Emerge Data Sharing Agreement

Table of Contents

Introduction

This document explains the safeguarding and security of data shared using the Emerge App. This document forms our Data Sharing Agreement (DSA) with you and is part of your contract with us. By ordering the Groupcall Emerge App your confirm that you understand and accept this agreement and acknowledge that your school will need to implement your own organisational policies based around the advice below.

What is Emerge?

The Groupcall Emerge App is an app which enables schools to have a mobile and offline copy of their core MIS data instantly and securely available in the palm of their hand.

The Emerge App is the solution for users to access information when and wherever it is needed i.e. in an emergency where the school system may be down or access to the school is restricted, thus ensuring staff and student safety is paramount always.

Emerge comprises of two elements or ‘pieces’ of software. The Emerge Device software (the App) and the Emerge Server software installed on your MIS server or other server operated by the school or academy, or operated by a third-party provider, LA or MAT.

Emerge Device Software

This is the app that will need to be installed on each of the devices that will run Emerge.  The Emerge Device Software communicates with the Emerge Server to receive and send MIS information.  Devices are authorised for access to the Emerge Server by user:device pairs and require a valid password to decrypt data.  The security and lifecycle of data while on the device is discussed further into this document.

Emerge Server Software

The Emerge Server Software talks to your MIS system extracting student and staff information that it then transfers to authorised Emerge App user:device pairs as they request it.  The Server software is configured using the 'Emerge Management Console' and can link to your local Active Directory to provide simplified sign on for your staff users.  The Emerge Server also manages policies regarding handling of new user:device pairs to enable your preference of how to balance security and business requirements to best suit your organisation.  The Emerge Server provides several user profiles for different types of users.

Emerge Data Movement Overview

The Groupcall Emerge Management Console operates in a layer above the Management Information System (MIS) and Emerge interfaces with the MIS through Groupcall Xporter.

Emerge App Diagram

Click image to expand.

Safely Managing Personal Data on Mobile Devices

Groupcall Emerge takes multiple reasonable measures to securely cache Personal Information on mobile devices, however as a mobile app Groupcall Emerge is ultimately subject to the same security constraints and limitations of mobile platforms that serve to protect apps from other apps and from malicious actors with access to the device.

Because of this, Emerge must form part of a multi-layer security stack to protect personal information and Groupcall strongly advise that your authorisation of the Emerge app for any user:device pair is made subject to your own organisational policies regarding the security and management of those devices.

Where mobile devices are used in education they are rarely used for a single purpose and so your organisational policies should encompass all aspects of device usage and management, such as email and shared file access, social media usage, internal communications tools, cameras (for example recording examples of good work) and other education support apps like, but not limited to, Emerge.

Your own organisational policies should include:

  • How do you continually verify and audit that a device meets your organisation minimum security requirements, including minimum hardware and software versions and enabled native device encryption?
  • How do you verify and enforce that a device is being automatically updated in a timely manner when new software versions are made available for the OS and for the apps that you use?
  • How do you verify that the device is not being used by other unauthorised individuals?
  • How do you determine the current location of the device or provide a remote erase instruction to a device?
  • How do you ensure that unauthorised attempts to access personal data on a device result in the device being erased?
  • What cloud accounts and systems does the device connect to? Does the device sync any personal data to those cloud accounts and systems?  How do you manage the lifecycle of those cloud accounts and systems to ensure control over movement of personal data?
  • How do you securely dispose of end of life devices and remove any personal data from them?
  • How do you manage the lifecycle of logins to various apps and the authorisation of users to use apps on specific devices?

As an app constrained by sandboxing and other platform security technologies Emerge cannot address all these problems, but it does provide tools to assist where technologically possible.

For example:

  • Where a user is removed from the Emerge Management Console, and their AD account is disabled if applicable, then the app will block access. The app may detect this over mobile data if permitted and in the background if permitted.  If not via background and/or mobile then the detection will not be made until the user next attempts to open and use the app at which point they will be logged out.
  • If a user repeatedly enters their PIN or password incorrectly then the app will auto-delete it’s data and log out. The maximum allowance is 5 attempts.
  • The app is also configured to challenge periodically for a full password rather than local PIN code, on a timescale that you can configure in the Emerge Management Console. This validation does not require a server connection.
  • After a period of non-connection to the Emerge Server the app will block access until reconnected, where this period is defined in the Emerge Management Console.
  • If connected to Active Directory then subject to a maximum 24 hour caching limit, Emerge Server will disable Emerge access for a user that is disabled in Active Directory.

Groupcall strongly recommend that you use a mature and well-recognised tool for such device management, for example Apple School Manager, Microsoft InTune or Google Admin Console, and that your devices and users are managed as part of an Apple, Microsoft or Google organisational tenancy.

