School Software Company (SSC) are the providers of Sleuth and process data on behalf of the school (data controller) to track the behaviour and personal development progress of their pupils.
The following information provides an overview of where Sleuth fits within the GDPR framework. Please do contact us if you have any specific questions, we are very happy to support schools to plan and meet their obligations as data controllers.
We process data for you because you requested us to do so within the terms and conditions of a contractual agreement. We do so lawfully and in a fair and transparent manner, limiting our processing only to what is relevant and adequate for the purposes of providing our products and services for your use.
This graphic highlights the key roles defined by GDPR and how they apply to Sleuth. Each role is described in more detail below.
The school determines why, how and what personal data will be processed using Sleuth. A contract between the school and SSC will set out the details of how Sleuth processes personal data to comply with GDPR. The school chooses how to populate Sleuth with personal data and decides which events and details it wishes to track about data subjects. The school is responsible for authorising access to Sleuth for staff. Schools may also wish to authorise access to parents and/or pupils.
SSC processes personal data on behalf of the school using the Sleuth application. As providers of Sleuth, SSC will process personal data fairly, lawfully and in a transparent manner only using it for specified and legitimate purposes. Appropriate security will be in place to protect personal data held in Sleuth. SSC will not keep personal data any longer than is necessary.
The data controller may choose to use the Sleuth Importer software tool to synchronise census data in Sleuth with data in their MIS. The Sleuth Importer uses a third-party product called Xporter provided by an SSC partner, Groupcall, who are therefore a sub-processor of personal data. SSC will ensure Groupcall's GDPR compliance.
Personal data about staff, students and parents is held in Sleuth for accurately tracking involvement in events, for communication and for controlling access to Sleuth. For a more detailed description of the personal data held about each data subject please contact us or refer to your Sleuth contract.
Sleuth data is held on servers in physically secure datacentres with server support 24×7. The data is held encrypted at rest in both the database and file storage areas. The Sleuth servers are on their own private network behind a firewall.
The school controls who has access to Sleuth. A small group of trained key-users have access to the Sleuth Administrator menu to manage Sleuth login details. There are three types of user access: for staff, parents/carers and pupils. Parents can only see select information explicitly shared with them about their children. Pupils can only see select information about themselves that the school have chosen to share via the MySleuth module.
In addition to controlling user accounts, a school can also specify an IP range or specific IP addresses to prevent access to their Sleuth database from unidentified PCs. This can restrict access to only the PCs within school, for example.
For support and data administration purposes, trained senior SSC staff have access to Sleuth databases, only permitted through restricted IP addresses.
SSC will only process data for a school for as long as a contract is in place to do so. Tools are available in Sleuth for schools to extract and save any information they wish to retain once their contract ends. Up to one month after the end of a contract the data held in Sleuth is archived and then permanently destroyed after six months.
Return to GDPR Compliance page.