Edtesa Reporting: full specification

What is Edtesa Reporting?

Edtesa Reporting is a reporting service offered by Edtesa to organisations. The service, hosted by Edtesa, consists of a hosted form to capture information or details for anyone who needs to report issues to the management. That information is then saved and a notification email is sent to an email address(es) nominated by the business on each inbox.

It also comprises an alternative SMS service that uses a business specific prefix code to send information to inboxes. Both services can be regarded as anonymous (as between the management and the user) if the user chooses to withhold their personal information in messages.

Whilst some personal data is collected by us in a report (some, only if the user chooses to do so and some as a consequence of the electronic footprint of the report) we do not provide this to a business except in limited circumstances as a business will not be able to access.

Who is the service for?

The service is an open reporting route for any concerns that a whole business community might have, but in particular, issues that affect the safety and well-being of staff. It can be used by staff; or indeed anyone who needs to report an issue to the company anonymously.

How can a business make the service available?

Via the web

Edtesa Reporting can be accessed by users through a unique URL which we assign for setup within the Edtesa Reporting system. You may link to your form on your own website by installing an anchor to your unique link. We provide a facility to generate the required HTML code to achieve this.

By accessing your unique link, either through the company website, via an email, or directly, users will be taken to the company's reporting form that is hosted on our website. 

There is also a way for users to use SMS to report issues to your company using our dedicated SMS number and prefixed with your SMS code (Generated when you setup your form), which you can show on your website. The company will not know if the user accessed the system by the web or SMS; each route creates a notification email to administrators assigned to the receiving inbox.

What can a user report?

We have designed this so that a user can share anything.

This might include:

  • A member of staff being bullied
  • Abuse is taking place
  • Advice on a personal issue
  • If the user feels somebody at work is at risk
  • If the user has a problem that they need to talk about to somebody

Please be aware: The system may filter and block things like swear words that stop messages getting to the company Edtesa Reporting account.

We have produced a short document which is made available when the user makes a report to cover this with important data protection information. This User Notice can be viewed here.

Is reporting to Edtesa Reporting really anonymous?

Edtesa Reporting has been designed for users to be able to report electronically and in private through an online or SMS system that is accessible to staff through an online portal. Personal details are not shared with the company unless a user chooses to include them in the body of the message or adds their name when submitting a message.

When making a report the user can complete contact info boxes; in doing so, the system can alert the user by email or SMS of certain system information such as a URI for the message / connected messages or when the company has responded. Save for the user’s name (if provided), this contact data is not made available to the company, save under limited circumstances of which the user is aware, by way of a notice we give to each user.

See data protection section for more information.

Is it confidential?

Message content is not transmitted via email, and is only available to view through the Edtesa Reporting administration system, which is encrypted using standard TLS encryption. Whilst we make every effort for messages to be secure and confidential, there may be occasions when it could be recorded on company security or other systems.

Users must be aware that monitoring systems may be able to decrypt and monitor traffic flowing across the company network and that email is not 100% secure. Also the system could be accessed by unauthorised persons should an account password be compromised.

A business will decide how they wish to deal with the subject of the message and sometimes in really serious cases (e.g. someone is at risk of harm) the company may share the information a user has provided with the police. The business is solely responsible for the actions it takes and we consider that it is for the company to act in accordance with its own guidelines on policies as relevant.

We appreciate that the data we hold may be important when a serious case is reported but we shall not be able to provide this unless under limited circumstances.

What can a user expect to happen once they have made a report?

This depends. It is up to the business to deal with any issues that involve the safety or well-being of staff, so a user should expect it to be acted upon. If a user wanted to pass on information about someone or something that they are concerned about, the business should investigate the issue further using the information provided. This could mean talking to the people directly involved or any other possible bystanders.

The company will make their best judgements as to how to respond to the user, but should send messages back to the person who submitted a report during or after an investigation, using the messaging facility provided by the Edtesa Reporting system.

How long will it take?