The above table shows the maximum available datasets that can be accessed using Emerge. The level of access to these datasets will depend upon user privileges as determined by the school. This applies to the latest release of Emerge and may vary with previous versions.

By accepting this DSA you, as the Data Controller, agree to Groupcall acting as Data Processor of the aforementioned Personal Information for use in Groupcall Emerge.

It is for schools to ensure that, as Data Controllers, they have the ability to share data using Groupcall Emerge and that they consider there to be appropriate measures in place to ensure that the data is held securely and confidentially, including staff awareness and device policies.

For a more detailed explanation of what constitutes Personal Information and the roles and responsibilities of people responsible for data, please see our Data Privacy Summary.

Groupcall has taken all reasonable measures to ensure the safety and security of data in Emerge, including Personal Information.  We have processes in place, in line with ITILv3 guidance for Continual Service Improvement, to ensure that all reasonable measures are taken to maintain compliance with relevant parts of applicable data protection legislation such as the GDPR, DPA 2018 and any successors to these.

Encryption and transfer of data

Like any technical implementation, Groupcall and the Emerge App rely on a multi-layer stack of protective mechanisms utilising established technologies provided by mobile vendors and those that form part of our own mature application stack.

This includes:

  • Use of proven platform specific encryption technologies such as iOS and Android encryption
  • Use of device and user identifiers to whitelist devices authorised for transfer
  • Generation of user and device specific encryption keys to protect data held on devices
  • Transfer of data by scoped block units each with separate encryption and expiry rules that may include further app level AES encryption implemented using industry standard cross-platform libraries, in addition to device level encryption
  • Use of mobile data (where permitted) and background sync (where permitted) to ensure timely reflection of data changes and user revocation to mobile devices
  • Use of approved App store distribution paths to ensure only approved signed apps are deployed to devices
  • Dynamic detection of communications methods available to pick the lowest risk transfer medium, where possible data is transmitted over local networks rather than via the Internet
  • Use of ETAGs (checksums) to avoid unnecessary transfer of data when unchanged

On modern mobile devices all data is encrypted by default to protect both against loss or theft, and to offer limited protections against malicious actors with physical or remote access.  Modern mobile devices also operate app isolation technologies to ensure separation between apps.  Groupcall aim to utilise the protections offered by native device protections, including native device encryption, and to balance these with additional user and device specific AES encryption of specific data modules.

The principles applied to this layered encryption approach are detailed below and relate to the risk and impact of data disclosure in balance with battery-efficient and performant operation of the Emerge app on a mixed economy of modern mobile hardware:

  • Where a data unit contains personal data that would have adverse impact if disclosed then that data unit is encrypted
  • Where a data unit contains record identifiers that could be used as a heuristic to infer the identity of an individual or group of individuals by their ID in other unencrypted Emerge data then that data unit is encrypted, even if that data unit does not contain personal data (such as timetable structure)
  • Where a data unit contains configuration or instructions that could be used to adjust the output of the app then that data unit is encrypted (for example reporting definitions)

The encryption behaviour per data unit is outlined in the table below.

The Server Lifetime is how long Emerge Server will present that data unit to clients before refreshing it from the MIS, that refresh is only carried out on demand at the next relevant request from a client not automatically.  The Device lifetime is how long a device will consider the data valid before making attempts to refresh it.  When a device requests a refresh for a data unit it presents an ETAG for the data and the Emerge Server will either return the data or a confirmation that it currently holds the same ETAG so the device can consider the data valid again as if it had just received it.  The absolute maximum validity period of a data unit is therefore the two lifetime values added together, in the unlikely event that a device refreshes a data unit seconds before it expires at the server and then retains it.

Data unit

Native device encryption

App level encryption

Server lifetime

Device lifetime

Content summary

AsmTables

Yes

Yes

6 hours

Assessment structure data including aspects, marksheets, result sets and templates.

AsmUpdates

Yes

Yes

Immediate expiry

Assessment marks for writeback

AsmBaseResults

Yes

Optional

1 day

6 hours

Assessment results linked only to ID numbers, excluding free text results

AsmSecureBaseResults

Yes

Yes

1 day

6 hours

Assessment free text results

AsmThisWeeksChanges

Yes

Yes

6 hours

Assessment results changed this week

AsmTodaysResults

Yes

Yes

30 mins

1 hour

Assessment results changed today

AttendanceCodes2

Yes

No

6 hours

Attendance and meal codes lookup list

MealsTaken

Yes

Yes

6 hours

Meal choices and meal notes

AttendanceMarks2

Yes

Yes

6 hours

Session and lesson attendance marks and notes for rolling window as configured in EMC

