SWIMPHONY LEGAL AND GDPR COMPLIANCE
The GDPR’s updated requirements are significant and our teams have adapted the Swimphony product offerings, operations and contractual commitments to help comply with the regulation. Measures we have implemented include:
- Audited and improved the security of the Swimphony Web Portals and Swimphony App
- Invested in and modified our security infrastructure
We continually monitor the guidance around GDPR compliance and update our product features and contractual commitments accordingly. Any updates will be published on this page and communicated to all customers and users via email.
Here are some of the frequently asked questions we receive in relation to data, data processing and GDPR. If you have any further questions, please send us an email to firstname.lastname@example.org
Swimphony processes pupil data for 2 specific reasons:
Firstly, we require pupil data to ensure that the swimming lessons that pupils attend are delivered in a safe and controlled environment that can be effectively planned and risk assessed by the swimming teacher. Secondly, we require pupil data to ensure that we can link the attendance and attainment data that is collected by Swimphony to the correct pupil. This ensures that schools are able to fulfil their obligation to publish year 6 national curriculum swimming outcome data, provides schools with the ability to identify pupils that might need additional support in their swimming lessons, and allows schools to reward the successful attainment of swimming skills, awards, and distances.
All Swimphony data is encrypted to Advanced Encryption Standard (AES) 256-bit. This standard of encryption is used when pupil and user data is stored at rest within our databases, and also when this data is in transit between the Swimphony database and the Swimphony Swimming Teacher App. AES 256-bit is one of the most secure encryption methods, and is used in most modern encryption algorithms, protocols and technologies including AES and SSL.
All Swimphony data is stored and processed within Europe (Dublin) using Amazon Web Services (AWS) to ensure compliance with GDPR. Amazon Web Services is a secure cloud services platform, offering compute power, database storage, content delivery and other functionality to millions of customers across the world.
Under GDPR, organisations must store data for the shortest time possible. That period should take into account the reasons why your organisation needs to process the data, as well as any legal obligations to keep the data for a fixed period of time. Therefore, Swimphony will automatically delete the personal and attainment data of all pupils 12 months after they have left year 6. This timeframe is provided to ensure that schools are given sufficient time to produce the national curriculum swimming outcome reports that they are obliged to publish on their school website for all year 6 pupils. It is important to note that schools are free to delete pupil data permanently from the database whenever they wish, but this data cannot be recovered if pupil data is deleted by mistake.
Swimphony will allow a school to upload pupil medical conditions and data relating to ethnic origin subject to very specific criteria. When schools are uploading their pupil data into Swimphony they must confirm that any medical conditions and data relating to ethnic origin are being uploaded with express parental consent. These data fields are completely optional and in the absence of parental consent this information shouldn’t be uploaded into Swimphony under any circumstances.
The swimming teachers that are scheduled to deliver the swimming lesson(s) for your pupils are given access to limited types of your pupils' data:
- English as an additional language status
- SEND status
- Medical conditions (this information should only be uploaded with express parental consent)
This data is required to ensure that the swimming lessons that pupils participate in are delivered in a safe and controlled environment that can be effectively planned and risk assessed by the swimming teacher.
Specific employees of Swimphony and the local authority / leisure operator that delivers your swimming lessons can access your Swimphony school portal in order to provide support, but it is important to note that only the forename, surname, reg group, year group, and attainment data of pupils is visible to them. All other pupil data is redacted and cannot be viewed under any circumstances by employees of Swimphony or the local authority / leisure operator that delivers your swimming lessons.
Every school has access to its own secure Swimphony School Portal that can be accessed via the internet. This portal is safeguarded by SSL (Secure Sockets Layer), which is the standard security technology for establishing an encrypted link between a web server and a browser. This link ensures that all data passed between the web server and browsers remains private and unaltered.
Swimphony also provides two-factor authentication as standard to all schools that use Swimphony in order to provide an additional layer of protection from unauthorised access to your Swimphony School Portal. Two-factor authentication works by sending a randomly generated 4-digit code to the email address of the authorised user from your school that has successfully entered a valid username and password. This randomly generated code is only valid for 15 minutes, and a new code is generated each time an authorised user attempts to access Swimphony.
Swimphony allows schools to delete all information relating to an individual pupil (or all of their pupils) via their Swimphony School Portal whenever they wish. Please note that if a school decides to delete pupil data from Swimphony, we will remove all data (including swimming attainment data) from our database, which may compromise their ability to fulfil their national curriculum reporting obligations. This data cannot be recovered when it is deleted.
Any user of Swimphony, including swimming teachers, can request deletion of their Swimphony data at any time by sending an email to email@example.com and this request will be honoured within 2 working days. Please note that any requests for deletion will prevent any further use of Swimphony and access to Swimphony by that user or swimming teacher.