Our IDaaS solution has been built from the ground-up as a completely fresh and innovative approach to identity management and single sign-on, with the added benefit of application provisioning.
We have considered the many pitfalls of traditional identity management implementations, together with a significant number of requirements and use cases taken from existing large-scale deployments.
Groupcall IDaaS provides
Groupcall IDaaS is designed to keep things as simple and flexible for users as possible, putting them in full control of their identity but keeping it up to date via data entered into one or more school systems.
Groupcall IDaaS supports forward provisioning to other third party cloud-based products by providing both user and school information and identity to those systems as they require. The specific detail of what is transferred will depend on the third party products(s) that you are using IDaaS to forward provision and is covered in a specific data sharing agreement for each third party product we support. IDaaS is cleverly designed to dynamically adjust the data it requests from your school based on the requirements of the third party systems that it is forward provisioning to.
Overview of IDaaS Data Movement
Groupcall IDaaS uses the existing secure transport mechanism provided by the Groupcall WebService (used in our Emerge product), allowing a school to hold full control over data extraction by IDaaS but also allowing IDaaS to make requests for data that vary depending on the needs of the third party systems to which we forward provisioning. The connection to your school MIS is provided by Groupcall’s established school data extraction product – Groupcall Xporter.
Groupcall Xporter is installed in your school, is connected to your MIS, and uses the Groupcall WebService to connect to IDaaS, which is delivered from Microsoft Azure.
Click image to expand
Once the initial installation is completed the data movement process works like this:
- Your school Xporter notifies IDaaS if data has changed, and IDaaS makes a note to request your school changes as soon as possible.
- As soon as it can, IDaaS connects to the Groupcall WebService and authenticates. It requests recent changes to each area of data needed by IDaaS or for
forward provisioning. - Your school MIS build responses to these requests one at a time to avoid excessive workload and encrypts them using a key unique to your specific school and IDaaS before transmitting them.
- IDaaS applies changes to data within itself as soon as it receives them.
- IDaaS queues changes to data via
forward provisioning as soon as it receives them, but depending on the destination system there may be a delay before the changes appear to users.
IDaaS Fair Use Policy
It is for schools to ensure that as data controllers they have the ability to share data in this way and that they consider there to be appropriate measures in place to ensure that the data is held securely and confidentially. This document sets out how Groupcall supports these objectives.
Groupcall and its suppliers will be acting as ‘data processors’ as defined by applicable data protection legislation such as the GDPR, DPA 2018 and any successors to these. Groupcall has taken all reasonable measures to ensure the safety and security of the personal information, and continues to review these measures on an on-going basis.
While IDaaS can forward provision to third party systems it holds no control over the lifecycle and storage of forward provisioned data. For this reason you must have a separate data sharing agreement with each third party system you use IDaaS to integrate with.
IDaaS Transfer and Use of Personal Information
Groupcall IDaaS securely transports information from your MIS for purposes of:
- Managing the life cycle of user accounts in Groupcall IDaaS;
- Verifying the identity of user accounts in Groupcall IDaaS;
- Forward provisioning information about persons in your school to third party systems you allow
- Forward provisioning information other than persons in your school to third party systems you allow
The data being requested and transmitted is governed by the Data Sharing Agreement you have with each third party system that you have authorised and differs for each third party system. You should refer to their specific data sharing agreement to determine the data that is provided to that particular third party system.
Groupcall IDaaS collections a minimum footprint of data for its own operation, which represents the minimum extraction of personal information from your school MIS; This list will increase to fulfil the requirements of third party systems that you elect to forward provision to.
1. If within the scope of data to be transferred: Personal information about pupils who are currently on roll or are expected to become on roll:
- Name and preferred name
- Identifying numbers such as MIS record ID, Admissions Number and UPN, for purposes of record matching
- Date of birth
- Academic year, registration group, house group and academic classes
- Special educational needs
- School email address
And any other data described in the data sharing agreement for third party systems you consent to forward provision to.
2. If within the scope of data to be transferred: Personal information about adults currently in the employ of the school:
- Name and preferred name
- Work email address
- Membership of school groups, such as registration groups and classes
- Mobile phone number, for purposes of self-service password reset
- MIS record ID, for purposes of record matching
And any other data described in the data sharing agreement for third party systems you consent to forward provision to.
3. If within the scope of data to be transferred (typically used with Groupcall Xpressions): Personal information about pupil contacts with parental responsibility:
- Name and preferred name
- All associated email addresses and mobile phone numbers
- Which students within the school they have parental responsibility for
And any other data described in the data sharing agreement for third party systems you consent to forward provision to.
4. Information about your school:
- School name and establishment number
- Class, registration, year and house groups
And any other data described in the data sharing agreement for third party systems you consent to forward provision to.
IDaaS Data Security
This information gives details of the management of data security in relation to the use of Groupcall IDaaS, which schools may wish to use with their fair use policy.
Groupcall IDaaS encrypts all data during transit using AES 128 encryption, and stores such data in encrypted irreversible Salted hash format within the IDaaS platform. The Groupcall IDaaS platform is hosted in Microsoft Azure in the Europe North territory and you can find out more about this platform at the Windows Azure Trust Centre; however in summary the data in Azure is protected from exposure by multiple layers of firewalling, authentication and physical access control.
Groupcall IDaaS transmits data to selected third party systems that you instruct it to, and does this via suitably secure mechanisms. Any credentials that are required to deliver data to those third party systems are similarly stored within the IDaaS platform.
Revocation of access for IDaaS third party systems does not remove data from those systems; you need to follow through an exit process with each individual third party system in such a case.
