Privacy Notice

Privacy Notice for Schoolcomms Users

Schoolcomms, part of ParentPay limited, is engaged in the design, development, sales, marketing, supply, maintenance and operation of payment collection, payment processing, parent communication and management information systems and services for the education market.

This notice explains to Schoolcomms Users (“you/your”) how ParentPay (“we/us”) use your personal information.

This privacy notice covers:

Why we use your personal information
The legal basis for processing
What personal information we use
How we use your personal information
Your rights under data protection legislation
Sharing personal information with third parties
How long we may keep your information
Changes to our privacy notice
Contact details for our Data Protection Officer

Why we use your personal information

The Schoolcomms payment solutions and communication platforms provided to schools and their parents, are governed by a contract between us and the schools, Multi-Academy Trust or a Local Education Authority (“Schoolcomms Customer”), and also the Terms and Conditions that you agree with when you sign up (“Schoolcomms User”).

We process your personal data for the following purposes:

to provide you with the service activated and registered for
the verification of your identity where required
for the prevention and detection of crime, fraud and anti-money laundering
for the ongoing administration of the service
to allow us to improve the products and services we offer to our customers
to ask for your opinion about our products and offer surveys
for research and statistical analysis including payment and usage patterns
- We only use the data in an anonymized manner when we use your data for this purpose.
to enable us to comply with our legal and regulatory obligations
to offer new products and services to you which are relevant and appropriate, and only to the extent that would be reasonably expected.

If we plan to introduce further processes for the use of your information, we will provide information about that purpose prior to such processing.

The legal basis for processing

Under Data Protection Law, there are various grounds which are considered to be a ‘legal basis for processing’.
The legal basis for processing should be determined by the Data Controller.

Where we are the Data Processor, the legal basis is determined by the Customer. Typically, the legal basis in this scenario is:
‘processing is necessary for the performance of a task carried out in the public interest’
or
‘processing is necessary for the purposes of legitimate interests pursued by the controller’

Where we are the Data Controller, the legal basis for processing is based on:
‘processing is necessary for the purposes of legitimate interests pursued by the controller’

It should be noted that in some circumstances this legal basis may vary, however, we always operate in full compliance with Data Protection Law and will only process data with a fair and reasonable legal basis for doing so.

What personal information we process

In order to carry out these services, we obtain (either from the Customer and/or from you directly) and process the following information:

Edit
Data Subject (Who)	Data Category (What)	Description	Module
Student	Achievement records	Achievement records entered into the Schools MIS.	Online Reporting
Student	App status	Is the pupil using the School Gateway app	Core
Student	Assessment reports	Annual assessment reports generated by the school using their MIS.	Online Reporting
Student	Authentication data	Students School Gateway PIN	Core
Student	Behaviour incident records	Behaviour incidents recorded on the Schools MIS.	Online Reporting
Student	Club Attendance Records	Club attendance which is recorded by school within Schoolcomms	Clubs
Student	Club balances	Separate balances for each club the student attends	Clubs
Student	Club Session Bookings	Club sessions booked by parents or school	Clubs
Student	Curriculum Timetable	This is the pupil’s timetable.	Online Reporting
Student	Dinner Bookings	Dinner bookings made by parents or school.	Dinners
Student	Dinner plan balance	Dinner plan balance if School uses Schoolcomms Dinners Module	Dinners
Student	Exam timetables	The students exam timetables	Online Reporting
Student	Forename	This is the forename of the pupil.	Core
Student	Free School Meals	Whether the pupil is eligible for Free School Meals.	Dinners
Student	Gender	This is the pupil’s gender	Core
Student	Groups	Active groups set up by the school containing the pupil.	Messaging
Student	Identifiers	MIS ID, Roll Number and UPN	Core
Student	In-app messages	Messages sent from parents to school within the School Gateway application	Messaging
Student	Known as	This is the name that the pupil is known as.	Core
Student	Linked People	Contact’s linked to the child that meet import criteria specified by school	Core
Student	Meal Selections and spend history	This is a record of the students meal spend, this is imported from the schools cashless retailer, SIMS Dinner money or recorded within Schoolcomms Dinners	Online Reporting
Student	Medical Information	Student Medical Conditions	Online Reporting
Student	Message History	Email or SMS messages sent to the user by the school or vice versa	Messaging
Student	MIS Groups	Active groups set up in the schools MIS system containing the pupil	Messaging
Student	Mobile OS	This is the operating system (iOS or Android) of the mobile phone used to access School Gateway.	Core
Student	Mobile Telephone	This is the pupil’s mobile telephone number used to receive alerts from the school and to verify the pupil’s School Gateway account.	Core
Student	Paypoint Data	Data used to issue a Paypoint voucher linking a student and payment item	Payments
Student	Postal Address	The student’s postal address	Online Reporting
Student	Pre-admission Status	Students Pre-admission status	Core
Student	Primary email address	This is the pupil’s primary email address used to receive communications from the school and to verify the pupil’s School Gateway account.	Core
Student	Pupil Premium Questionnaire Results	Results of the School Gateway Pupil Premium Questionnaire	Core
Student	Registration Group	The registration group of the pupil.	Core
Student	School Gateway activation date	This is the date the user activated and first logged into the School Gateway portal.	Core
Student	SIMS Dinner Money / Cashless Retailer Balance	The balance from the schools cashless retailer or SIMS Dinner Money	Payments
Student	SIMS profile report	This is a SIMS profile report for the student	Online Reporting
Student	Surname	This is the surname of the pupil.	Core
Student	Unexplained absence records	Any unexplained absences recorded by the school for AM or PM registration.	Messaging
Student	Year Group	The year group of the Pupil.	Core

Contact	Authentication data	The contact’s School Gateway PIN	Core
Contact	Bank account details	Bank account details are captured and passed to a 3rd party for authorisation	Payments
Contact	Forename	This is the contact’s forename.	Core
Contact	Billing Address	Billing address details are captured and shared with payment service providers so that they can complete important security and fraud checks for processing card payments.	Payments
Contact	House Name	The text entered as the contact’s house name.	Core
Contact	In-app messages	Messages sent from parents to school within the School Gateway application	Messaging
Contact	Locality	The text entered as the contact’s locality.	Core
Contact	Message History	Email or SMS messages sent to the user by the school or vice versa	Messaging
Contact	MIS Contact priority	The priority of contacts connected to a student. (i.e. 1 & 2 may be immediate family whereas 3 & 4 may be distant relatives for emergency contact purposes).	Core
Contact	Mobile OS	This is the operating system (iOS or Android) of the mobile phone used to access School Gateway.	Core
Contact	Mobile Telephone	This is the contact’s mobile telephone number used to receive alerts from the school and to verify the contacts School Gateway account. Mobile number is shared with payment service providers so that they can complete important security and fraud checks for processing card payments.	Core, Payments
Contact	Parental responsibility status	This is a marker used by schools to identify if a contact has parental responsibility over a student (allowed to give consent etc. ).	Core
Contact	Payment card details	Payment card details are captured and passed to a 3rd party for authorisation.	Payments
Contact	Payment History and balances	This is the contact’s payment and transaction history	Payments
Contact	Postcode	The text entered as the contact’s post code.	Core
Contact	Primary Email address	This is the contact’s primary email address used to receive communications from the school and to verify the contacts School Gateway account. Email address is shared with payment service providers so that they can complete important security and fraud checks for processing card payments.	Core, Payments
Contact	Prime Parent Status	Indicates whether a contact is a prime parent or seconday parent	Core
Contact	School Gateway activation date	This is the date the user activated and first logged into the School Gateway portal.	Core
Contact	School Gateway app status	Identifies whether a user is logged into the School Gateway mobile application.	Core
Contact	Street	The text entered as the contact’s street.	Core
Contact	Surname	This is the contact’s surname.	Core
Contact	Town	The text entered as the contact’s town.	Core

