GDPR Statement

This document serves as Pebble’s public statement on GDPR and how the Policies and Procedures that have been implemented and executed by Pebble benefit our customers and those whose data is processed.

The biggest change to UK data privacy law comes into effect on 25th May 2018

GDPR, or General Data Protection Regulation, governs the collection, purpose and storage of personal data concerning EU citizens by organisations.

This change is a giant leap towards each individual having greater control over their personal data, and how it is used. Ultimately, this will mean greater protection and privacy for you.

What this means for our Relationships with Schools and other Organisations

When you choose to engage Pebble as a data processor by utilising one of the systems on offer, as the Data Controller you agree for Pebble to perform certain processing activities on your behalf. The GDPR specifies that the relationship between Data Controller and Processor needs to be in writing; under Article 28, electronic forms of this acceptance are applicable. Our Terms & Conditions and Privacy Policy serve as this electronic data processing contract.

Current customers of our Fund Manager & Joinos For Parents solution will require full data to be held for the minimum period of 7 years for financial audit requirements. Following this, if individuals submit right to erasure requests, data can be pseudonymised unless there are mitigating legal requirements. Pseudonymisation can be achieved through functionality within the software.

Pebble’s Responsibilities and Commitments

  • Pebble will keep your data safe and private

  • Pebble will never sell your data

  • Pebble will process your data, only with agreement from the Data Controller

  • Pebble will operate Privacy by Design to safeguard personal data

  • Pebble will adhere to the new Data Protection Bill which will replace the current Data Protection Act 1998


Information about Pebble’s Products and Services

Fund Manager

Purpose: Financial Management

Data Location: London, UK

Host: AWS

The data in Fund Manager is controlled by the customer and the integrations into the system (MISApp, ParentPay, sQuid). The customer controls all data including the data that comes from integrations with 3rd parties.


Data is held in a secure data centre in London hosted by AWS. Access to the system is available via https and ssh. Https is used for our clients to connect to the application and ssh is used so that our developers can build and improve the system.

The personal data held within Fund Manager consists of:

  • Pupil Name

  • Pupil UPN

  • Pupil Class and Year

  • Parent/Guardian Contact Name(s)

  • Address

  • Postcode

  • Phone Number

  • Email Address

  • MISID

  • GUID

This data is processed to provide organisations a tool to reconcile and report upon transactional information. Personal data is required for reporting purposes, ensuring outstanding balances can be calculated, and so purchases can be applied to the correct persons. This data is required for a minimum period of 7 years to meet financial audit requirements.

Joinos for Parents

Purpose: ePayments and School Meals

Data Location: London, UK

Host: AWS

The data in Joinos is controlled by the customer and our integrations into the system (Fund Manager). The customer controls all data including the data that comes from integrations with 3rd parties.

Data is held in a secure data centre in London hosted by AWS. Access to the system is available via https and ssh. Https is used for our clients to connect to the application and ssh is used so that our developers can build and improve the system.

The personal data held within Joinos for Parents consists of:

  • Parent / Guardian Name

  • Address

  • Postcode

  • Email Address

  • Phone Number

  • Child’s Name

  • Files (uploaded by the customer via Fund Manager)

The data is processed to allow schools to send out school meal, trip and other purchase offers to parents / guardians. Personal data is required so parents / guardians can pay for goods and services provided by the school, and so purchases can be applied to the correct persons. This data is required for a minimum period of 7 years to meet financial audit requirements.

MISapp

Purpose: MIS Data Sync with Fund Manager

Data Location: N/A

Host: N/A

MISapp is used for the secure transportation of data from an organisation’s MIS system (SIMS) to Fund Manager. The data is owned by the customer who has full control of the information transferred from SIMS to Fund Manager. MISapp is usually installed on an organisation’s SIMS server and uses a secure method to update personal information within Fund Manager on a daily basis.

The personal data transferred from SIMS to Fund Manager via MISapp consists of:

  • Pupil Name

  • UPN

  • Class

  • Year

  • Parent / Guardian Contact Name

  • Address

  • Postcode

  • Phone

  • Email

  • Pupil Premium

  • Free School Meals

The data is transferred between SIMS and Fund Manager to ensure pupil and parent details are up-to-date and reflect any changes made to SIMS. MISapp does not hold any data itself and is used as a secure alternative to CSV upload. The application code is certified using a Globalsign certificate.

