NetSupport School and GDPR Compliance

Introduction

The EU General Data Protection Regulation (“GDPR”) comes into force across the European Union on 25th May 2018 and brings with it the most significant changes to data protection law in two decades. Based on privacy by design and taking a risk-based approach, the GDPR has been designed to meet the requirements of the digital age.

NetSupport School provides the ability to orchestrate and deliver lesson content, work collaboratively and monitor student PCs, ensuring that student attention and focus are maintained at all times.

A NetSupport School installation processes personal data and as such, is impacted by GDPR. This document will provide you with all the information you need relating to the NetSupport School product to ensure that personal data is processed in accordance with GDPR.

How does NetSupport School process Personal Data?

NetSupport School is a classroom management and collaboration tool. The product has a student module that is installed on the students’ machines. The student module interacts with and monitors the use of the computer. The student module then sends this data directly to the NetSupport School Tutor or Tech console. The data is transmitted using NetSupport’s proprietary protocol, which includes encrypting any data sent across the network. Any data is then processed and displayed at the Tutor or Tech console.

The NetSupport School product does not store any personal data in any database or data files automatically; however, the Tutor and Tech consoles can both be used to save some personal data, as described below.

Where is the Personal Data stored?

NetSupport School does not store any personal data automatically. Any of the personal data processed by the NetSupport School application is only available during the current Tutor or Tech console session unless the data is saved by a manual action initiated by the user of the Tutor or Tech console application.

The NetSupport Tutor application has a student register feature that allows the Tutor to initiate a collection of data from the student machines. If the user of the NetSupport School Tutor chooses to save the student register, the personal data associated with the student register is saved to a comma-separated values (CSV) file in the location specified by the user.

The NetSupport Tutor application has a feature to monitor and record the audio from any microphone attached to the student machine. The Tutor console can save this audio to an audio file, and the user is prompted for a location and name to store the file.

The NetSupport Tutor application has a feature allowing the Tutor to view any websites visited by the student machines. This can display the URL and title of the page being displayed. This data is not stored but can be viewed during the current session on the Tutor console.

The NetSupport School Tutor and Tech console have the ability to view the screen of students. A screen capture image can also be saved to a file. This again is a manually initiated process, and the user is prompted for a location to store the image.

What Data is collected and stored?

The table below lists all of the personal information that is stored in the NetSupport School database.

| Name | Purpose | Legal Grounds | Sensitivity | Collection |
|---|---|---|---|---|
| Name | Identification | Legitimate interests | Personal Data | Automatically collected |
| Logon Name | Identification | Legitimate interests | Personal Data | Automatically collected |
| Class | Identification | Legitimate interests | Personal Data | Optional Data |
| Student ID/No | Identification | Other | Personal Data | Optional Data |
| Screen Capture | Student Monitoring | Other | Sensitive Data | Optional Data |
| Accessed URL | Student Monitoring | Other | Personal Data | Optional Data |
| Title of Accessed URL | Student Monitoring | Other | Personal Data | Optional Data |
| Audio Capture | Student Monitoring | Other | Sensitive Data | Optional Data |
| Keyboard Capture | Student Monitoring | Other | Sensitive Data | Optional Data |

NetSupport School and the GDPR Data subject rights

GDPR defines 8 rights of the individual with regard to the processing of personal data. Part of complying with the new regulations is to ensure that you can comply with these individual rights. In this section we explain each right and how it affects the NetSupport School product.

The right to be informed

Individuals have the right to be informed about the collection and use of their personal data. This is a key transparency requirement under the GDPR. For further information and guidance see https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-be-informed/

The NetSupport student module displays a student toolbar. This toolbar clearly displays the restrictions and monitoring that are taking place on the student PC. However, we would also recommend that you have in place an Acceptable Use Policy and privacy policy that clearly define what is being monitored on your computers.

The right of access

Under GDPR, individuals have the right to access their personal data. This allows individuals to be aware of and verify the lawfulness of the processing.

See https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-of-access/

The NetSupport School product does not automatically store any personal data once the active monitoring session has ended. As such, the product does not have any facility to collate information on a specific individual. If you are saving data from the product to electronic files on a file system, then we recommend that you define a data retention policy for this data and that you have procedures in place to provide data to the data subject if requested.

