This page summarises the technical and organisational measures applied to CareJournal. It should be read with the Privacy Policy, Data Protection, Cookie Policy and Terms of Service. Schools, trusts and local authorities may request further supplier-assurance information by contacting hello@carejournal.uk.
1. Definitions
In this page: Special Pathways means Special Pathways, the operator of the Service. The Service or CareJournal means the CareJournal website, web platform and mobile app. School means the school or organisation that subscribes to the Service. User means an individual authorised to access the Service.
2. Hosting and data location
The Service uses UK-based infrastructure and Personal Data is held within the United Kingdom in normal operation. Service providers are assessed for role, location and data-protection safeguards before use. A current list of service providers is available to Schools on request.
3. Access
Access to the Service is controlled by School, role and permission. Authorised Users only see information appropriate to their role. Schools are responsible for deciding who should have access and for keeping access up to date.
4. Authentication
The Service uses secure sign-in processes and applies measures designed to reduce unauthorised access and detect misuse. Users should keep their login details private and report suspected unauthorised access to their school administrator.
5. Encryption
Encrypted connections are used to protect data in transit between Users and the Service. Where supported by the infrastructure, stored data and backups are encrypted at rest. This includes appropriate protection for uploaded files, records and operational data.
6. Audit trails
The Service maintains audit trails to support accountability, security review and school oversight, and to support investigation of issues, access reviews and responses to concerns.
7. Photos and videos
Where the School's policy allows it, photos or short videos may be uploaded as observation evidence. Schools are responsible for compliance with their own safeguarding, consent, acceptable-use and data-protection policies. Uploaded media is protected by the same access controls as the record it belongs to. Pupil photos and videos are not used for advertising, profiling or marketing.
8. Backups and recovery
Backup processes are designed to support service continuity and recovery. Backups are protected and retained for a defined period. On termination, export, deletion and retention are handled in line with the school agreement and applicable data-protection arrangements.
9. Operational security
Operational processes designed to reduce risk and maintain reliability include controlled change management, monitoring, supplier review and incident response. Access to School data by Special Pathways or approved service providers is limited to what is necessary to operate, support, secure or maintain the Service.
10. Service providers
Special Pathways relies on a limited number of service providers to help operate the Service. Each provider acts on our instructions and is only permitted to process Personal Data for the services it provides to us. A current list is available to Schools on request and may be included in the school agreement.
11. Incident response
If Special Pathways becomes aware of a security incident affecting a School's data, the School's nominated contact will be notified without undue delay and provided with the information reasonably needed to assess the incident and meet its own data-protection obligations. Where the School is the controller, the School remains responsible for deciding whether notification to the ICO or affected individuals is required.
12. Vulnerability reporting
Suspected security issues should be reported to hello@carejournal.uk with sufficient detail to investigate. Public disclosure before a reasonable opportunity to review and respond is not permitted.
13. Supplier assurance
Special Pathways supports supplier-assurance, information- governance and data-protection reviews by providing appropriate information on the matters typically requested, including hosting and data location, access controls, audit trails, encryption, backups, service providers, breach notification and data-protection arrangements. Requests: hello@carejournal.uk.
14. Changes to this page
This page may be updated as the Service or the underlying security processes change. Material changes will be communicated to subscribing Schools.
15. Contact
Security queries: hello@carejournal.uk.