AttendanceUpdates2

Yes

Yes

Immediate expiry

Attendance marks and meal choices for writeback

AttendMarksDelta

Yes

Yes

15 mins

30 mins

Attendance marks and notes changed today

YearAttendMarks

Yes

Yes

6 hours

YTD session attendance marks without notes

YearAttendMarkNotes

Yes

Yes

6 hours

YTD session attendance mark notes

Address

Yes

Yes

6 hours

Student, staff and contact addresses

Behaviour

Yes

Yes

6 hours

Behaviour and achievement events within the rolling window configured in EMC

BehavourToday

Yes

Yes

30 mins

1 hour

Behaviour and achievement events changed today

Contacts

Yes

Yes

6 hours

Parental contact names, contact details and relationships

Detentions

Yes

Yes

30 mins

2 hours

Detentions data

DetentionUpdates

Yes

Yes

Immediate expiry

Detentions for writeback

ExamTimetables

Yes

Yes

6 hours

Exam timetables for students

Groups

Yes

Yes

6 hours

Year, reg, house, teaching and user-defined groups and memberships for students and staff

Icons

Yes

No

6 hours

Menu icons for display within the application

IncidentLookups

Yes

No

6 hours

Lookup lists for custom incident types and resolutions as defined in MIS

IncidentUpdates

Yes

Yes

Immediate expiry

Behaviour and Achievement for writeback

MyIdentity

Yes

Yes

60 secs

30 mins

Logged in user and their permissions and settings

Photos

Yes

Optional

6 hours

Student and staff photos linked to Photo ID

Reports

Yes

Yes

10 mins

6 hours

Report definitions for Emerge inbuild attendance and behaviour reports

SSO

Yes

Yes

1 hour

5 mins

User SSO token for other Groupcall services (where applicable)

Staff

Yes

Yes

6 hours

Staff including contact details

Students

Yes

Yes

6 hours

Student details including demographics and language

Timetable

Yes

Yes

6 hours

Timetable structure and relational links

RedButton

Yes

Yes

0 secs

1 day

Help me button contact numbers

RedButtonSend

Yes

Yes

Immediate expiry

Help me request for upload to Emerge Server

iOS device encryption supports multiple methods of permitting access by an App to its own data.  To facilitate unattended background data transfer within the app including for security reasons as listed above, the Emerge app uses the “Complete until first user authentication” model for protection of data on a mobile device.  This means that access to Emerge datafiles is blocked by iOS after a device is powered on or rebooted until a user first unlocks a device after, even for the Emerge App itself.

Historic assessment data and student and staff photos

These two data units contain pseudononymised data records and do not include data identifying the source school.  The relational IDs for these records are held in databases that are always encrypted at the app level.  In the view of our own Data Privacy Impact Assessment for handling of these two data items in the Emerge app on a modern mobile device authorised and managed by the school customer, Groupcall consider that applying App level encryption for these very large data units in addition to those protections already afforded at an OS level on modern customer approved and managed mobile devices does not offer any significant reduction to risk or impact when compared to the potential business impact for end users both for performance and for battery life.

However, Groupcall accept that our view is not the only possible view and so we provide options in the Emerge Management Console for a customer to adjust this encryption behaviour to suit their own view of risks and impacts in their own data privacy impact assessment, enabling the customer to double encrypt these databases should the view that this is necessary.

Historic assessment comments, which absolutely may contain personally identifiable data, are treated separately and always encrypted at the app level regardless of the settings applied here.

User Level Permissions

To simplify the assignment of permissions to users the Emerge App provides user Profiles that cover typical user roles, these are:

  • Senior Leadership – this includes access to all student records and staff records including contact details and emergency contacts
  • Teaching – includes access to all student records and staff records for access to their timetables and groups for cover. It does not include access to staff contact details or emergency contacts.
  • Attendance Only – provides access to record attendance for any register
  • Companion – this is a more modern profile that provides a mobile-efficient dataset, specifically excluding Assessment.

Within these profiles further granular permissions can be applied, with some using the default for the selected profile.  If you want to apply bespoke permissions to a user, then the Companion profile offers the most flexibility.

