Xporter On Demand:
Data Sharing Agreement

Version Control Information

Author Date Versions
Tim Verlander 12/06/2016 0.1
Robert Rainey 26/08/2016 1.0
Robert Rainey 17/01/2017 1.1

Table of Contents


This document forms a Data Sharing Agreement between Groupcall Limited (Groupcall) and your school or other education establishment (you, your) for the transit and protection of your school MIS data using Groupcall Xporter-on-Demand (XoD) When you share data with Groupcall third party partners (partners) using Groupcall XoD, Groupcall securely caches your school data within European data boundaries to provide responsiveness and to minimise any impact on your MIS platform. All sensitive and personally identifiable data is encrypted. This agreement outlines how Groupcall protects your data within XoD, but you will also need to consent to specific partner agreements regarding the movement of your school data to those partners when you choose to allow it.

Data Movement Overview

Groupcall Xporter-on-Demand is an automated self-service solution to securely collect and deliver data to one or more selected partners – such as homework systems, behaviour management software, and so on. Enabling XoD for your school opens up easy sharing of your school dataset with over 70 partners.

XoD operates an AES encrypted hot/warm/cold Cloud-based caching layer within European data boundaries to provide responsiveness and to minimise impact on your MIS platform. XoD proactively caches a core high-frequency access dataset within the platform (defined later in this document), and will also cache other data that fulfils both of these requirements:

  1. You allow one or more partners to access the data areas.
  2. One or more partners actually request access to those data areas.

The Xporter-on-Demand platform meets security requirements for the protection of your data because:

  • All personal data is stored AES encrypted at rest.
  • Xporter-on-Demand operates inside of European data boundaries.
  • Xporter-on-Demand utilises the Microsoft Azure cloud platform, which is certified for the storage of personal data.
  • Groupcall carry out periodic vulnerability scans of our platforms.
  • Groupcall are ISO27001 certified.

For school-hosted MIS products such as Capita SIMS .net and Advanced Learning Facility, Groupcall use our on-premise Groupcall Xporter agent to facilitate secure data movement between an on-premise MIS and the Xporter-on-Demand cloud platform; this includes AES encryption of personal data.

For cloud-hosted MIS products such as RM Integris G2 and ScholarPack, Groupcall XoD can either follow the on-premise model as above using an Xporter agent, or you can supply XoD with a specific set of MIS credentials and we will make cloud-to-cloud transfers to ensure fast and reliable service delivery without reliance on your school broadband connection and with much faster support escalation assistance. You can choose either option.

The on-premise Xporter agent will transmit health and performance information to Groupcall on a periodic basis to allow proactive monitoring of installation health and to generate anonymised trending statistics to further improve the service. This includes local server information such as operating system details, server specification, resource utilisation, and networking information.

In instances where your Xporter agent is identified to be in a faulted state the same monitoring service will also transmit error logs to Groupcall servers and allow authorised Groupcall staff to send remedial instructions to your Xporter agent installation to request that it check for and apply updates, re-attempt connection to your MIS or to the XoD platform, restart the Xporter service, or carry out other changes to your Xporter agent configuration required to restore service.

Transfer and Use of Personal Information

Groupcall Xporter-on-Demand facilitates the extraction of data between MIS and partners. The extent of Personal Information shared with these systems will depend upon each partner’s requirements and you must consent an explicit DSA to that effect with each partner. XoD will not allow transfer of data to a partner unless you specifically given permission via the XoD web UI that allows sharing to occur, Groupcall call this a Consent.

A Consent in XoD allows a specific list of data areas to be read/written from your MIS for a specific partner that you gave Consent to. When you give consent, the permission for movement of data within the scope of that Consent is perpetual until you, the partner, or Groupcall withdraws it. When you revoke permission for a partner you must specify an end date for that sharing and XoD will cease allowing access by the partner from that date. If you revoke permission retrospectively then data access may continue for up to 72 hours.

Withdrawing Consent for movement of a specific list of data areas to be read/written by a specific partner does not end your commercial relationship with that partner. If you do withdraw consent for data transfer for a specific partner then you need to also remember to instruct them to cancel any service(s) or contract(s) that you have in place and ensure that they dispose of your school’s data in line with the partner’s specific data sharing agreement that you initially Consented to.

Groupcall XoD proactively caches an encrypted set of data when you enable it; this is to ensure responsiveness and to minimise any impact on your MIS platform. This data includes:

  • Details of your school: including Headteacher name and contact details
  • Details of your school pastoral and timetable structure: including year groups, registration groups, house groups, teaching groups, timetable structure and lessons.
  • Details of your students: including identifiers, names, photos, contact details, addresses, summary attendance statistics, SEN and demographics.
  • Details of your staff: including identifiers, names, photos, contact details, addresses, birthdate, gender, and employment start and end dates.
  • Details of student contacts: including identifiers, names, relationship to student(s), contact details and addresses.