Staff Member	Authentication data	The staff member’s School Gateway PIN	Core
Staff Member	Bank Account Details	Bank account details are captured and passed to a 3rd party for authorisation	Payments
Staff Member	Billing Address	Billing address details are captured and shared with payment service providers so that they can complete important security and fraud checks for processing card payments.	Payments
Staff Member	Card Details	Payment card details are captured and passed to a 3rd party for authorisation.	Payments
Staff Member	Club Attendance Records	Club attendance which is recorded by school within Schoolcomms	Clubs
Staff Member	Club Balances	Separate balances for each club the staff member attends	Clubs
Staff Member	Club Bookings	Club bookings made by staff member or school.	Clubs
Staff Member	Curriculum timetable	This is the staff members timetable.	Online Reporting
Staff Member	Dinner Bookings	Dinner bookings made by staff member or school.	Dinners
Staff Member	Dinner Money / Caterer Balance	The balance from the schools cashless retailer or SIMS Dinner Money	Payments
Staff Member	Dinner Plan Balance	Dinner plan balance if School uses Schoolcomms Dinners Module	Dinners
Staff Member	Forename	This is the staff member’s forename.	Core
Staff Member	Groups	Active groups set up by the school containing the pupil.	Messaging
Staff Member	In-app messages	Messages sent from parents to school within the School Gateway application	Messaging
Staff Member	Linked People	MIS contacts linked to the staff member who meet the Schoolcomms import critera set by the school.	Core
Staff Member	Meal Spend History	This is a record of the staff members meal spend, this is imported from the schools cashless retailer, SIMS Dinner money or recorded within Schoolcomms Dinners	Payments
Staff Member	Medical Conditions	Staff Member Medical Conditions	Online Reporting
Staff Member	Message History	Email or SMS messages sent to the user by the school or vice versa	Messaging
Staff Member	MIS ID	Staff members MIS ID	Core
Staff Member	Mobile OS version	This is the operating system (iOS or Android) of the mobile phone used to access School Gateway.	Core
Staff Member	Mobile telephone	This is the contact’s mobile telephone number used to receive alerts from the school and to verify the contacts School Gateway account. Mobile number is shared with payment service providers so that they can complete important security and fraud checks for processing card payments.	Core, Payments
Staff Member	Payment History	The staff members payment history	Payments
Staff Member	PayPoint Data	Data used to issue a Paypoint voucher linking a staff member and payment item	Payments
Staff Member	Postal Address	The staff member’s postal address	Core
Staff Member	Postcode	The staff member’s postal code	Core
Staff Member	Primary email	This is the contact’s primary email address used to receive communications from the school and to verify the contacts School Gateway account. Email address is shared with payment service providers so that they can complete important security and fraud checks for processing card payments.	Core, Payments
Staff Member	Role	The staff member’s role at the school	Core
Staff Member	School Gateway activation date	This is the date the staff member activated and first logged into the School Gateway portal.	Core
Staff Member	School Gateway app status	Identifies whether a staff member is logged into the School Gateway mobile application.	Core
Staff Member	Surname	This is the staff member’s surname.	Core
Staff Member	Title	This is the staff member’s title (Mr, Mrs, Ms, etc.).	Core

Other	Browser Type and Version	The type of Web Browser your device is using	Core
Other	Cookies	Special records in your browser to help the website operate	Core
Other	IP Address	The network address of your device or internet connection	Core
Other	Web Analytics	Generalised information about browsing behaviour and page statistics	Core

How we process your personal information

We use your personal information, and some of our employees have access to such information, only to the extent required to carry out the services for you and on behalf of the Customer.

We have introduced appropriate technical and organisational measures to protect the confidentiality, integrity and availability of your personal information during storage, processing and transit.