  • Allow Evidence – permit attaching photos and videos to new behaviour and achievement records
  • Staff Member – which staff member’s timetables and assessment templates to present by default
  • Show all Assessment Templates – permits the user to view all assessment templates not just for their groups
  • View Staff Personal – view staff contact and next of kin information
  • View Student Contact Info – view student contact details and those of parental contacts
  • Configure Red Button – configure the Help Me function
  • View Attendance
  • Take Attendance
  • View Behaviour
  • Add Behaviour
  • View Achievements
  • Add Achievements
  • Add/Edit Assessments and Programmes of Study

Data generated by the Emerge App

When you use the Emerge App you may generate additional data, this can include:

  • Uploaded data history – which stays on the device for clarity of successful and unsuccessful uploads and is not transmitted elsewhere. When you log out of the Emerge app this history is cleared.
  • App diagnostic logs – when you enable this feature the app generates logs for 24 hours. These logs are transmitted to Groupcall only at your instruction, and are retained on device until you delete them, restart logging or uninstall the app.  The logs may contain information on data read and write activities including error messages but will not contain school data.  The logs will contain your device information to support diagnostic activities and your username.
  • App comms test results – when you use this feature and elect to transmit results to Groupcall we will receive logs containing your device information and your username along with the outcome of performance tests which will contain no personal data.
  • Google Analytics usage data – individual users can opt out of this using the settings in the app. Our Analytics data is anonymised but collatable by school and is retained for a maximum of 38 months.

Groupcall Personnel & Data Security

The technical support team at Groupcall can resolve or advise you on any technical issues that you encounter while using Groupcall products.  Where you are using Emerge App operated by a Groupcall partner organisation you should raise your support requests to that organisation in the first instance, they’ll be able to escalate any advanced cases to Groupcall directly.

Sometimes it is necessary for a Groupcall support technician to view an issue with you to diagnose it fully and offer a solution. In circumstances where support technicians need to view the issue with, you they may use remote access tools to view your computer with you, in which case you should remain at your computer and supervise the entire session.  All our remote sessions allow you to retain control and allow you to terminate the session at any time.  If your issue escalates and an additional support technician is required, then additional Groupcall staff may join the remote session.

If your issue is a platform issue or requires changes to your account configuration, then Groupcall staff may perform such configuration on your behalf from our secure management platform without requirement for remote access.

You are reminded that you should avoid sending personal information, such as student/contact records, to Groupcall directly.  You certainly should only send such information when supported by strong encryption and only if there is a specific and agreed requirement to do so.  Groupcall staff will advise the most secure method for transfer if there is such a requirement.

Emerge Updates

Once installed, the Emerge Server Software requires no further maintenance intervention (provided that Xporter maintains accessibility to the pre-requisite URLs e.g. after a proxy server change etc) as required updates are released and applied via the in-built mechanisms.

App updates are pushed to devices through the standard device update release mechanisms.  Updates can include bug fixes, security enhancements and feature developments – some of which may not take full effect until an Emerge Server update has also taken place.

To further maintain the integrity, performance and functionality of the software, Groupcall adheres to the ITILv3-based release management cycle. Usually in the case of a major update, you will be informed prior to this taking place.

Emerge Data Lifecycle

Your data’s point of origin remains in the source MIS product.  Data is cached in Groupcall Emerge App until any of the following conditions are met:

  • A blocked user is automatically logged out from the app by foreground or background sync
  • The pin or password entry screen is failed multiple times as configured in the Emerge Management Console
  • The user actively elects to wipe data while logged in
  • The user logs out
  • The app encounters a data error that causes the user to be logged out
  • The app is uninstalled from the device by the user or remotely using Mobile Device Management tools
  • The device is securely wiped using Mobile Device Management tools or a consumer iCloud or Google account

Outside of these conditions the app retains cached data even when expired to provide emergency information.  The access period when using the app offline is limited by configuration in the Emerge Management Console.

Who is responsible for managing my information?

It is the responsibility of the Data Controller, as defined in your contract, to manage the information available to the Emerge app, the dissemination of that information to mobile devices, and the life cycle of those devices.  As a Data Processor Groupcall undertake to process data under the terms of contract with due diligence and with reasonable and adequate technical and other protections in place to ensure that the risks regarding such data processing are responsibly managed.

Who can I contact if I have queries about this privacy policy?

If you are already a Groupcall customer then please contact Groupcall Support. If you are a prospective customer then please contact our sales team by emailing sales@groupcall.com or call 0208 506 6100.

What happens when you update this privacy policy?

We may update this privacy policy from time to time and we will send notification to your main account contact if this is the case.

How can I change and correct my data?

The data in the Emerge app reflects the data in your school MIS system, and so to correct any inaccuracies in the Emerge app you must correct the data in your MIS and allow updates to occur within the lifecycles outlined earlier in this document.

If it is important that data changes are shown in the Groupcall Product more urgently. For example, if a parent has been restricted from contact with their child by court order, then you can contact Groupcall Support for assistance, by emailing support@groupcall.com or call 0208 506 6100.

Emerge Browser Cookies

The Groupcall Emerge app is not a browser-based service and therefore does not rely upon Internet browser cookies for any functionality.