Groupcall does not transmit this data to any partner unless there is a Consent in place specifically covering the data areas requested. For example, while student demographics are proactively cached with at-rest encryption, they will not be released to any partner unless there is an active Consent in place for that partner that includes the “StudentDemographic” permission.

Groupcall Support Personnel & Data Security

The support team at Groupcall are able to resolve or advise you on any technical issues that you encounter while using Groupcall products, however they are unable to advise on any other issues affecting partner products and in such instances you should refer to the support arrangements for that specific partner.

If you have an on-premise Xporter agent deployed then it may be necessary for a Groupcall support technicians to view the issue with you, in order to diagnose it fully and offer a solution. In circumstances where support technicians need to view the issue with, you they may use remote access tools to view your computer with you, in which case you should remain at your computer and supervise the entire session. All of our remote sessions allow you to retain control and allow you to terminate the session at any time. If your issue escalates and further technical specialists are required, then additional Groupcall staff may join the remote session.

If your issue is a platform issue or requires changes to your account configuration, then Groupcall staff may perform such configuration on your behalf from our secure management platform without requirement for remote access. This will not include carrying out any Consent on your behalf.

You are reminded that you should avoid sending personal information, such as student/contact records, to Groupcall directly, for example via email. You certainly should only send such information when supported by strong encryption, if there is an explicit requirement to do so. Groupcall staff will advise the most secure method for transfer if there is such an explicit requirement.

Data Lifecycle

Your data’s point of origin remains in the source MIS system and is transported via Groupcall XoD based upon agreed rules, in-line with 3rd party specification.

Due to the caching nature of the XoD platform, some data changes in your MIS may take up to 24 hours to propagate to partners. If this presents an issue for you in a specific matter, please do contact Groupcall support for assistance and to expedite a cache refresh of all appropriate data. If your school MIS is inaccessible, XoD may return data from our encrypted caches in the interests of service continuity.

The XoD platform automatically disposes of expired cache data from the platform when it is 30 days out of date. Any fresher data supplied to XoD will overwrite existing data of the same type for your school. In practice the maximum cache validity in XoD is 7 days (for photos) and so our automatic disposal policy means that any data held by Xporter-onDemand will be automatically and permanently purged from our storage a maximum of 37 days after you cease to use the platform or after all partner(s) cease accessing an area of your data.

Privacy Policy

This forms part of the application process to use relevant Groupcall Products. The Head Teacher or an authorised member of staff will agree to have read and understood the terms and conditions outlined below:

Use of Data

The Use of Data policy is provided for schools to ensure that as data controllers they have the ability to share data, and that they consider there to be appropriate measures in place, ensuring that the data is held securely and confidentially.

This document sets out how Groupcall supports these objectives.

Groupcall and its suppliers will be acting as ‘data processors’ as defined by applicable data protection legislation such as the GDPR, DPA 2018 and any successors to these. Groupcall has taken all reasonable measures to ensure the safety and security of the personal information, and continues to review these measures on an on-going basis.

Who is responsible for managing my information?

The Groupcall XoD service is provided by Groupcall Limited and its suppliers. We are responsible for ensuring that your data is adequately protected in relation to the operation of the all Groupcall platforms.

You, as Head Teacher or authorised member of staff, are responsible for which partners you consent to access your school data, ensuring that you are satisfied with their data protection compliance and that you withdraw consent in a timely manner in the event of ending agreement with them.

Who can I contact if I have queries about this privacy policy?

Please contact Groupcall Support by emailing support@groupcall.com, calling 0208 506 6100, or using the live chat on www.groupcall.com.

Will you ever update this privacy policy?
We may update this privacy policy from time to time and we will send notification to your main account contact if this is the case. For specific optional functionality within the Groupcall XoD service we may also issue appendices to this agreement.
How can I update my data?

The data in Groupcall XoD reflects the data in your school MIS system. Hence, to correct any inaccuracies in the data, you should correct the data in your MIS and allow an overnight update to occur.

If it is important that data changes are shown in the Groupcall Product more urgently. For example, if a parent has been restricted from contact with their child by court order, then you can contact Groupcall Support for assistance in expediting the transfer of this information.

What information do we collect?

We collect students, staff and parental contact and grouping information such as school record identifiers, names, gender, date of birth, electronic contact details, language preference and recent attendance marks. Further information may be securely stored (with AES encryption in flight and at rest) dependent upon the Consent(s) that you make with partners. The full information we proactively collect and securely store with AES encryption in flight and at rest is detailed under the "Transfer and Use of Personal Information" section earlier in this document.

For each specific partner you should also refer to their Data Sharing Agreement.

Xporter Browser Cookies

Groupcall XoD will store browser cookies on your system for purposes of authentication and security, and for purposes of gathering anonymous statistical information regarding usage and improvement of our products and services.