Data Sharing Agreement

Schools registering for an Equally Safe At School (ESAS) account will be asked to accept the following Data Sharing Agreement when they do so. The Data Sharing Agreement, and any period updates that may be issued by RCS, can be accepted by any members of staff with ‘school management’ level account access. They will be asked to confirm that they have the permission of a member of their school’s leadership team to do so.

The Data Sharing Agreement explains key details including what data may be processed by Rape Crisis Scotland through the ESAS website, the purpose and lawful basis for processing it and which organisations are involved in processing, with reference to the Data Protection Act 2018.

Data Sharing Agreement
When schools register for an ESAS account they will be able to use the interactive tools to enable them to carry out and monitor ESAS activities. In doing so, they may enter data, some of which may constitute personal data under the Data Protection Act 2018 (hereafter ‘The Act’). Rape Crisis Scotland (RCS) will also be able to access data to help monitor progress against its outcomes. This document constitutes the Data Sharing Agreement between RCS and your school (hereafter ‘Your Organisation’.) Schools are asked to read and confirm their acceptance before they can register their ESAS account. A copy of the agreement will be available in the Senior Lead’s dashboard area of MyESAS.

The key details outlined in this document are as follows:

1. Parties to the agreement
2. The purpose of the ESAS website gathering data
3. Organisations involved in processing data
4. What types of data may be processed 
5. The lawful basis for processing data 
6. Subject access rights in relation to personal data 
7. Governance arrangements 
8. Contact details for further information

1. Parties to this agreement
This agreement is between Your Organisation and RCS. RCS has developed the Equally Safe at School website and will continue to own, develop and manage it. This means that RCS is the ‘data controller’ under The Act in relation to any personal data processed by the website. (See section 4 for details of types of data processed.) Your Organisation is a Data Processor in respect of The Act. 

2. What is the purpose of data sharing?
The overarching aim of the ESAS website is to contribute to the promotion of gender equality and the prevention of gender-based violence (GBV). The specific purposes for which data will be processed by the website are as follows:

• To enable schools to use interactive tools to undertake ESAS activities, including entering and uploading of data relating to their progress and to support internal planning and communication.
• To enable RCS to monitor usage of the website
• To enable RCS to analyse data to monitor progress towards its funded outcomes and to communicate externally about this
• To enable the University of Glasgow as the ESAS research partner to undertake evaluation of ESAS
• To enable RCS to provide individualised support to schools from time to time, as agreed with them.

3. Organisations involved in the data sharing
In addition to RCS, other organisations involved in data sharing include Your Organisation, the host and developer of the website ‘fuzzylime’ and the University of Glasgow.

Your Organisation
This agreement is made by Your Organisation’s Designated Lead for ESAS who is a member of the Senior Leadership Team, or who has been delegated authority to do so by them. As the signatory to this agreement you give consent for RCS to gather, hold and process data relating to Your Organisation’s participation in ESAS in accordance with the provisions of this agreement, and you confirm that Your Organisation as a data processor will comply with the provisions of The Act in your use of the website as relates to any data defined by The Act as personal data. Your Organisation or Local Education Authority will also have its own Data Protection policy which governs handling of personal data by employees.

In addition, Your Organisation undertakes to ensure it has appropriate consents to obtain, upload and/or share any images of students or staff, with consideration to the subject matter of ESAS and potential sensitivities or concerns young people may have in the present or future about being associated with any such activities. If Your Organisation wishes to share examples of its activities on the ESAS website it will be asked to confirm it has appropriate consents in relation to any data subjects. 

fuzzylime
fuzzylime is the ESAS website developer and host and has access to data to enable it to operate in a support capacity. As such, it is a data processor under The Act and is responsible for ensuring the security of personal data held within the ESAS website.
You can access fuzzylime’s data processing policy including details of security measures.

The University of Glasgow
The University of Glasgow is the research partner to ESAS and has access to statistical data for analysis, research and evaluation activities. As such it is a data processor under The Act.

4. What types of data will be shared?
The MyESAS section of the website enables schools with an ESAS account to enter and upload data relating to their progress and to support internal planning and communication. 

This will include information about Your Organisation’s activities, and it may also include a small amount of ‘personal data’ as defined under The Act – this is information that relates to an identified or identifiable individual. The key types of personal data are:

• Student school email addresses: these can be entered into the website by those with school management access in order to send students a link to the student survey. The ESAS website does not retain the students’ email addresses, and the survey responses cannot be linked to students’ email addresses. The website developer’s system retains a code to ensure the same student cannot complete the survey twice, but this cannot be linked back to the original email address.
• Staff email addresses: these can be entered into the website by those with school management access in order to set up staff ESAS accounts. This enables staff to access parts of the website including interactive sections where they may enter data relating to school activities and practice. Staff accounts are not intended to gather or process personal information about staff.
• Personal data as relates to staff and student surveys: 

The surveys within the Monitoring & Evaluation section are for use with staff and students, to gather information such as perceptions of issues relating to GBV, student experience of sexual harassment and confidence in challenging or reporting GBV. The surveys are anonymous and consist of scale or multiple-choice fields – there are no free text fields into which comments or personally-identifying information can be entered. Students access the surveys via a link sent to their email addresses, and staff access the survey through their ESAS account, but responses cannot be linked back to email addresses. 

The surveys gather some demographic data (completion of these fields is optional) though schools will only be able to view the student surveys by male and female gender and year group (with a minimum subset of 30 people), and the staff surveys by male and female gender (with a minimum subset of 5 people), so that no individuals will be able to be identified internally. RCS and the University of Glasgow will have access to the full dataset for the purposes listed above but would be unable to identify individuals.

