Data sharing agreement

1. Parties to the agreement
2. The purpose of the ESAS website gathering data
3. Organisations involved in processing data
4. What types of data may be processed
5. Special category data
6. The lawful basis for processing data
7. Subject access rights in relation to personal data
8. Governance arrangements
9. Contact details for further information

1. Parties to this agreement

This agreement is between Your Organisation and Rape Crisis Scotland (RCS). RCS has developed the Equally Safe at School website and will continue to own, develop and manage it. This means that RCS is the ‘data controller’ under the Data Protection Act 2018 (hereafter ‘The Act’) in relation to any personal data processed by the website. (See section 5 for details of types of data processed.) Your Organisation is a Data Processor in respect of The Act.

2. What is the purpose of data sharing?

The overarching aim of the ESAS website is to contribute to the promotion of gender equality and the prevention of gender-based violence. The specific purposes for which data will be processed by the website are as follows:

• To enable schools to use interactive tools to undertake ESAS activities, including entering and uploading of data relating to their progress and to support internal planning and communication.
• To enable RCS to monitor usage of the website
• To enable RCS to analyse data to monitor progress towards its funded outcomes
• To enable the University of Glasgow as the ESAS research partner to undertake evaluation of ESAS
• To enable RCS to provide individualised support schools from time to time, as agreed with them.

3. Organisations involved in the data sharing

In addition to RCS, other organisations involved in data sharing include Your Organisation, the host and developer of the website ‘fuzzylime’ and the University of Glasgow.

Your Organisation

This agreement is made by Your Organisation’s Designated Lead for ESAS who is a member of the Senior Leadership Team. As the signatory to this agreement you give consent for RCS to gather, hold and process data relating to Your Organisation’s participation in ESAS in accordance with the provisions of this agreement, and you confirm that Your Organisation as a data processor will comply with the provisions of The Act in your use of the website. Your Organisation or Local Education Authority will also have its own Data Protection policy which governs handling of personal data by employees.

In addition, Your Organisation undertakes to ensure it has appropriate consents to obtain, upload and/or share any images of students or staff, with consideration to the subject matter of ESAS and potential sensitivities or concerns young people may have in the present or future about being associated with any such activities. If Your Organisation wishes to share examples of its activities on the ESAS website it will be asked to confirm it has appropriate consents in relation to any data subjects.

fuzzylime

fuzzylime is the ESAS website developer and host and has access to data to enable it to operate in a support capacity. As such, it is a data processor under The Act and is responsible for ensuring the security of personal data held within the ESAS website.

You can access fuzzylime’s data processing policy including details of security measures at https://www.fuzzylime.co.uk/gdpr/.

The University of Glasgow

The University of Glasgow is the research partner to ESAS and has access to statistical data for analysis, research and evaluation activities. As such it is a data processor under The Act.

4. What types of data will be shared?

The my esas section of the website enables schools with an ESAS account to enter and upload data relating to their progress and to support internal planning and communication.

This will include information about Your Organisation’s activities, and it may also include a small amount of ‘personal data’ as defined under The Act – this is information that relates to an identified or identifiable individual. The key types of personal data are:

• Student school email addresses
• Names of students in relation to tasks, roles or activities relating to ESAS.
• Any information included in files uploaded by staff users

Sections of the website where data may be held

• Monitoring & Evaluation Surveys and Self–Assessment Focus Group Materials

The surveys within the Monitoring & Evaluation section are for use with staff and students, to gather information such as perceptions of issues relating to GBV, experience of sexual harassment and confidence in challenging or reporting GBV. The surveys are for anonymous completion and consist of scale or multiple-choice fields – there are no free text fields into which comments or personally-identifying information can be entered.

They will certain gather demographic data (completion of these fields is optional) though schools themselves will only be able to view the student surveys by gender and year group (with a minimum subset of 30 people), and the staff surveys by gender, so that no individuals will be able to be identified internally. RCS and the University of Glasgow will have access to the full dataset for the purposes listed above. It is very unlikely that an individual could be identified on the basis of demographic data as RCS and University of Glasgow will be operating remotely from schools. See section 5 for further information.

Overall findings may be shared externally but no schools or individuals will be identifiable within these findings.

Within the Self–Assessment section there are also template focus group materials which schools can use to explore staff and student perspectives in more detail. The materials focus on perspectives and attitudes relating to gender equality and GBV. There is a space on the website for schools to record key findings and guidance states that no individuals should be identifiable.

The Self-Assessment and Monitoring & Evaluation sections include guidance on their use and explanatory information for schools, staff and students to explain the purpose of the surveys and focus groups, what kind of data will be gathered and how it will be used.

• The Staff-Student Action Group

The purpose of this section of the website is to enable a small group of students and staff appointed by the Designated Lead to develop and undertake actions to address key priorities.

Student email addresses may be held within this section and there is a message board for group communication which will contain any information posted by action group members.

There is also an action plan for the group to note key actions and progress towards these, and a space to upload relevant files– such as photos, videos, word documents or presentations. Only staff will be able to upload files, so that they can ensure this complies with Your Organisation’s Data Protection policy.

