- What personal information is being collected by PCSchool
- With whom the information may be shared
- What confidentiality procedures are in place to protect the loss, misuse, or alteration of information under the company’s control
- How the information is used
- PCSchool’s software Compliance with the Australian Privacy Principles
- Client School Obligations under this policy
What personal information is collected?
PCSchool gathers information voluntarily provided by you both in written form and electronic form via the Website or email. The information includes
- School contact information
- School Staff contact information
- External login credentials where appropriate for external support of PCSchool
- Backups of school database for the purpose of testing and/or fault finding. This data includes
- Caregiver, Staff and Student demographic data
- School financial data
- Caregiver, Staff and Student personal data
- Unless permission is granted to PCSchool, no disclosure of any individual’s or organisation information will be made available.
- Initial sales and support requests via email, web site or telephone are passed on to the appropriate personnel.
- From time to time it may be necessary for PCSchool to access a client’s PCSchool web portal. PCSchool warrants the non-disclosure of any staff, student, family, or financial information available through that portal.
- From time to time, and only with the express permission of the school, PCSchool may seek to use a school’s PCSchool portal by way of demonstration. Under these circumstances express permission must be gained, and content of the demonstration will be of a general nature ensuring that no sensitive or personal data will be exposed.
All information about PCSchool clients is strictly confidential and not released to anyone outside of PCSchool and our direct business partners for any purpose, other than pertaining to servicing our customer base, unless permission is granted. PCSchool manage client information in the following ways:
- All client files received are stored in a secure folder on our network and are deleted upon completion of work.
- Under no circumstances is any paper relating to a client’s data, to be taken from the premises of PCSchool other than to the client site.
- All paper material containing any client information is destroyed in a secure manner.
How the information is used
We use this information to:
- Provide client sales and support to our client organisations
- Inform client organisations via post and email of updates, and events
PCSchool Software Compliance with the Australian Privacy Principles
The PCSchool software suite complies with the guidelines (March 2014) specified in the Australian Privacy Principles under the Privacy Act 1988 in that the information stored within PCSchool:
- is accurate, subject to due diligence on the part of the organisation utilising the software. It is regularly updated through the normal business process and as such is a trusted source of that information.
- is solely for the purpose of education and the business requirements associated with that endeavor and as such is relevant to the task for which the business is operated.
- is sensitive to the request of the individual in areas such as:
- photo publication privacy
- publication of contact details in organisational publications
- is secured either within the local organisational network, or on the cloud. Transport of information across the web is via https and as such is protected by the securities provided by this standard.
- is protected at rest subject to the security protocols implemented by the host organisation using the software. This protection, where locally hosted falls outside the scope of PCSchool’s assurances, and is therefore reliant on the schools:
- internal ICT security
- access security protocols
- physical security
- internal practices and systems
- school governance and training in these areas
- is protected by a granular user security platform embedded within the software. This security setup is subject to satisfactory allocation of securities by the school itself however as shipped all users are denied access absolutely. Users will be restricted to access data based on the securities they have been provided within the organisation. Where appropriate internal embedded and default securities ensure that information appropriate to a teacher or officer of the organisation is not by default made available to caregivers or students, and that information made available to caregivers or students is confined to that individual and non-shareable with other caregivers or students.
- where particularly sensitive, e.g. medical, guidance, financial details, and secure comments that this data is stored in an encrypted format so that it will only be available via the PCSchool interface and as such is protected from any breach of access directly to the database files.
- where stored on the cloud, or hosted locally, is subject to permanent removal and deletion as directed by the school utilising that software.
Policy Specific to the PCSchool App
The PCSchool App provides remote access to
- Student data including
- Attendance details
- Subject data along with assessment results
- Caregiver details inc
- Names and contact details
- Notification of student absence
- Staff details
- Contact details
- Subjects taught
- Generic School Calendar data
All data and images transmitted through the app is based on data stored within the PCSchool School Management Platform and deemed appropriate for all users of the app including children.
Data transmitted to the individual app is via https transfer. Schools are required to utilise https certificated traffic.
Data relayed to staff is controlled by the embedded security level of that staff member and is in accord with securities set in the centralised PCSchool software package.
The app requires staff to log in to enable access to personalised data. To limit the access to personalised data staff are required to use a 4-digit pin each and every time they wish to access student or caregiver data.
Students are required to login to the app via username and password. Once access is gained, they will be confined exclusively to their own data. There are no search facilities for them to browse another student. Data available will be restricted by the app based on the logged in student and the security settings within PCSchool.
Caregivers are required to login to the app via username and password. Once access is gained, they will be confined exclusively to students within their family. There are no search facilities for them to browse other students. Data available will be restricted by the app based on the logged in parent, their access rights to specific students, and the security settings within PCSchool.
Roles and Responsibilities of Client Schools
Client Schools using PCSchool must acknowledge their responsibilities to protect the privacy of the data held within PCSchool. These responsibilities relate to
- Maintenance of an operational software system ensuring
- Minimum down time
- Tailored security access built around a strong password policy
- Regular review of internal PCSchool security to ensure it reflects the currency of the role of the individual.
- Regular backup policy, including regular testing of the potential retrieval of the database
- Secure storage of backup including
- Depth of backup e.g.
- Offsite secure storage
- Protection of data security with backups at rest
- Secure storage and very limited availability of system passwords associated with PCSchool
- Immediate reporting of vulnerabilities and breaches of the security of the database.
- Reduced access to the SQL backend database except through, and controlled by, PCSchool’s internal or API security system. Such external access makes available to outside sources all aspects of data stored within the PCSchool system.
- Ensuring the security and availability of backup data at rest. Such data can be stored as SQL backups, including server image backups, as well as exported plain text backups. Schools must have policies in place to ensure the security and limited access to this “at rest” data and should implement policies around its scheduled destruction when no longer relevant.
- Schools should ensure that staff are aware of the school’s internal security policies as they relate to
- Protection of staff login credentials
- Autocompleting of passwords on machines that may be available to other members of the school community.
- Display of sensitive data on public screens or white boards
- Leaving systems logged in to sensitive data
- Immediate reporting of breaches or vulnerabilities relating to system security.
- Security associated with storage and eventual disposal of data output, either as reports or downloads, recognising the ongoing obligations to stakeholders re data security and protection.