We know that it is important for you to understand where your data is and what it is used for. This is an essential part of a school’s obligations as a Data Controller under GDPR. The purpose of this article is to explain how we treat your data in RM Unify so that you can be confident of meeting your obligations under GDPR.
Data into RM Unify from MIS and Active Directory
In order to provision accounts to cloud apps and provide users with SSO (Single Sign On), RM Unify extracts data from your MIS and Active Directory and stores it in the cloud. The data collected depends on which data sources you have chosen to connect:
- MIS only (MIS Create-mode or CSV with MIS linking)
- Active Directory only (via AD Sync)
- MIS and Active Directory (e.g. AD Sync with MIS linking)
We store a set of user attributes in RM Unify from these data sources but we only store the user data that we need. Parent/carer-student relationships are stored, for example, if this data is available, to allow schools to provision accounts for parents and carers. We do not store any other data related to a student's home, however, such as their home address, as RM Unify does not need this data.
In some cases we always collect a particular attribute, for example User Role. Other attributes are optional depending on whether the data is available from the particular source, for example Surname from the Active Directory or D.O.B. from the MIS.
A full list of all of the user attributes that we hold in RM Unify and which attributes should be considered as personally identifiable (PII) data is available in the TEC article.
Data held in RM Unify
User data held in RM Unify is stored securely. All user data is encrypted within our databases in Microsoft's European Azure datacentres and only accessed through encrypted connections to ensure that data is protected from any unauthorised access or interference.
Data out from RM Unify to Apps (Including G Suite and O365 Productivity Platforms)
As an RM Unify Admin you decide what apps to connect. As part of the app installation process, RM Unify Admins are required to review and accept each app's individual data requirements. During the process we remind you of the significance of connecting the app and at the same time clearly display the data release policy. This helps you to meet your obligations under GDPR by ensuring that you can be clear about any data that will be shared with an app. We keep a record of all app sign-ups for auditing purposes and we will only share data that you have explicitly given permission to release.
Full details of the processes described here can be found in the related TEC article which in turn links out to related documents.