on behalf of the establishment, including the provision of all software, maintenance operations, upgrades and background supporting processes. Application security is 256-bit Secure Socket Layer (SSL), point-to-point encryption.

  1. Where the data is processed

The SIMS Parent Lite application is hosted on a secure and highly scalable managed service, with the main system hosting provided by Microsoft Azure® UK, which is reliable and resilient. Microsoft Windows Azure has G-Cloud Impact Level 2 (IL2) from the Cabinet Office for use across the UK Public Sector. All data is securely stored and processed within the EU and complies with UK data protection standards and requirements.  

  1. What information from sign in providers does Capita receive and store?

When a parent user logs into the service using a third-party login via SIMS ID, they are prompted with a consent screen where they consent for their e-mail address and name to be passed to SIMS ID.

The e-mail address and name are passed to SIMS ID but no extended properties are received other than a unique identifier.  The third-party identity provider has no concept of the education establishments that the user is associated with; however, SIMS ID understands the site context, as does Parent App.

In the SIMS ID database we store the e-mail address and a unique identifier, which may or may not be the same as their e-mail address or may be GUIDs (Global Unique Identity that cannot be moved between services). The third-party provider detail may include the parent’s provided name; this is not stored. SIMS ID stores a name associated with the parent from Parent App (SIMS people service).

  1. Is the information received from Third party providers used outside of the sign-in process?

This information is used to associate the third-party account with the SIMS ID identity that is used to authenticate the user to SIMS Parent Lite.  The name from SIMS Parent Lite is displayed to help in identifying correct sign in by the end user.

We do not store the email address provided by the third-party login provider; we do, however, store the email address provided from Parent App during the initial invite process for audit purposes.

  1. What information do sign-in providers receive from Capita?

No data is passed from Capita to the sign-in provider.  We do not send credential information to the third-party provider. The information those service providers already have is freely given and agreed to at the point the user creates an account with the third party and accepts the T&Cs of the provider.

  1. Is there any additional Third Party processing of SIMS data?

SIMS Parent sends reminder notifications using the Apple Push Notification service and the Google Cloud Messaging service.  These notifications contain summary information about Student events.

  1. Cookies Policy

 

SIMS Parent uses a small number of cookies to provide the features in the web site and to help us improve its performance.

If you do not know what cookies are, or how to control or delete them, then we recommend you visit http://www.aboutcookies.org for detailed guidance.

The list below describes the cookies we use on this site and what we use them for:

| Cookie Name | Purpose |
|---|---|
| ai_authUser | This helps us to proactively analyse the performance of the site and its infrastructure |
| ai_session | This helps us to proactively analyse the performance of the site and its infrastructure |
| ai_user | This helps us to proactively analyse the performance of the site and its infrastructure |
| angular-consent.global | Used to track if cookies have been accepted |

Changes to this privacy notice

Capita keep this privacy notice under regular review. This privacy notice was last updated on 04/12/2017