Who we are, and our role
We are WerAreWe ltd., a company registered in England and Wales, Company number 11629471.
We will use terms like “we”, “us” and “our” to refer to WerAreWe ltd.
We act as a Data Processor for information given to us by your users.
Who you are, and your role
We distinguish between the terms “Customer” and “User.”
- A customer is the legal entity that has contracted with us.
- A user is a human being that the customer has authorised to access the platform.
Our customer acts as the Data Controller for all information stored on our platform.
What types of information our platform can store
Users broadly fall into two groups in a school environment – pupils and staff. Our software distinguishes between “pupil access” and “staff access.”
Pupils can only see a limited subset of their own information.
However, because some customers track not only pupils, but also some/all staff, we use the blanket term “tracked people” to refer to those whose location is tracked.
For staff users who are not tracked, our platform stores only an email address and a password (see below).
For “tracked people”, our platform additionally stores the following. (Staff users can see this extended information for all tracked people.)
- A current location from the list defined by the customer
- A location history for “a period of time” defined by the customer
- A year group (from a list defined by the customer based on how the school names its years)
- A default location, such as a house (in the boarding school sense)
In addition, some customers choose to store information to make it easier for them to track pupils. This information is visible to all “staff users”, and includes:
- Phone number
- A “Notes field”, which some schools use for things like medical information
- A photograph
It should be noted that staff users have access to a wide variety of reports that aggregate information across all tracked people at this school. This includes functionality such as contact tracing. (Though this should not be used as a substitute for government-provided contact tracing apps.)
Why our platform stores personal information
Some information is required to ensure people can log into our platform. (This applies to email address and password.)
Some information is required to uniquely identify pupils and provide reports that cover specific subsets of pupils. (This applies to year group, and home location.)
Schools have a legal obligation to ensure that staff are aware of where their pupils are, and keep historical records of pupils’ movements. There are additional obligations placed on boarding schools by section 15.5 of the National Minimum Boarding Standards. (This applies to current location and location history.)
Some schools find WerAreWe a convenient place to store information about the pupils that staff users might need to know quickly. (This applies to phone numbers and “Notes”.)
How our platform obtains personal information
With the exception of “current location”, all information about users is entered into our system by a “system administrator” appointed by the customer. This might be a teacher, member of school admin staff, or a member of a school IT department.
Customers can set up multiple system administrators.
The “current location” information can be set either by a tracked person or by any staff user, at any time. Our platform keeps a timestamp of who set this information, and when, and how it was set (a self-service website, a mobile app, a kiosk, the staff-website, etc.).
Your right to your personal information
Because our customer is the Data Controller, we can only release information to subjects with the customer’s permission.
Our customers typically prefer to manage such information requests themselves.
So to make an information request, you need to contact your school. The process for doing this varies by school, but our contract with schools requires them to warrant to us that they have a legal process in place, and have communicated it to you. (Such processes typically cover multiple platforms, not just ours, used by schools to store personal information.)
As an information processor, we only hold authorisation to refer you to the school’s process.
We do not have access to users’ passwords. Nor can any of our staff set a password for a user.
No user has access to any password other than their own.
This is because passwords are auto-allocated by our platform and emailed directly to our users (both when new accounts are created, and when password resets are requested.) Users can then, if they wish, change their passwords.
These system-generated passwords follow the guidance from the UK government’s National Cyber Security Centre. You can read their guidance on their website.
Our platform then stores a “one way encrypted, salted” text generated from that password. We update the encryption standards used to store this from time to time as IT security standards evolve.
It should be noted, however, that because passwords allocated by us are emailed to users, they are visible to anyone with access to read the email of the user. In schools in particular, it is a relatively common pattern to have certain staff able to monitor pupils’ emails. Whether this happens is outside of our control, and we are not party to individual customers’ policies.