EIS Privacy Notice

EIS is part of Cantium Business Solutions, a company owned by Kent County Council. EiS collects, uses and is responsible for certain personal information about you. When we do so we are regulated under the General Data Protection Regulation (GDPR). GDPR applies across the European Union, including in the United Kingdom. EiS are responsible as ‘controller’ of that personal information for the purposes of GDPR. Should you have any questions about this privacy notice please contact our Data Protection Officer, iSystems at dataprotection@cantium.solutions

This privacy statement explains what personal data we collect from our customers to provide our services and what we do with that information.

Please read this statement carefully to understand how we use the personal and sensitive information that we collect. Some data is necessary to enable us to provide our services.

To make the information easy to understand, this privacy notice has been structured around our support processes and each of our services. It is broken down into the following sections:

  • Legal Basis for Processing Data
  • Support Processes
  • Service Contracts
  • Sales and Marketing
  • Your Rights
  • Keeping Your Personal Information Secure
  • Who to Contact

Who we share information with

Other than as specified below, we may share your personal data with law enforcement or other authorities if required by applicable law. We may share data with our professional advisers and with potential purchasers of some or all of our business in the event of a restructure (usually information will be anonymised, but this may not always be possible).

Legal Basis for Processing Personal Data

We rely on our legitimate interests where we are using data for reasons that are outside of the scope of our tasks as a public authority. In particular, we rely on our commercial interests in providing services to key public-sector customers.

Our legitimate interests and the legitimate interests of our customers are the provision of an efficient service.  The processing identified in each of the following areas is the minimum necessary to achieve our stated aims and we consider the personal data we process is no more than what you would reasonably expect in the context of our service contracts.  

We will also process your data where it is necessary for compliance with a legal obligation or where it is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity. 

Support Processes

  1. Service Desk

When you contact our service desk for support we will collect some information about you and your employer, which we may need to verify with your employer. Information may be provided by means including online forms, email, telephone, post, live chat and virtual agent functionality.

We collect: This will include contact information like your name, job title, email address, contact numbers and job functions within your organisation.

Who do we share your data with: Nobody

Why: We collect this information to be able to give you an excellent customer support experience.

How long do we keep your data:  We will not hold your personal information for longer than is reasonably necessary in providing the service or as is required by law. Upon expiry, any personal data which we are not legally obliged to retain, will be securely destroyed.

  2. Remote Support Procedures

When you need remote support, you will need to enter a code provided by the support agent to accept a remote support connection. By entering the code, you are taking responsibility for the information that is on view on their device. That may include personal or personal sensitive information.

We collect: Your unique randomly generated one-time-use code and general information about the nature of the support request. No personal data that appears on your screen will be recorded or collected by support staff during these remote support sessions.

Who do we share this information with: Nobody.

Why: We collect this information to help resolve problems.

How long do we keep your data:  We will not hold your personal information for longer than is reasonably necessary in providing the service or as is required by law. Upon expiry, any personal data which we are not legally obliged to retain, will be securely destroyed.

  3. Support Call Screenshots

We collect: the screenshots you send us to assist with diagnosing support problems. These screenshots may include personal data. However, we strongly encourage you to obscure this information.

Who do we share this information with: We may share this information with Capita, the developer of SIMS (School Information Management System), but will obscure any personal information if you have not done so.

Why: This information is required to help with problem resolution.

How long do we keep your data:  The screenshots are not stored.

  4. Annual Data Review

We store: EIS will conduct an annual data review of your employer’s contact information which allows your employer to review the contact data we hold and submit changes.

Why: We do this to help keep our records up to date.

Who we share this with: We share these details with our customers when we ask them to review their contact information.

How long do we keep your data:  We will not hold your personal information for longer than is reasonably necessary in providing the service or as is required by law. Upon expiry, any personal data which we are not legally obliged to retain, will be securely destroyed.

Service Contracts

All Services

We collect: A contact name, email address and contact phone numbers.

Why: We need this information to inform you about changes to the service and to communicate with you about reported problems.

How long do we keep your data:  We will not hold your personal information for longer than is reasonably necessary in providing the service or as is required by law. Upon expiry, any personal data which we are not legally obliged to retain, will be securely destroyed.

Additional information collected by each service or any change from our storage duration is detailed below.

