Noteable – DPIA Information udpate

The Noteable service providing access to cloud based computational notebooks is now available via the App Library in Glow.

Noteable provides a cloud based environment for coding activities using Python and R/R Studio.  This can be used to support the delivery of Computing Science and Data Science based courses as well as Higher Applications of Mathematics.

  • A DPIA will be required before schools in local authorities can access the service. This document should provide most of the information required for Local Authorities.
  • To access the Noteable app in Unify, the Glow Key Contact has to make contact with RM who will issue an application request form.  Once completed and returned, the app will be made available to admins for the authority who can accept the terms and conditions and install across their establishments

DPIA Support

EDINA, at the University of Edinburgh have provided documentation to help with DPIAs.  This documentation is available below.

Noteable Service DPIA (outwith University of Edinburgh)

Additional Questions and Answers asked by LAs

LA QUESTION:
It states that the legal basis is Contract. What is the basis of the contract? Who is the contract with given the Local Authorities haven’t signed anything directly with Edinburgh University

  • EDINA, at the University of Edinburgh holds an agreement with Education Scotland to integrate and supply the Noteable service through the GLOW system to Scottish schools. Contractual agreements to access GLOW apps fall between Education Scotland and the Local Authority. Service level contracts and agreements between EDINA, the University of Edinburgh and service users are relevant and applicable where there is a legal basis to supply the service as a paid subscription.

LA QUESTION:
Does the Local Authority have to request removal of material from the cloud once the qualification is done or doe this happen automatically?

  • Removal of data on the Noteable service is managed by the Data Retention Policy available on the Noteable website: https://noteable.edina.ac.uk/data-retention/
  • Once a user has been tagged with a ‘Suspended’ or equivalent affiliation by the Identity Management System that feeds into the Noteable system through GLOW, using the SAML2 authentication standard, the user’s account will be made unavailable for access and user accounts are deleted one year after the user’s affiliation is set to ‘Deleted’.User account deletion does not include deleting assignment work submitted to Instructors – this data is considered owned by the relevant Instructor and will remain within their Noteable service user space until the instructor account has been Suspended and Deleted according to the schedules described above.

LA QUESTION:
Please describe the technical measures that will be put in place to support the protection the data in the cloud

  • The Noteable service adopts Jupyter technology into its infrastructure stack and does not link to Jupyter project servers that may be based outside of the United Kingdom. The Noteable hardware and software infrastructure stack are run by and within University of Edinburgh’s IT infrastructure. The Information Security Strategy of the University of Edinburgh includes information on Cyber security incident prevention and management requirements and advice for staff members of the University. (https://www.ed.ac.uk/infosec/information-protection-policies/information-security-required-reading/information-security-strategy).
  • To protect data within the Noteable service, The infrastructure that Noteable is built upon takes nightly backups of the virtual machines running the Noteable service. The service itself runs within Docker containers in those virtual machines. The backups are retained for 4 weeks (this information is available within the Data Retention Policy as well).

LA QUESTION:

University of Edinburgh’s website states: ‘Noteable is integrated with Learn to allow for a central launch point into a pre-set environment without the need for a separate login.’ Are you able to explain what Learn’ is?

LEARN refers to the University of Edinburgh’s specific online learning environment, and in the case of schools the word ‘Learn’ would be replaced with ‘GLOW’ as the equivalent. As these are the University of Edinburgh’s specific websites, information about Noteable will be specific to their use case. Further information on Noteable for schools can be found on our YouTube playlist and website.

LA QUESTION:
Noteable – Cookie Policy (edina.ac.uk) – are you able to clarify the third parties you rely on to sub-contract the processing if this includes personal data

    • Noteable uses New Relic and Google Tag manager for gathering performance and traffic metrics. All data is obfuscated for New Relic and used only for performance metric purposes. Google Tag manager is used on the service launch page and there is no personal data that is fed or added to Google Tag manager.

LA QUESTION:
Will personal data be included on any assignments? E.g. teacher name, signature and pupils name, class, schools?

  • Data securely authenticated by Noteable using the SAML2 authentication protocol used with the GLOW system will possibly include student names to track assignments and school name identification on the launch page and for assignment management.

LA QUESTION:
What departmental controls or controls by University of Edinburgh etc. will be put in place to protect personal data? E.g. ‘Student Guide to using Noteable for Assignments’

  • Personal data is protected and managed by the Noteable service data retention policy: https://noteable.edina.ac.uk/data-retention/
  • Backups of data on the Noteable service are outlined in the policy which includes further information on the virtual machines which run the infrastructure of the service.
  • Personal data is obfuscated in all possible instances and solely used for authentication purposes to access the service and a user’s saved environment and files.

LA QUESTION:
What do teachers have access to?

  • Teachers have access to a user-specific instance of Noteable, including computational notebook files and environments they have created and saved previously, including options to choose computational notebook types with Python and R-based notebooks. Teachers have assignment features enabled when they authenticate into Noteable through GLOW, and can create assignments for their class using the Formgrader tab on the Noteable service dashboard. Teachers have access to the Formgrader feature for releasing assignments to their classes from Noteable as well, which will release an assignment file from the source in the teacher’s user space for students in their class to fetch in the Assignments tab of Noteable.

LA QUESTION:
Do you rely on any sub-processors? The storing of data outside the UK would have to be a yes as University of Edinburgh is a Data Processor. We need to understand if anyone else is ?

  • No personal data that Noteable may use is stored outside of Scotland and the United Kingdom. All data is stored on University of Edinburgh hardware.

Leave a Reply