GDPR and Data Protection

Downsy · 20 Jan 2019 at 21:44

Hello all,
My son’s school has signed up with an app to send through details of events, newsletters, forms etc. which we have been asked to download and enrol. However looking at the privacy policy on the App Store it looks like the app wants access to my Facebook wall, camera, cookies and google drive! Am I just freaking out over nothing or is this a concern? Looking further in to the terms and conditions, it appears it is data harvesting to provide targeted ads. His can’t be right can it?
Anyone else using this with their schools?

MassiveJim · 20 Jan 2019 at 21:50

what happens if you click on deny access ?
I find most of the apps function relatively normally even when you click no on everything.

Azza · 20 Jan 2019 at 22:24

What's the app?

Downsy · 20 Jan 2019 at 22:44

App is called weduc, I cannot find any method within the settings in the app or in IOS settings to do anything apart from turning off access to Siri. The website for the software talks about being gdpr compliant and how it only shares children’s data with parties directly related, but it doesn’t talk about the app. I only noticed it when looking at the privacy policy in the App Store.

Resident · 20 Jan 2019 at 23:20

Downsy said:
Hello all,
My son’s school has signed up with an app to send through details of events, newsletters, forms etc. which we have been asked to download and enrol. However looking at the privacy policy on the App Store it looks like the app wants access to my Facebook wall, camera, cookies and google drive! Am I just freaking out over nothing or is this a concern? Looking further in to the terms and conditions, it appears it is data harvesting to provide targeted ads. His can’t be right can it?
Anyone else using this with their schools?

I'd be speaking with the school to see if they're aware of it. I cannot think of a valid reason as to why an app used to communicate school business to you would need access to any of that other than cookies for ads which you should be able to reject.

I certainly wouldn't install it till I'd spoken with them.

Semple · 20 Jan 2019 at 23:23

This is why you want an Android. As Jim was alluding to, you could just deny access to those specific features and then use the app.

Downsy · 20 Jan 2019 at 23:37

Semple said:
This is why you want an Android. As Jim was alluding to, you could just deny access to those specific features and then use the app.

I’m too far gone! All I can do is serve as a warning to others.

Skynet5 · 20 Jan 2019 at 23:51

Wtf is wrong with email is what I would ask them.
Apps, everyone wants an app.

Raumarik · 21 Jan 2019 at 00:03

https://www.digitalmarketplace.service.gov.uk/g-cloud/services/149651037679171

Apparently it's pen tested annually.

Only Cyber Essentials certified which is the most basic one you can get, I could get the local corner shop that cert in about 30mins. Smaller the company, easier it is to get (it's basically self cert questionnaire).

No ISO 27001 is a bad starting point though, would expect companies like this to have at least gone for that, not difficult to get in a small developer especially one that's been going for 10 years +

Likewise now connection to PSN/SWAN (Public sector networks) makes me think they've had few contracts with anything confidential behind them, or they penny pinch/price themselves too damn low, or the cardinal sin - the public sector organisations working with them have dire security to begin with and just let them RDP in whenever they want.

GDPR/DP it's hard to say, depends what's being shared which isn't specified anywhere. I doubt it's a huge problem though. The permissions it's asking for sound more like it needs them to do all the daft "social media style" functions that is for whatever reason needs..

OspreyO · 21 Jan 2019 at 00:43

Downsy said:
Hello all,
My son’s school has signed up with an app to send through details of events, newsletters, forms etc. which we have been asked to download and enrol. However looking at the privacy policy on the App Store it looks like the app wants access to my Facebook wall, camera, cookies and google drive! Am I just freaking out over nothing or is this a concern? Looking further in to the terms and conditions, it appears it is data harvesting to provide targeted ads. His can’t be right can it?
Anyone else using this with their schools?

I wouldn't use it.

Rainmaker · 21 Jan 2019 at 00:51

Semple said:
This is why you want an Android. As Jim was alluding to, you could just deny access to those specific features and then use the app.

Nope. Apple only offers you permissions for Siri because that's what Apple controls. If it's asking access to Facebook and Google Drive, they're not part of your Apple account or your iPhone - you'd have to sign in to those separately via the app. So guess where you need to go to control the app's access to Facebook and Google? I'll give you two guesses...

OP, I wouldn't touch that with a bargepole. Our daughter's school uses Tapestry, no permissions required and the school just generated us a random login which then allowed us to change the password.

Downsy · 21 Jan 2019 at 15:07

Thanks for all you help guys. I have a meeting with the school tomorrow to go through what other options I have. I think my main talking point is that there has been no communication from the school as to what personal data the app is requiring from the parents to be able to function and why that is necessary.
From what Raumarik has said, and I’m no expert, is that from a security standpoint it seems pretty weak. Lack of an approved ISO 27001 certification seems a little odd for a company performing government work.
I much preferred it when they sent an email newsletter!