Groupcall Support Personnel & Data Security
The Support team at Groupcall are able to resolve or advise you on any technical issues that you encounter while using Groupcall products, however they are unable to advise on any other issues affecting Groupcall Partner products and in such instances you should refer to the support arrangements for that specific Groupcall Partner.
Often it is necessary for a Groupcall support technicians to view the issue with you, in order to diagnose it fully and offer a solution. In circumstances where support technicians need to view the issue with, you they may use remote access tools to view your computer with you, in which case you should remain at your computer and supervise the entire session. All of our remote sessions allow you to retain control and allow you to terminate the session at any time. If your issue escalates and an additional support technician is required, then additional Groupcall staff may join the remote session.
If your issue is a platform issue or requires changes to your account configuration, then Groupcall staff may perform such configuration on your behalf from our secure management platform without requirement for remote access.
You are reminded that you should avoid sending personal information, such as student/contact records, to Groupcall directly. You certainly should only send such information when supported by strong encryption, if there is an explicit requirement to do so. Groupcall staff will advise the most secure method for transfer if there is such an explicit requirement.
IDaaS Data Lifecycle
Your data’s point of origin remains in the school MIS and IDaaS is populated by the detection of such changes in your MIS system. Where third party systems are forward provisioned, they also rely upon IDaaS detecting changes and instructing them to the third party system.
New or changed records
When a staff, student, contact or other person or record is created or changed in your MIS the next request of data by IDaaS will contain that new or changed record if it is part of the set of data the third party systems requests.
Deleted records
When a staff, student, contact or other record is deleted from your MIS< or falls outside of the selection criteria (for example a student becomes off roll) then they stop appearing in data sets returned to IDaaS; However IDaaS retains users even when they are not associated to any schools, for a defined period of time e.g. 6 months, to allow for Summer break and travelling families and in order to allow migration of users throughout the education sector.
Termination of service
Revocation of access for IDaaS third party systems does not remove data from those systems; you need to follow through an exit process with each individual third party system in such a case.
If an IDaaS user is registered by virtue of two or more schools then they will retain their identity but the data for that user relating to your school establishment will be removed.
IDaaS Privacy Policy
This forms part of the application process to use Groupcall IDaaS; The Head Teacher or an authorised member of staff will agree to have read and understood the terms and conditions outlined below:
Who is responsible for managing my information?
Groupcall IDaaS is provided by Groupcall Limited (“Groupcall”) to Groupcall Partner organisations for purposes of forward provisioning data to third party systems. Groupcall are responsible for ensuring that your data is adequately protected in relation to the operation of the Groupcall IDaaS platform itself. Third party systems are responsible for the protection of scope of data in their care and this is covered by a separate agreement.
What information do we collect?
Groupcall IDaaS will collect and store data from your school as per the list on page 5 and maintain that data according to the life cycle on page 8. This scope will increase in line with the needs of third party systems that you request IDaaS forward provisions to, and those increases are covered in your separate data sharing agreement with each third party system.
What is my information used for?
Groupcall IDaaS securely transports information from your MIS for purposes of:
- Managing the life cycle of user accounts in Groupcall IDaaS;
- Verifying the identity of user accounts in Groupcall IDaaS;
- Forward provisioning information about persons in your school to third party systems you allow;
- Forward provisioning information other than persons in your school to third party systems you allow
How is my information held?
Groupcall IDaaS encrypts all data during transit using AES128 encryption, and stores data within the Groupcall IDaaS platform. The Groupcall IDaaS platform is hosted in Microsoft Azure in the Europe North territory and you can find out more about this platform at the Windows Azure Trust Centre; however in summary the data in Azure is protected from exposure by multiple layers of firewalling, authentication and physical access control.
Data that is forward provisioned to third party systems is subject to the conditions of your specific data sharing agreement with that particular third party system.
How long will my information be held for?
Groupcall IDaaS retains data from an individual school while it is applicable to current or future learners and staff within the school. When this ceases to be the case IDaaS will no longer retain school data for learners or staff who have registered with IDaaS but will continue to provide their identity username and password, for purposes of continuity throughout their education.
Data that is forward provisioned to third party systems is subject to the conditions of your specific data sharing agreement with that particular third party system.
How can I update my data?
The data delivered by Groupcall IDaaS reflects the data in your school MIS system; hence to correct any inaccuracies in that data you should correct the data in your MIS and await the refresh of that data across destination systems.
How do I delete my data?
Revocation of access for IDaaS third party systems does not remove data from those systems; you need to follow through an exit process with each individual third party system in such a case.
If an IDaaS user is registered by virtue of two or more schools then they will retain their identity but the data for that user relating to your school establishment will be removed.
If you require your individual data deleted from the IDaaS platform then you need only contact Groupcall Support.
Will you ever update this privacy policy?
We may update this privacy policy from time to time in the interests of maintaining a secure and efficient service. The latest version of this document will always be available from Groupcall Support.
Who can I contact if I have queries about this privacy policy?
If you are already a Groupcall IDaaS customer then please contact Groupcall Support. If you are a prospective customer then please contact our sales team via sales@groupcall.com.
IDaaS Browser Cookies
Groupcall IDaaS is a federated identity service that provides and manages authentication of users for both itself and for third party systems; it make use of browser cookies for the following purposes:
- Managing the registration process
- Managing the login of individual identities and making ‘claims’ regarding that identity to other third party systems
- Profiling user access to the IDaaS admin interface for purposes of security monitoring and product improvement.
Please also note that third party systems may also use cookies, their use is subject to the conditions of your specific data sharing agreement with that particular third party system.