We are a Level 2 PCI-DSS certified organisation and operate an ISO27001 compliant security programme to help protect your data at all times.

The Schoolcomms Products and Services only processes your personal information in the UK.

Some of our supporting services (for example Microsoft CRM), might use cloud platforms that operate from Third Countries outside of the EEA. Where this is the case, we ensure that adequate safeguards are established to protect your data.

Your rights under Data Protection Law

Right to Access

You have the right of access to your personal information that we process and details about that processing.
You can usually access that information directly within the Schoolcomms Products and Services (self-service). However, should this not be possible, you can raise a Data Subject Access Request (DSAR) to receive this information in another format.

Right to Rectification

You have the right to request that information is corrected if it’s inaccurate. You can usually update your own information using the Schoolcomms Products and Services (self-service). However, should this not be possible, your child’s school will need to correct the data held by them and provided to us for processing.

Right to Erasure (Right to be Forgotten)

You have the right to request that your information is removed; depending on the circumstances, we may or may not be obliged to action this request.

Right to Object

You have the right to object to the processing of your information; depending on the circumstances, we may or may not be obliged to action this request.

Right to Restriction of Processing

You have the right to request that we restrict the extent of our processing activities; depending on the circumstances, we may or may not be obliged to action this request.

Right to Data Portability

You have the right to receive the personal data which you have provided to us in a structured, commonly used and machine readable format suitable for transferring to another controller.

Right to lodge a complaint with a supervisory authority

If you think we have infringed your privacy rights, you can lodge a complaint with the relevant supervisory authority. You can lodge your complaint in particular in the country where your live, your place of work or place where you believe we infringed your right(s).

You can exercise your rights be sending an e-mail to dpo@parentpay.com. Please state clearly in the subject that your request concerns a privacy matter, and provide a clear description of your requirements.

Note: We may need to request additional information to verify your identity before we action your request.

Sharing personal information with third parties

We use a range of trusted service providers to help deliver our services. All of our suppliers are subject to appropriate safeguards, operating in accordance with our specific instructions and limitations, and in full compliance with Data Protection Law.

These service providers include:

Payment Processors- to securely process your bank transfer and card payments (we do not see, or store payment card details)
SMS Providers – to send out our SMS notifications or messages sent by Customers using Schoolcomms Products and Services
Email Providers – to send out our email notifications or messages sent by Customers using Schoolcomms Products and Services
Hosting Providers – to manage our secure enterprise datacentres
Security Providers – to protect our systems from attack
Telephony Providers – we might record calls for training, quality and security purposes
Support Portal (ZenDesk) – so that you can easily ask for help
Wonde (Data Integrator) – so that schools can safely manage their data
Feedback Platforms (Optional) – working with SurveyMonkey

We may also have access to your personal information as part of delivering the service.

If we need to change or add additional third parties, we will always update our Privacy Notice accordingly.

We will only disclose your information to other parties in the following limited circumstances

where we are legally obliged to do so, e.g. to law enforcement and regulatory authorities
where there is a duty to disclose in the public interest
where disclosure is necessary to protect our interest e.g. to prevent or detect crime and fraud
where you give us permission to do so e.g. by providing consent within the Schoolcomms Products and Services or via an online application or consent form

How long we may keep your personal information

We will only retain information for as long as is necessary to deliver the service safely and securely. We may need to retain some records to maintain compliance with other applicable legislation – for example finance, taxation, fraud and money laundering law requires certain records to be retained for an extended duration, in some cases for up to seven years.

Changes to our Privacy Notice

This policy will be reviewed regularly and updated versions will be posted on our websites.

Contact details for our Data Protection Officer

We have appointed a Data Protection Officer (DPO); their contact details are as follows:

dpo@parentpay.com

Data Protection Officer

ParentPay

Coventry Building Society Arena

Phoenix Way

Coventry

CV6 6GE