Kent Learning Zone (KLZ)

We collect: Staff, student and parent names, email addresses, contact numbers and Unique Pupil Numbers (UPN)/Unique Teacher Numbers (UTN). We additionally collect student date of birth, year group and registration class information. We also collect the school DfE (Department for Education) number.

Why: We gather this information to be able to provide the KLZ service. Names are used to automatically provision user accounts. Email addresses and contact numbers are used to provide the Home Connect function to be able to send text messages and emails to parents. Year group and registration class is used to automatically provision security group membership. UPN/UTN and school DfE numbers are used to provide unique references to identify schools and users.

We share your data with: Microsoft as a result of our use of Office 365. We may transfer your personal information to the United States.  There is an EU approved mechanism in place to safeguard your information, namely an agreement between us and Microsoft that incorporates the European Commission standard contractual clauses as permitted under Article 46 of the GDPR.  Office 365 is also verified to meet the requirements specified in ISO 27001. Here is their privacy policy: https://products.office.com/en-gb/business/office-365-trust-center-privacy

How long do we keep your data:  We will not hold your personal information for longer than is reasonably necessary in providing the service or as is required by law. Upon expiry, any personal data which we are not legally obliged to retain, will be securely destroyed.

Schools Broadband

We collect: We collect IP addresses, service port numbers, active directory information and staff names and email addresses.

Why: We need this information to inform customers about changes to the service and to communicate with customers about reported problems. The additional technical information is required to deliver broadband services. Firewall logging captures IP addresses and port information. Internet filtering requires IP addresses and active directory information for group membership. VPN access requires use of staff names and email addresses.

We share your data with: Nobody.  

How long do we keep your data:  We will not hold your personal information for longer than is reasonably necessary in providing the service or as is required by law. Upon expiry, any personal data which we are not legally obliged to retain, will be securely destroyed.

SIMS and Admin Support

We collect: A contact name, email address and contact phone numbers.

Why: We need this information to inform customers about changes to the service and to communicate with customers about reported problems.

We share your data with: Capita Group PLC (UK based) to help us resolve incidents and problems. Find out more about SIMS and GDPR: https://www.capita-sims.co.uk/gdpr

How long do we keep your data:  We will not hold your personal information for longer than is reasonably necessary in providing the service or as is required by law. Upon expiry, any personal data which we are not legally obliged to retain, will be securely destroyed.

SIMS Personnel Update Service

We collect: Customers send work requests electronically to EIS which contain personal information including personnel records.

Why: The transferred electronic work requests are required to provide the service and allow EIS to update the SIMS system remotely acting as a data processor.

How long do we keep your data:  We will not hold your personal information for longer than is reasonably necessary in providing the service or as is required by law. Upon expiry, any personal data which we are not legally obliged to retain, will be securely destroyed.

We share your data with: Microsoft, as a result of our use of Office 365 to store work requests. We may transfer your personal information to the United States.  There is an EU approved mechanism in place to safeguard your information, namely an agreement between us and Microsoft that incorporates the European Commission standard contractual clauses as permitted under Article 46 of the GDPR.  Office 365 is also verified to meet the requirements specified in ISO 27001. Here is their privacy policy: https://products.office.com/en-gb/business/office-365-trust-center-privacy  

Mobile Device Management

We collect: User names and email addresses.

Why: The user names and email addresses are used to assign software to devices and are required to deliver the service.

How long do we keep your data:  We will not hold your personal information for longer than is reasonably necessary in providing the service or as is required by law. Upon expiry, any personal data which we are not legally obliged to retain, will be securely destroyed.

Remote Backup Service

We collect: A daily set of customer data as a data processor, which may contain personal and sensitive data. The data is encrypted during transit and whilst we store it, and is not visible to us.

Why: The encrypted data sets are required to provide the service. 

We share your data with:  Nobody

How long do we keep your data:  We will not hold your personal information for longer than is reasonably necessary in providing the service or as is required by law. Upon expiry, any personal data which we are not legally obliged to retain, will be securely destroyed.

Virtual Infrastructure

We collect: Active Directory information.

Why: Active Directory information is automatically synchronised with our central Active Directory to provide single sign on services to cloud based services.

We share your data with: Microsoft as a result of our use of Office 365. We may transfer your personal information to the United States.  There is an EU approved mechanism in place to safeguard your information, namely an agreement between us and Microsoft that incorporates the European Commission standard contractual clauses as permitted under Article 46 of the GDPR.  Office 365 is also verified to meet the requirements specified in ISO 27001. Here is their privacy policy: https://products.office.com/en-gb/business/office-365-trust-center-privacy.

