NetSupport School and GDPR Compliance
The EU General Data Protection Regulation (“GDPR”) came into force across the European Union on 25th May 2018 and brought with it the most significant changes to data protection law in two decades. Based on privacy by design and taking a risk-based approach, the EU GDPR has been designed to meet the requirements of the digital age. Subsequently, upon the UK leaving the EU, the Data Protection Act 2018 was updated to enact the UK GDPR, replicating the EU GDPR.
The UK GDPR aims to standardise the regulation of data protection laws and processing across the UK and work alongside the EU regulations, as well as influence other legislation across the globe – affording individuals stronger, more consistent rights to access and control their personal information.
NetSupport School helps teachers to deliver creative lesson content, work collaboratively and monitor student PCs, ensuring that student attention and focus is maintained at all times.
A NetSupport School installation processes personal data and, as such, is impacted by the GDPR. This document will provide you with all the information you need relating to NetSupport School to ensure that personal data is processed in accordance with the GDPR. The following sections are designed to help you with your Record of Processing Activities, any risk assessments you may need to complete, any due diligence needed during purchase/procurement and to help you with information you may need for your Privacy Notice.
How does NetSupport School process personal data?
NetSupport School is a classroom management and collaboration tool. It is an on-site solution and so your organisation is both Data Controller and Data Processor for any personal data which is processed. The product has a student module that is installed on the students’ machines. The student module interacts with and monitors the use of the computer. The student module then sends this data directly to the NetSupport School Tutor or Tech Console – the data being transmitted using NetSupport’s proprietary protocol which includes encrypting any data sent across the network. Any data is then processed and displayed at the Tutor or Technicians’ Console.
NetSupport School does not store any personal data in any database or data files automatically; however, the Tutor and Technicians’ Consoles can both be used to save some personal data, as described below.
Where is the personal data stored?
NetSupport School does not store any personal data by default, but a range of functions may be enabled to allow the schools to retain and store personal data. Any of the personal data processed by NetSupport School is only available during the current Tutor or Tech Console session, unless it is saved by a manual action initiated by the user of the Tutor or Tech Console application.
The NetSupport Tutor application has a student register feature that allows the Tutor to initiate a collection of data from the student machines. If the user of the NetSupport School Tutor selects to save the student register, the personal data associated with the student register is saved to a comma-separated values file in the location specified by the user.
The NetSupport Tutor application has a feature to monitor and record the audio from any microphone attached to the student machine. In the Tutor Console, there is the ability to save this audio to an audio file, and the user is prompted for a location and name to store the file.
The NetSupport Tutor application has a feature allowing the Tutor to view any websites visited by the student machines – this can display the URL and title of the page being displayed. This data is not stored but can be viewed during the current session on the Tutor Console.
The NetSupport School Tutor and Tech Consoles have the ability to view students’ screens. A screen capture image can also be saved to a file. This is a manually initiated process and the user is prompted for a location to store the image.
What data is collected and stored?
The table below lists all of the personal information that is stored in the NetSupport School database.
|Name||Identification||Public task / Legitimate interests*||Personal Data||Automatically collected|
|Logon Name||Identification||Public task / Legitimate interests*||Personal Data||Automatically collected|
|Class||Identification||Public task / Legitimate interests*||Personal Data||Optional Data|
|Student ID/No||Identification||Public task / Legitimate interests*||Personal Data||Optional Data|
|Screen Capture||Student Monitoring||Public task / Legitimate interests*||Sensitive Data||Optional Data|
|Accessed URL||Student Monitoring||Public task / Legitimate interests*||Personal Data||Optional Data|
|Title of Accessed URL||Student Monitoring||Public task / Legitimate interests*||Personal Data||Optional Data|
|Audio Capture||Student Monitoring||Public task / Legitimate interests*||Sensitive Data||Optional Data|
|Keyboard Capture||Student Monitoring||Public task / Legitimate interests*||Sensitive Data||Optional Data|
|Journal||Lesson Activities||Public task / Legitimate interests*||Personal Data||Optional Data|
|Assessment Tools||Student Progress||Public task / Legitimate interests*||Personal Data||Optional Data|
* The Lawful Basis for processing is decided by the Data Controller (the customer) and not by NetSupport. This table gives the suggested basis for public authorities/companies and other organisations respectively. Please confirm the correct Lawful Basis with your Data Protection Officer/Data Protection lead.
NetSupport School and the GDPR Data subject rights
The GDPR defines eight rights of the individual with regard to the processing of personal data. Part of complying with the new regulations is to ensure that you can comply with these individual rights. In this section, we explain each right and how it affects NetSupport School. All decisions about how NetSupport School is used to help the Customer, as the Data Controller, uphold any specified Rights of Data Subjects are entirely within the control of the Customer. This information is shared for guidance and support.
COPPA and FERPA Compliance
Children’s Online Privacy Protection Act of 1998 (COPPA) places requirements on operators of websites or online services directed to children under the age of 13 years old, and on operators of websites or online services that have actual knowledge that they are collecting personal information online from a child under the age of 13 years. The Family Educational Rights and Privacy Act (FERPA) protects the privacy of student education records. It protects personally identifiable information (PII) in students’ information records from unauthorized disclosure.
NetSupport School fully meets the requirements for compliance as it is a fully on-premise solution. No data is shared with NetSupport or third-party services, and any information collected within NetSupport School is solely used for the purpose of creating and managing classes, or to support targeted areas of academic progress.
The right to be informed
Individuals have the right to be informed about the collection and use of their personal data. This is a key transparency requirement under the GDPR. For further information and guidance, see https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-be-informed/
The right of access
Under the GDPR, individuals have the right to access their personal data. This allows individuals to be aware of and verify the lawfulness of the processing.