We advise companys who use Edtesa Reporting to respond to any reports within 24 hours during company time. At weekends this may very well be longer and any time the company is closed, the service may not be available. To fully investigate issues will take longer depending on the complexity of the case, so users should be informed of progress through the messaging facility of the Edtesa Reporting system if no other contact details have been provided.

You can provide more information on how quickly you expect to respond to reports using the free text boxes provided in the Edtesa Reporting Forms setup dialogue.

Where are reports, contact data and other data stored and for how long?

Reports, messages, contact data and some location data is stored by us as we require it to provide the service.

Reports will be available to access by the designated member(s) of the business for as long as the report is deemed to still be active, plus the period as specified by the data retention policy specified as part of the setup process.

Reports will be exportable from the system and once in the hands of the company the company is responsible for storage and retention of these outside of the system.

We will process contact data and some location data as required for the service provision and analytical purposes.

Regarding data retention, we have an automated process in place. The business can choose how long personal data is retained for (6/12/24/36 months), and after the selected period, the names, reports, chat messages, email addresses, telephone numbers, IP addresses are erased.

The records are retained with the report categories, dates, APNs, locations (i.e. no personal data) and we use this for analytical purposes.

If you end the service, we will work with you to provide you with the text of messages which have not yet been erased.

Data protection treatment

We consider that Edtesa and a business are both data controllers in respect of the message content and so we “share” this data and we each have obligations under the data protection laws to the users and, for the company this extends policies for their duties to other data subjects who may be identified by the user in the body of the message;

Edtesa’s involvement is limited to processing the message / responses in each chain (an Interaction) and sharing this with the business. We do not monitor the content of any messages. We will share this data as relevant for providing the Services and store it safely.

The company is solely responsible for acting on the information it receives from the User in accordance with its own policies and procedures (eg. Bullying / harassment etc).

The business may save the message content in its own systems and in doing so is responsible for these aspects of processing as a controller outside of the confines of the system (i.e. the business is responsible for putting in place appropriate information and notices for its user community) taking into account that messages may include personal data concerning the user but other data subjects from time to time.

User contact data

We are the data controller in respect of this data and we will use these details only to provide the email notifications and other functionality in the system. We are aware that a company may wish us to provide contact details where a message causes concern (i.e. that a user is at risk of harm or similar for the person they have identified in the message); and we will do under limited circumstances such as where this is ordered by a court, the police of any other administrative body outside of the business or the user gives consent.

The messages will also generate some other types of data such as locations data, IP etc and we are the data controller of this and apply the same principles as for user contact data to this.

We explain all this to the user in the User Notice [URL].

Technical information about a report

There are currently two entry points into the Edtesa Reporting system for reports, and the data that could be collected is as follows:

  • Via Web Form

    • Creating a report
      • Name entry is optional – if no name is entered, the user will be seen as [Anonymous] – This is shared with the company.
      • Report is required and could contain personal information – This is shared with the company.
      • Email Address entry is optional, and is used for the purpose of notifying the reporter when their report gets a response – The company does not have access to this
      • IP Address is recorded internally, along with the approximate location and APN of that IP address – The company does not have access to this
      • Each report gets assigned a unique link, which is revealed to the user, they can access the chat through this
        • If they entered their email they will have the link emailed to them
    • Responding to reports
      • Company does not know whether the user used the web form or SMS
      • Company responds via a chat interface in the backend system connected to the report
      • If the user entered an email address, the user will get an email notifying them of a response
      • The user can access messages via their unique link
      • The user will see the first name of the admin
      • The IP address, APN and approximate location will be recorded for each message that is sent between the two parties –the company does not have access to this
  • Via SMS

    • Creating a report
      • System records the telephone number of the user – the company does not have access to this
      • The report sent in the text message is viewable by the company
      • Name will be [Anonymous]
      • The user will receive an automated text message in response containing their unique link should they wish to continue the conversation through the webchat interface
    • Responding to reports
      • The company does not know whether the user used the web form or SMS
      • When the compnay replies, this will be sent to the user’s phone via SMS
      • Users can respond to messages within the same thread by not using a prefix