The right to rectification

Under Article 16 of the GDPR, individuals have the right to have inaccurate personal data rectified. See https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-rectification/

As the NetSupport School product does not store any personal data beyond the active session, there is no facility to edit stored data. Any data saved manually is in standard electronic formats.

The right to erasure

Under Article 17 of the GDPR, individuals have the right to have personal data erased. This is also known as the ‘right to be forgotten’. The right is not absolute and only applies in certain circumstances. For information on when this right is applicable see the ICO guidance at https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-erasure/

As the NetSupport School product does not store any personal data beyond the active session, there is no facility to delete stored data.

The right to restrict processing

Article 18 of the GDPR gives individuals the right to restrict the processing of their personal data in certain circumstances. The right is not absolute and only applies in certain circumstances. In most cases you will not be required to restrict an individual’s personal data indefinitely, but will need to have the restriction in place for a certain period of time.

See https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-restrict-processing/

If you need to temporarily stop monitoring a specific student machine, you can exclude a machine from a specific class.

The right to data portability

The right to data portability only applies:

  • to personal data an individual has provided to a controller;
  • where the processing is based on the individual’s consent or for the performance of a contract; and
  • when processing is carried out by automated means.

See https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-data-portability/

As the NetSupport School product does not store any personal data after the session is ended, this would not apply.

The right to object

The guidance from the ICO states that:

“Individuals must have an objection on ‘grounds relating to his or her particular situation’. And that you must stop processing the personal data unless, you can demonstrate compelling legitimate grounds for the processing, which overrides the interests, rights and freedoms of the individual”.

See https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-object/

In the case of NetSupport School, monitoring students in education is classed as compelling legitimate grounds for processing.

Rights in relation to automated decision making and profiling

The GDPR has provisions on:

  • automated individual decision-making (making a decision solely by automated means without any human involvement); and
  • profiling (automated processing of personal data to evaluate certain things about an individual). Profiling can be part of an automated decision-making process.

See https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/rights-related-to-automated-decision-making-including-profiling/

The NetSupport School product does not perform any automated decision making.

Some common Questions

Is NetSupport the data processor or the data controller?

For a customer using NetSupport School, NetSupport does not have access to any school’s data. Once the product is installed, all of the data is stored locally on the school’s servers. Therefore, within the context of NetSupport School, NetSupport is neither the data controller nor the data processor.

Is the school the data processor or the data controller within the context of NetSupport systems?

For users of NetSupport School, schools remain the data controller of their own data on the system.

Does NetSupport School process Personal Data?

Personal information associated with individual students and staff is processed by NetSupport School; therefore, the rules of GDPR apply to its use. NetSupport School does not automatically store any personal data. If the user of the product manually saves any data, then the location of this data is defined by the user of the product.

Does NetSupport School process Sensitive Data?

Screen capture data, audio capture data and keyboard monitor data are all collected by the NetSupport School product. Due to the possible nature of this data, it could contain sensitive data, and as such we recommend that this data be treated as sensitive data.

Do I need to get consent from all staff and pupils before I can monitor them in school with NetSupport School?

No – You do, however, need to give a clear notification that there is a monitoring system in place. This notification should explain that NetSupport School will record what they type and do, so staff and pupils understand what is monitored for safeguarding or training purposes. Schools should very clearly state why it’s necessary to monitor students’ access (and, where applicable, that of staff) and how that data will be processed, stored and deleted.

What if a child/parent doesn’t consent to them being monitored in school?

As above, consent is not required. It is important to explain the need to monitor children in school and the reasons why. The ICO gives guidance on the lawful basis for processing information. See: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/

The reasons will be a combination of public task (for maintained schools), legitimate interests (for independent schools) and the school’s legal or contractual obligations, including for child safety.

 

If you have any further questions regarding this document or any other queries regarding NetSupport School, please contact us.

| Sales enquiries | Purpose | Technical support |
|---|---|---|
| +44(0)1778 382270 | +44(0)1778 382270 | +44(0)1778 382272 |
| press@netsupportsoftware.com | sales@netsupportsoftware.com | support@netsupportsoftware.com |