How long do we keep your data:  We will not hold your personal information for longer than is reasonably necessary in providing the service or as is required by law. Upon expiry, any personal data which we are not legally obliged to retain, will be securely destroyed.

WordPress Websites

We collect: No personal data is collected. We only provide a hosting service to our customers and are the data processor.

We share your data with: Nobody

How long do we keep your data:  We will not hold your personal information for longer than is reasonably necessary in providing the service or as is required by law. Upon expiry, any personal data which we are not legally obliged to retain, will be securely destroyed.

Sales and Marketing

We collect:  Your name, email address and contact numbers. We rely on your consent to collect and process your personal data for this purpose.

Why: We use this information to provide you with information about our other products and services which we think may be of interest to you.

How long do we keep your data: We have processes in place to regularly review our contact information and you are free to opt out at any time. All our communications to you will include a link to opt out of further sales and marketing emails.

We share your data with: We do not share your data with any organisation outside of the KCC Group.

Sending data outside of the EEA

We will only send your data outside of the European Economic Area (‘EEA’) to:

  • Follow your instructions.
  • Comply with a legal duty.
  • Work with our agents and advisers who we use to help run your accounts and services.

If we do transfer information to our agents or advisers outside of the EEA, we will make sure that it is protected in the same way as if it was being used in the EEA. We’ll use one of these safeguards:

  • Transfer it to a non-EEA country with privacy laws that give the same protection as the EEA. Learn more on the European Commission Justice website.
  • Put in place a contract with the recipient that means they must protect it to the same standards as the EEA. Read more about this on the European Commission Justice website.

How we use your information to make automated decisions

An automated decision is where an electronic system makes a decision using personal information without human intervention (e.g. monitoring your online activities and emails or events which trigger actions such as your sickness absence triggering our capability policy).  This helps us to make sure our decisions are quick, fair, efficient and correct, based on what we know.  These automated decisions can affect the services we may offer you now or in the future.

 

Automated decision making is allowed in the following circumstances:

 

  1. Where we have notified you of the decision and given you 21 days to request a reconsideration.
  2. Where it is necessary to fulfil our contractual obligations and requirements and appropriate measures are in place to safeguard your rights.  
  3. In limited circumstances, with your explicit consent and where appropriate measures are in place to safeguard your rights.  

 

If an automated decision is made, based on any particularly sensitive personal information, we must have either your explicit written consent or it must be justified in the public interest, and we must put in place appropriate measures to safeguard your rights.

 

Your Rights

Under the GDPR you have several rights which you can access free of charge which allow you to:

  • Know what we are doing with your information and why we are doing it
  • Ask to see what information we hold about you
  • Ask us to correct any mistakes in the information we hold about you
  • Object to direct marketing
  • Make a complaint to the Information Commissioner’s Office

Depending on our reason for using your information you may also be entitled to:

  • Ask us to delete information we hold about you
  • Have your information transferred electronically to yourself or to another organisation
  • Object to decisions being made that significantly affect you
  • Object to how we are using your information
  • Stop us using your information in certain ways

We will always seek to comply with your request; however, we may be required to hold or use your information to comply with legal duties. Please note: your request may delay or prevent us delivering a service to you.

For further information about your rights, including the circumstances in which they apply, see the guidance from the UK Information Commissioner’s Office (ICO) on individuals’ rights under the General Data Protection Regulation.

If you would like to exercise a right, please contact dataprotection@cantium.solutions.

Keeping your personal information secure

We have appropriate security measures in place to prevent personal information from being accidentally lost or used or accessed in an unauthorised way. We limit access to your personal information to those who have a genuine business need to know it. Those processing your information will do so only in an authorised manner and are subject to a duty of confidentiality.

We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.

Who to Contact

Please contact dataprotection@cantium.solutions to exercise any of your rights, or if you have a complaint about why your information has been collected, how it has been used or how long we have kept it for.

You can contact our Data Protection Officer, iSystems, at dataprotection@cantium.solutions.

The General Data Protection Regulation also gives you the right to lodge a complaint with a supervisory authority. The supervisory authority in the UK is the Information Commissioner, who may be contacted at https://ico.org.uk/concerns or by telephone on 03031 231113.