There are also feedback surveys for staff following completion of the e-Module and in the enhanced staff training. Staff follow a link to complete these surveys and their responses cannot be linked to their email address. The surveys do not ask for any identifying information. Most questions are multiple choice but there are some free-text boxes for individual comments about the training. RCS reviews these for any identifying information before sharing this data with the University of Glasgow for use within their evaluation of ESAS. The survey responses are held on RCS’s intranet and can only be accessed by designated staff.

Overall findings may be shared externally but no schools or individuals will be identifiable within these findings.

• Self–Assessment Focus Group Materials:  Within the Self–Assessment section of MyESAS there are also template focus group materials which schools can use to explore staff and student perspectives in more detail. The materials focus on perspectives and attitudes relating to gender equality and GBV. There is a space on the website for schools to record key findings, and guidance states that no individuals should be identifiable.
  The Self-Assessment and Monitoring & Evaluation sections include guidance on how to use these parts of the website along with explanatory information for schools, staff and students on the purpose of the surveys and focus groups, what kind of data will be gathered and how it will be used.
• The Staff-Student Action Group:  The purpose of this section of the website is to enable a small group of students and staff appointed by the Designated ESAS Lead to develop and undertake actions to address key priorities. 
  There is an action plan for the staff to note key actions and progress, and a space to upload relevant files– such as photos, videos, word documents or presentations. Staff are asked to confirm that any data they upload complies with Your Organisation’s Data Protection policy.
• Other sections:  There are other sections within MyESAS where school management and staff can upload text and other files which may in principal contain personal data. As noted below the Designated ESAS Lead must undertake to comply with the Act in their use of the site as a condition of registering for an account.

People in Your Organisation having access to data 
The Designated ESAS Lead will have access to all areas of Your Organisation’s ESAS account and all data held therein. 

Other staff will have to access certain sections of the website and be able to enter and to view progress data. The Designated ESAS Lead can also nominate staff members as Team Leads to administer and enter data into the Action Group section.

6. Lawful basis for data sharing
With reference to Article 6 of The Act, RCS has a legitimate interest in processing personal data in the pursuance of the aims of ESAS (to promote gender equality and prevent gender-based violence) and RCS’s charitable purposes.

7. Individual subject access rights
Under the Act RCS is obliged to observe certain rights of individuals in relation to their personal data. Data subjects have the following rights:

• To request information about what personal data RCS processes, how and on what basis. 
• To access their own personal data by way of a subject access request. 
• To correct any inaccuracies in personal data.
• To request that RCS erase personal data where we were not entitled under the law to process it or it is no longer necessary to process it for the purpose it was collected.
• While data subjects are requesting personal data is corrected or erased or are contesting the lawfulness of processing, data subjects can apply for its use to be restricted while the application is made.
• Data subjects have the right to object to data processing where RCS is relying on a legitimate interest to do so and data subjects think their rights and interests outweigh our own and they wish us to stop.
• Data subjects have the right to object if we process personal data for the purposes of direct marketing.
• Data subjects have the right to receive a copy of their personal data and to transfer personal data to another data controller. We will not charge for this and will in most cases aim to do this within 30 days.
• With some exceptions, data subjects have the right not to be subjected to automated decision-making.
• Data subjects have the right to be notified of a data security breach concerning their personal data.
• In most situations, RCS will not rely on consent as a lawful ground to process personal data. If we do however request consent to the processing of personal data for a specific purpose, data subjects have the right not to consent or to withdraw consent later.
• Data subjects have the right to complain to the Information Commissioner. Data subjects can do this by contacting the Information Commissioner’s Office directly. Full contact details, including a helpline number, can be found on the Information Commissioner’s Office website. This website has further information on data subjects’ rights and RCS’s obligations.

To exercise any of these rights Data Subjects should contact RCS on 0141 331 4180, mailto:gdpr@rapecrisisscotland.org.uk or by writing to us at Rape Crisis Scotland, 2nd Floor, 134-138 West Regent Street, Glasgow G2 2RQ. Please mark your query for the attention of the Data Protection Officer.

8. Information governance arrangements 
All parties’ handling of personal data is governed by their respective Data Protection policies.

RCS may share names of schools participating in ESAS with partner agencies working towards GBV prevention. RCS may also share key details of schools’ progress with relevant officers in their local authority, as well as with their local Rape Crisis centre. RCS will not share any personal data processed by the ESAS website (with the exception of designated school management email addresses) unless:

• It is required to share information with statutory bodies in accordance with its Child or Vulnerable Adult Protection obligations.
• Your Organisation gives its consent to such sharing

RCS will retain Your Organisation’s data as long as Your Organisation maintains its ESAS account. Should Your Organisation wish to close its account, RCS may retain data for the period of time required to completing monitoring activities (usually the lapse of the current grant funding cycle). However Your Organisation may request RCS to delete all or part of its data at an earlier point and RCS will grant this request, except in relation to any data which forms part of a larger data set and does not identify Your Organisation or any data subjects. Should Your Organisation’s ESAS account remain inactive for a prolonged period, RCS may contact Your Organisation to ask if it wishes to retain the account. If no response is received after 3 attempts RCS may close Your Organisation’s account, and data relating to Your Organisation including any data relating to data subjects will be deleted within 12 months from the time of closing the account. 

In addition, data subjects have specific rights in relation to personal data as set out in section 7.

9. Contact
For further information on any issue relating to data processing please contact Rape Crisis Scotland through the ESAS contact page or on 0141 331 4180.
Or to exercise any rights relating to Data Subjects please contact the Data Protection Officer at RCS on 0141 331 4180, gdpr@rapecrisisscotland.org.uk or by writing to us at Rape Crisis Scotland, 2nd Floor, 134-138 West Regent Street, Glasgow G2 2RQ