See https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-of-access/
With the exception of the Journal or assessment tools, NetSupport School does not store any personal data by default, but a range of functions may be enabled to allow the schools to retain and store personal data as part of manual saving of files or data. As such, the product does not have any specific facility to collate information on a specific individual. If you are saving data from NetSupport School to electronic files on a file system, then we recommend that you define a Data Retention Policy for this data and have procedures in place to provide data to the data subject, if requested. Information recorded in the Journal or results within assessments is held within the organisation’s on-site storage locations, and retained until processed according to its retention policy.
The right to rectification
Under Article 16 of the GDPR, individuals have the right to have inaccurate personal data rectified. See https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-rectification/
With the exception of the Journal or assessment tools, NetSupport School does not store any personal data beyond the active session – there is no specific facility to edit stored data. Any data saved manually is in standard electronic formats. Information recorded in the Journal or results within assessments is held within the organisation’s on-site storage locations, and retained until processed according to its data retention policy.
The right to erasure
Under Article 17 of the GDPR, individuals have the right to have personal data erased. This is also known as the ‘right to be forgotten’. The right is not absolute and only applies in certain circumstances. For information on when this right is applicable, see the ICO guidance at https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-erasure/
With the exception of the Journal or assessment tools, NetSupport School does not store any personal data beyond the active session – there is no specific facility to delete stored data. Information recorded in the Journal or results within assessments is held within the organisation’s on-site storage locations and retained until processed according to its data retention policy.
The right to restrict processing
Article 18 of the GDPR gives individuals the right to restrict the processing of their personal data in certain circumstances. The right is not absolute and only applies in certain circumstances. In most cases, you will not be required to restrict an individual’s personal data indefinitely but will need to have the restriction in place for a certain period of time.
If you need to temporarily stop monitoring a specific student machine, you can exclude a machine from a specific class.
The right to data portability
The right to data portability only applies:
- to personal data an individual has provided to a controller
- where the processing is based on the individual’s consent or for the performance of a contract, and
- when processing is carried out by automated means.
With the exception of the Journal or assessment tools, NetSupport School does not store any personal data by default, but a range of functions may be enabled to allow the schools to retain and store personal data as part of manual saving of files or data. Any requirement to make data portable would be solely dependent on the Data Controller’s choice of lawful basis for processing meeting the above requirements.
The right to object
The guidance from the ICO states that:
“Individuals must have an objection on ‘grounds relating to his or her particular situation’. And that you must stop processing the personal data unless, you can demonstrate compelling legitimate grounds for the processing, which overrides the interests, rights and freedoms of the individual”.
NetSupport School is used by educational institutes and other organisations to facilitate the delivery of education (including course content) to students, demonstrating compelling legitimate grounds for processing. Any objection to processing data is likely to have a significant impact on the organisation’s ability to deliver lessons or course content.
Rights in relation to automated decision making and profiling
The GDPR has provisions on:
- automated individual decision-making (making a decision solely by automated means without any human involvement), and
- profiling (automated processing of personal data to evaluate certain things about an individual). Profiling can be part of an automated decision-making process.
NetSupport School does not perform any automated decision making. Where assessments are in place, these are designed and constructed by school staff and any resulting personal data, including scores, is held and controlled by the school.
Some common questions
Is NetSupport the data processor or the data controller?
For a customer using NetSupport School, NetSupport does not have access to any school’s data. Once the product is installed, all of the data is stored locally on the school’s servers. Therefore, within the context of NetSupport School, NetSupport is neither the data controller nor the data processor.
Is the school the data processor or the data controller within the context of NetSupport systems?
For users of NetSupport School, schools remain the data controller of their own data on the system.
Does NetSupport School process personal data?
Personal information associated with individual students and staff is processed by NetSupport School; therefore, the rules of the GDPR apply to its use. With the exception of the Journal or assessment tools, NetSupport School does not store any personal data by default, but a range of functions may be enabled to allow the schools to retain and store personal data as part of manual saving of files or data. If the user of the product manually saves any data, then the location of this data is defined by them.
Does NetSupport School process sensitive data?
Screen capture data, audio capture data and keyboard monitor data are all collected by NetSupport School. Due to the possible nature of this data, it could contain sensitive data and, as such, we recommend that it be assumed as sensitive data. However, a decision about this should be recorded as part of any risk assessment.
Do I need to get consent from all staff and pupils before I can monitor them in school with NetSupport School?
Consent is not normally seen as being required. You do, however, need to give a clear notification that there is a system in place which enables staff to view and interact with the students. This notification should explain that NetSupport School will record what they type and do, so staff and pupils understand what is monitored for safeguarding or training purposes. Schools should state very clearly why it is necessary to view students’ activities during lessons (and, where applicable, those of staff) and how that data will be processed, stored and deleted.
What if a child/parent doesn’t consent to them being monitored in school?
As above, consent is not normally seen as being required. It is important to explain the need to monitor children in school and the reasons why. The ICO gives guidance on the lawful basis for processing information. See: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/
The reasons are likely to be a combination of public task (for maintained schools), legitimate interests (for independent schools and other organisations), to deliver a contract (for independent schools and other organisations) and the organisation’s legal or contractual obligations, including for safeguarding of children, vulnerable adults and/or employees.
If you have any further questions regarding this document or any other queries regarding NetSupport School, please contact us.
|General enquiries||Sales enquiries||Technical support|
|+44(0)1778 382270||+44(0)1778 382270||+44(0)1778 382272|