• Other sections

There are other sections within my esas where school management and staff (but not students) can upload text and other files which may in principal contain personal data. As noted below the Designated Lead must undertake to comply with the Act in their use of the site as a condition of registering an account.

People in Your Organisation having access to data

The Designated Lead will have access to all areas of Your Organisation’s ESAS account and all data held therein.

Other staff will have to access certain sections of the website and be able to enter and to view data. The Designated Lead can also nominate staff members as Team Leads to administer and enter data into the Action Group section.

Students taking part in the action group will have access to the Action Group section (their access can be enabled by the Designated Lead, or Action Group team leads).

5. Special category data

Data gathered through the student survey may in very limited circumstances qualify as Special Category data. This is because the survey collects demographic information relating to ‘racial or ethnic origin’, and ‘sexual orientation’ and asks questions which may qualify as relating to ‘sex life’ as categorised by The Act. If this were personal data (data which identified an individual) it would qualify as Special Category data. However the surveys are anonymous and the possibility of an individual being identified from demographic data is very unlikely. RCS as the data controller, and University of Glasgow and Fuzzy Lime as data processors will have access to the survey data, but are remote from schools and therefore unable to connect demographic data with individuals. Schools will not have access to the full data; they will only be able to view by gender and year group with a minimum subset of 30 people so would be unable to identify an individual. There is the remote possibility that in the event of a data breach individuals could be connected to demographic data, but this is judged to be very low risk.

With reference to Article 9 of the Act, RCS meets the condition for processing any data which may constitute Special Category data as a not-for-profit organisation.

6. Lawful basis for data sharing

With reference to Article 6 of The Act, RCS has a legitimate interest in processing personal data (including any data which may qualify as Special Category data) in the pursuance of the aims of ESAS (to promote gender equality and prevent gender-based violence) and RCS’s charitable purposes.

7. Individual subject access rights

Under the Act RCS is obliged to observe certain rights of individuals in relation to their personal data. Data subjects have the following rights:

• to request information about what personal data RCS processes, how and on what basis.
• to access their own personal data by way of a subject access request.
• To correct any inaccuracies in personal data.
• to request that RCS erase personal data where we were not entitled under the law to process it or it is no longer necessary to process it for the purpose it was collected.
• While data subjects are requesting personal data is corrected or erased or are contesting the lawfulness of processing, data subjects can apply for its use to be restricted while the application is made.
• Data subjects have the right to object to data processing where RCS is relying on a legitimate interest to do so and data subjects think their rights and interests outweigh our own and they wish us to stop.
• Data subjects have the right to object if we process personal data for the purposes of direct marketing
• Data subjects have the right to receive a copy of their personal data and to transfer personal data to another data controller. We will not charge for this and will in most cases aim to do this within 30 days.
• With some exceptions, data subjects have the right not to be subjected to automated decision-making.
• Data subjects have the right to be notified of a data security breach concerning their personal data.
• In most situations, RCS will not rely on consent as a lawful ground to process personal data. If we do however request consent to the processing of personal data for a specific purpose, data subjects have the right not to consent or to withdraw consent later.
• Data subjects have the right to complain to the Information Commissioner. Data subjects can do this by contacting the Information Commissioner’s Office directly. Full contact details, including a helpline number, can be found on the Information Commissioner’s Office website (www.ico.org.uk). This website has further information on data subjects’ rights and RCS’s obligations.

To exercise any of these rights Data Subjects should contact RCS on 0141 331 4180, info@rapecrisisscotland.org.uk or by writing to us at Rape Crisis Scotland, Abbey House, 10 Bothwell Street, Glasgow, G2 6LU. Please mark your query for the attention of the Data Protection Officer.

8. Information governance arrangements

All parties’ handling of personal data is governed by their respective Data Protection policies.

RCS may share names of schools participating in ESAS with leaders and key partners in their local authority, as well as with their local Rape Crisis centre, but will not otherwise share any data that would identify a school with any other party, or share any personal data, unless:

• It is required to share information with statutory bodies in accordance with its Child or Vulnerable Adult Protection obligations.
• Your Organisation gives its consent to such sharing

RCS will retain Your Organisation’s data as long as Your Organisation maintains its ESAS account. Should Your Organisation wish to close its account, RCS may retain data for the period of time required to completing monitoring activities (usually the lapse of the current grant funding cycle). However Your Organisation may request RCS to delete all or part of its data at an earlier point and RCS will grant this request, except in relation to any data which forms part of a larger data set and does not identify Your Organisation or any data subjects. Should Your Organisation’s ESAS account remain inactive for a prolonged period, RCS may contact Your Organisation to ask if it wishes to retain the account. If no response is received after 3 attempts RCS may close Your Organisation’s account, and data relating to Your Organisation including any data relating to data subjects will be deleted within 12 months from the time of closing the account.

In addition, data subjects have specific rights in relation to personal data as set out in section 7.

9. Contact

For further information on any issue relating to data processing please contact Rape Crisis Scotland through the ESAS contact page or on 0141 331 4180.

Or to exercise any of rights relating to a Data Subjects please contact the Data Protection Officer at RCS on 0141 331 4180, info@rapecrisisscotland.org.uk or by writing to us at Rape Crisis Scotland, Abbey House, 10 Bothwell Street, Glasgow, G2 6LU.