Information about Integrations and Suppliers

There are a number of 3rd party integrations within Fund Manager. Please see each organisation link for their GDPR information:

Integrations are used to enhance the products and services we offer and improve the ways our customers transfer their data between different systems.

Information about your School and Individual School Contacts

Pebble holds personal information about customers to enable us to deliver and support the products and services we offer. Please see below for GDPR and privacy information from the organisations we utilise:

Personal information stored within 3rd party products is audited on a regular basis and access is restricted to specific roles within the company.

For more information regarding Pebble’s GDPR policies and procedures or for any Data Protection concerns or requests please contact data@mypebble.co.uk

Frequently Asked Questions

Below we have outlined key questions that Schools will have regarding Pebble and GDPR compliance, many of which may address topics required for you to complete a detailed data register.

  • Is Pebble the Data Processor or the Data Controller?

    • Primarily, Pebble is the Data Processor when you engage our products to manage your customers and perform data processing tasks using Fund Manager and Joinos.

(Note - Pebble is also the Data Controller regarding data we collect on our customers to be able to provide Software as a Service products, this data is held to allow us to fulfill our contractual obligations to our customers.)

  • Where does data processed by Pebble come from?

    • Data processed by Pebble comes from the Data Controller (the school) or other Data Processors (agreed Third Parties) that ultimately receive the data from the Data Controller.

  • What data is used by Pebble?

    • Pebble processes data of both a personal and financial nature

  • Why is this data held?

    • Pebble holds and processes this data to allow the Data Controller the ability to utilise software purchased by the Controller.

  • Where is data held by Pebble?

    • Data is held by Pebble in England, and is not transferred outside of the EEA (European Economic Area).

  • Can the data be shared with others?

    • Data will only be shared with the consent of the Data Controller

  • For how long will the data be retained?

    • Pebble will not hold data for longer than is necessary according to Information Commissioner's Office Guidelines

  • Can Pebble provide Subject Access?

    • Yes, Pebble will always provide Subject Access as enforceable under GDPR, including if a Subjects data is being processed, and the extent to which it is being processed.

  • Does the system contain personal data?

    • Pebble processes personal data including but not limited to names, identification numbers and location data.

  • Does the system contain sensitive data?

    • Pebble does process sensitive data, as information can concern Minors.

  • Can a child or teacher’s data be anonymised/erased?

    • Data can be anonymised upon request.

  • How is data anonymised/erased?

    • Data can, first and foremost, be easily anonymised by the Data Controller who has access to the software, any further removal of data can be done by Pebble upon request as per ICO guidelines.

Please issue any Data Protection concerns or requests to data@mypebble.co.uk

What should your School be doing for GDPR?

GDPR is built upon fundamental principles that are already in the current Data Protection Act (DPA), as such, if you are complying with current law as expected then much of this will remain valid under GDPR and provides a great starting point upon which to strengthen.

There are new elements and enhancements under GDPR, so there are definitely new processes and policies required. Specific guidance for schools and educational bodies implementing GDPR compliance is available on the ICO website, however below are a few key points you will want to assess sooner rather than later.

  • Ensure key decision makers are aware GDPR is coming into effect, and register with the ICO

  • Appoint a Data Protection Officer (DPO), or be appointed one by your Local Authority

  • Conduct a data audit to identify what data you hold, and where it came from

  • Identify how and when data is transferred, shared or processed, and whether this operates internationally

  • Review how data consent is gained, held and managed; and how you verify individuals’ ages and to obtain parental or guardian consent

  • Identify how data breaches are detected, managed and reported to the ICO

  • Implement procedures to comply to individuals rights, such as the right to erasure

  • Implement appropriate measures to integrate data protection into your processing activities

  • Identify and document the legal basis for you to process data and update any Privacy Policies to include this.

  • Ensure all Data Processors you collaborate with are GDPR compliant and seek information such as this as validation

  • Visit https://ico.org.uk/for-organisations/education/ for further information