This page sets out the data-protection arrangements that apply to the use of CareJournal by Schools. It should be read with the Privacy Policy, Security, Cookie Policy and Terms of Service.
1. Definitions
In this page: Special Pathways means Special Pathways, the operator of the Service. The Service or CareJournal means the CareJournal website, web platform and mobile app. School means the school or organisation that subscribes to the Service. Personal Data has the meaning given to it under UK GDPR.
2. Controller and processor
For pupil, parent, carer and school staff records held inside CareJournal, the school is normally the data controller. The school decides what is recorded, who has access, how long records are kept and how CareJournal fits with its wider policies and legal responsibilities.
Special Pathways normally acts as the data processor for those records, processing personal information on behalf of the school under a written agreement and on the school's instructions.
For information arising from our own business activities — for example, enquiries, support correspondence and administrative records — Special Pathways may act as a data controller.
3. Children's information
Family access, where available, is controlled by the School. Parents and carers only see information the School chooses to make available to them. Wider commitments relating to children's Personal Data are set out in the Privacy Policy.
4. Lawful basis
The School is responsible for deciding the lawful basis for processing pupil, parent, carer and staff records inside the Service, including any Article 9 condition for special-category data such as information relating to health, disability, care needs or SEND provision. Special Pathways processes such information as processor under contract.
Where Special Pathways acts as controller, the lawful basis will typically be contract, legitimate interests, legal obligation, or consent where required.
5. Data minimisation
The Service is designed to collect only the Personal Data needed to provide the Service and support school-led progress recording. Schools control what is entered. Photos and videos are optional and should only be uploaded where permitted by the School's own policies. The Service does not use advertising trackers or third-party advertising pixels.
6. Access control
The Service uses role-based access so authorised Users only see information appropriate to their role and permissions. Schools are responsible for deciding who should have access and for keeping user access up to date.
7. Retention and deletion
School records are retained for as long as the School uses the Service, unless agreed otherwise in writing or required by law. Schools may request correction, export or deletion of records in line with their agreement and data-protection responsibilities.
On termination, an export is provided and School records are deleted or anonymised within the agreed termination period. The standard period is 30 days after termination, unless the school agreement, legal requirements or operational backup processes require a different period.
8. Rights of pupils, parents, carers and staff
Under UK GDPR, individuals have rights of access, rectification, erasure, restriction, objection and portability, and the right to complain to the Information Commissioner's Office.
Requests relating to school records should be made to the School, as the School is usually the controller. Special Pathways will support the School in responding to valid requests. Direct queries: hello@carejournal.uk.
9. DPIA and supplier assurance
Schools, trusts and local authorities may need to complete a Data Protection Impact Assessment or supplier assurance review before using the Service. Special Pathways provides appropriate information on the matters typically requested, including the purpose of processing, categories of data, access controls, security, retention, service providers, data location and breach notification. Requests: hello@carejournal.uk.
10. Service providers
Special Pathways relies on a limited number of service providers to help operate the Service. Each provider acts on our instructions and is only permitted to process Personal Data for the services it provides to us. A current list is available to Schools on request and may be included in the school agreement.
11. International transfers
Personal Data is stored on UK-based infrastructure. Personal Data is not transferred outside the UK or EEA unless appropriate safeguards are in place. If this position changes, Schools will be informed.
12. Security
Special Pathways applies technical and organisational measures designed to protect Personal Data. A summary is available on the Security page.
13. Breach notification
If Special Pathways becomes aware of a personal-data breach affecting a School's records, the School's nominated contact will be notified without undue delay and provided with the information reasonably needed to assess the incident and meet its own obligations. Where the School is the controller, the School remains responsible for deciding whether a report to the ICO or affected individuals is required.
14. Changes to this page
This page may be updated as the Service develops or as legal, technical or operational requirements change. Material changes will be communicated to subscribing Schools.
15. Contact
Data-protection queries: hello@carejournal.uk.