Data Protection Protocol

Guidance: This Data Protection Protocol is for use alongside the NHS terms and conditions where the Supplier (Data Processor) will be processing personal data on behalf of the Authority (Data Controller).


Table – Processing, Personal Data and Data Subjects


Description Details
Subject matter of the Processing Allow the staff member to create and manage a Profile Account in order to access the system and scan CAT QR Codes generated by the Authority.
Data Controller under the Data Protection Act 2018 (as amended) (“DPA”) The Authority, for example, NHS Organisation or University.
Data Processor under the Data Protection Act 2018 (as amended) (“DPA”) Shinetech Europe Limited, 8 Devonshire Square, London EC2M 4PL, United Kingdom. Registered UK Company Number 07141834
Nature and purposes of the Processing

Allow the staff member to create and manage a Profile Account containing these 9 fields:

  • (1) First Name
  • (2) Last Name
  • (3) Student Number (Optional)
  • (4) Position Title
  • (5) Department
  • (6) Employee Number (Optional)
  • (7) Organisation
  • (8) Email Address
  • (9) Profile ID*

*The Profile ID is the unique identifier for the staff member’s Profile Account. The Profile ID is used because other fields can change and cause duplicate records, incomplete records and nullify the validity of portable evidence (as required by GDPR 'Right to data portability')


During the Profile Account set up process, the staff member is asked for their NI number, however, the NI number is not stored in the system; The NI number is converted into an encrypted version of the NI number, using an industry award winning crypto algorithm, when the staff member clicks the Encrypt button.

When the staff member has created their Profile Account, the system sends their Profile Account fields to the registered Email Address so that the staff member can verify their Email Address.

Once the staff member has activated their Profile Account by verifying their Email Address, the staff member can access any associated systems.

The Authority has access to the back-end of the system via multi-factor authentication in order to create CAT QR codes and manage staff attendance records.

The Authority will create a CAT QR code that is shown to the staff member in class on a projector screen, tablet or any other device on an internet browser.

The staff member will scan the CAT QR code using their CATQR app. The decoded text from the CAT QR Code is displayed on the staff member’s CATQR app as 3 fields:

  • (1) Class Title
  • (2) Class Date
  • (3) Organisation
Type of Personal Data

Allow the staff member to create and manage a Profile Account containing these 9 fields:

  • (1) First Name
  • (2) Last Name
  • (3) Student Number (Optional)
  • (4) Position Title
  • (5) Department
  • (6) Employee Number (Optional)
  • (7) Organisation
  • (8) Email Address
  • (9) Profile ID*

The staff member will scan the CAT QR code using their CATQR app. The decoded text from the CAT QR Code is displayed on the staff member’s CATQR app as 3 fields:

  • (1) Class Title
  • (2) Class Date
  • (3) Organisation
Categories of Data Subject Employees, Students, Volunteers
Plan for return and destruction of the data once the Processing is complete unless requirement under union or member state law to preserve that type of data The Data Subject can Withdraw Consent of their Profile Account any time by using the Profile Account functionality.

The Authority will have their own Data Retention Policy.
Privacy Policy https://www.classattendancetracker.com/privacypolicy

Face to Face Completion History

Total Points Gained: