EIS Privacy Notice

EiS (Educational Informational Services) is a leading supplier of ICT services to schools and a division of Kent County Council. EiS collects, uses and is responsible for certain personal information about you. When we do so we are regulated under the General Data Protection Regulation (GDPR). GDPR applies across the European Union, including in the United Kingdom. EiS are responsible as ‘controller’ of that personal information for the purposes of GDPR. Our Data Protection Officer is Benjamin Watts.

This privacy statement explains what personal data we collect from our customers to provide our services and what we do with that information.

Please read this statement carefully to understand how we use the personal and sensitive information that we collect. Some data is necessary to enable us to provide our services.

To make the information easy to understand, this privacy notice has been structured around our support processes and each of our services. It is broken down into the following sections:

  • Legal Basis for Processing Data
  • Support Processes
  • Service Contracts
  • Sales and Marketing
  • Your Rights
  • Keeping Your Personal Information Secure
  • Who to Contact

Who we share information with

Other than as specified below, we may share your personal data with law enforcement or other authorities if required by applicable law. We may share data with our professional advisers and with potential purchasers of some or all of our business in the event of a restructure (usually information will be anonymised, but this may not always be possible).

Legal Basis for Processing Personal Data

We rely on our legitimate interests where we are using data for reasons that are outside of the scope of our tasks as a public authority. In particular, we rely on our commercial interests in providing services to key public-sector customers.

Our legitimate interests and the legitimate interests of our customers are the provision of an efficient service.  The processing identified in each of the following areas is the minimum necessary to achieve our stated aims and we consider the personal data we process is no more than what you would reasonably expect in the context of our service contracts.  

We will also process your data where it is necessary for compliance with a legal obligation or where it is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity. 

Support Processes

1.      Service Desk

When you contact our service desk for support we will collect some information about you and your employer, which we may need to verify with your employer.

We collect: This will include contact information like your name, job title, email address, contact numbers and job functions within your organisation.

Who do we share your data with: Nobody

Why: We collect this information to be able to give you an excellent customer support experience.

How long do we keep your data:  If you have not contacted us for a year we will delete your personal information. Once your organisation is no longer a customer, we will delete all the information we hold within 90 days. 

2.      Remote Support Procedures

When you need remote support, you will need to enter a code provided by the support agent to accept a remote support connection. By entering the code, you are taking responsibility for the information that is on view on your device. That may include personal or personal sensitive information.

We collect: Your unique randomly generated one-time-use code and general information about the nature of the support request. No personal data that appears on your screen will be recorded or collected by support staff during these remote support sessions.

Who do we share this information with: Nobody.

Why: We collect this information to help resolve problems.

How long do we keep your data: Remote support session details including one-time-use codes are logged for a period of 90 days. After 90 days they are automatically deleted.

3.      Support Call Screenshots

We collect: the screenshots you send us to assist with diagnosing support problems. These screenshots may include personal data. However, we strongly encourage you to obscure this information.

Who do we share this information with: We may share this information with Capita, the developer of the SIMS (School Information Management System), but will obscure any personal information if you have not done so.

Why: This information is required to help with problem resolution.

How long do we keep your data:  The screenshots are not stored.

4.      Annual Data Review

We store: EIS will conduct an annual data review of your employer’s contact information which allows your employer to review the contact data we hold and submit changes.

Why: We do this to help keep our records up to date.

Who we share this with: We share these details with our customers when we ask them to review their contact information.

How long we store your information: If your employer is no longer a customer, we will delete all the information we hold within 90 days.  We will remove contact details as instructed by our customers.    

Service Contracts

All Services

We collect: A contact name, email address and contact phone numbers.

Why: We need this information to inform you about changes to the service and to communicate with you about reported problems.

How long do we keep your data: Data is deleted within 90 days of a contract ending.

Additional information collected by each service or any change from our storage duration is detailed below.

Kent Learning Zone (KLZ)

We collect: Staff, student and parent names, email addresses, contact numbers and Unique Pupil Numbers (UPN)/Unique Teacher Numbers (UTN). We additionally collect student date of birth, year group and registration class information. We also collect the school DfE (Department for Education) number.

Why: We gather this information to be able to provide the KLZ service. Names are used to automatically provision user accounts. Email addresses and contact numbers are used to provide the Home Connect function to be able to send text messages and emails to parents. Year group and registration class is used to automatically provision security group membership. UPN/UTN and school DfE numbers are used to provide unique references to identify schools and users.

We share your data with: Microsoft as a result of our use of Office 365. We may transfer your personal information to the United States.  There is an EU approved mechanism in place to safeguard your information, namely an agreement between us and Microsoft that incorporates the European Commission standard contractual clauses as permitted under Article 46 of the GDPR.  Office 365 is also verified to meet the requirements specified in ISO 27001. Here is their privacy policy: https://products.office.com/en-gb/business/office-365-trust-center-privacy

How long do we keep your data: Data is deleted within 90 days of a contract ending.

Schools Broadband

We collect: IP addresses, service port numbers, Active Directory information and staff names and email addresses.

Why: We need this information to inform customers about changes to the service and to communicate with customers about reported problems. The additional technical information is required to deliver broadband services. Firewall logging captures IP addresses and port information. Internet filtering requires IP addresses and active directory information for group membership. VPN access requires use of staff names and email addresses.

We share your data with: Nobody.  

How long do we keep your data: Data is deleted within 90 days of a contract ending.

SIMS and Admin Support

We collect: A contact name, email address and contact phone numbers.

Why: We need this information to inform customers about changes to the service and to communicate with customers about reported problems.

We share your data with: Capita Group PLC (UK based) to help us resolve incidents and problems. Find out more about SIMS and GDPR: https://www.capita-sims.co.uk/gdpr

How long do we keep your data: Data is deleted within 90 days of a contract ending.

SIMS Personnel Update Service

We collect: Customers send work requests electronically to EIS which contain personal information including personnel records.

Why: The transferred electronic work requests are required to provide the service and allow EIS to update the SIMS system remotely acting as a data processor.

How long do we keep your data: We keep the work requests for an academic year to provide an audit trail of work should it be required to support workforce census return enquiries.

We share your data with: Microsoft, as a result of our use of Office 365 to store work requests. We may transfer your personal information to the United States.  There is an EU approved mechanism in place to safeguard your information, namely an agreement between us and Microsoft that incorporates the European Commission standard contractual clauses as permitted under Article 46 of the GDPR.  Office 365 is also verified to meet the requirements specified in ISO 27001. Here is their privacy policy: https://products.office.com/en-gb/business/office-365-trust-center-privacy  

Mobile Device Management

We collect: User names and email addresses.

Why: The user names and email addresses are used to assign software to devices and are required to deliver the service.

How long do we keep your data: Data is deleted within 90 days of a contract ending.

Remote Backup Service

We collect: A daily set of customer data as a data processor which may contain personal and sensitive data. The data is encrypted during transit and whilst we store it, and is not visible to us.

Why: The encrypted data sets are required to provide the service. 

We share your data with:  Nobody

How long do we keep your data: Data is deleted within 90 days of a contract ending. 

Virtual Infrastructure

We collect: Active Directory information.

Why: Active Directory information is automatically synchronised with our central Active Directory to provide single sign on services to cloud based services.

We share your data with: Microsoft as a result of our use of Office 365. We may transfer your personal information to the United States.  There is an EU approved mechanism in place to safeguard your information, namely an agreement between us and Microsoft that incorporates the European Commission standard contractual clauses as permitted under Article 46 of the GDPR.  Office 365 is also verified to meet the requirements specified in ISO 27001. Here is their privacy policy: https://products.office.com/en-gb/business/office-365-trust-center-privacy.

How long do we keep your data: Data is deleted within 90 days of a contract ending.

WordPress Websites

We collect: No personal data is collected. We only provide a hosting service to our customers and are the data processor.

We share your data with: Nobody

How long do we keep your data: Data is deleted within 90 days of a contract ending.

Sales and Marketing

We collect:  Your name, email address and contact numbers. We rely on your consent to collect and process your personal data for this purpose.

Why: We use this information to provide you with information about our other products and services which we think may be of interest to you.

How long do we keep your data: We have processes in place to regularly review our contact information and you are free to opt out at any time. All our communications to you will include a link to opt out of further sales and marketing emails.

We share your data with: We do not share your data with any organisation outside of the KCC Group.

Sending data outside of the EEA

We will only send your data outside of the European Economic Area (‘EEA’) to:

  • Follow your instructions.
  • Comply with a legal duty.
  • Work with our agents and advisers who we use to help run your accounts and services.

If we do transfer information to our agents or advisers outside of the EEA, we will make sure that it is protected in the same way as if it was being used in the EEA. We’ll use one of these safeguards:

Your Rights

Under the GDPR you have several rights which you can access free of charge which allow you to:

  • Know what we are doing with your information and why we are doing it
  • Ask to see what information we hold about you
  • Ask us to correct any mistakes in the information we hold about you
  • Object to direct marketing
  • Make a complaint to the Information Commissioner's Office

Depending on our reason for using your information you may also be entitled to:

  • Ask us to delete information we hold about you
  • Have your information transferred electronically to yourself or to another organisation
  • Object to decisions being made that significantly affect you
  • Object to how we are using your information
  • Stop us using your information in certain ways

We will always seek to comply with your request; however, we may be required to hold or use your information to comply with legal duties. Please note: your request may delay or prevent us delivering a service to you.

For further information about your rights, including the circumstances in which they apply, see the guidance from the UK Information Commissioner's Office (ICO) on individuals’ rights under the General Data Protection Regulation.

If you would like to exercise a right, please contact the Information Resilience and Transparency Team at data.protection@kent.gov.uk.

 

Keeping your personal information secure

We have appropriate security measures in place to prevent personal information from being accidentally lost or used or accessed in an unauthorised way. We limit access to your personal information to those who have a genuine business need to know it. Those processing your information will do so only in an authorised manner and are subject to a duty of confidentiality.

We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.

Who to Contact

Please contact the Information Resilience and Transparency Team at data.protection@kent.gov.uk to exercise any of your rights, or if you have a complaint about why your information has been collected, how it has been used or how long we have kept it for.

You can contact our Data Protection Officer, Benjamin Watts, at dpo@kent.gov.uk.

The General Data Protection Regulation also gives you the right to lodge a complaint with a supervisory authority. The supervisory authority in the UK is the Information Commissioner who may be contacted at https://ico.org.uk/concerns or telephone 03031 231113.