DATA PROTECTION POLICY - GDPR 2018
This documents lays out the procedures and principles of data protection that will be followed by all employees at Prodeo LTD.
All employees have completed the Prodeo GDPR Training Session and the Employee of Prodeo LTD - GDPR Compliance Document (Appendix A).
GDPR: General Data Protection Regulation
Controller: A controller determines the purposes and means of processing personal data.
Processor: A processor is responsible for processing personal data on behalf of a controller.
Personal Data: The GDPR applies to 'personal data' meaning any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.
Personal Data Breach: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to, personal data transmitted, stored of otherwise processed.
PRODEO LTD: PROCESSER
As defined above, Prodeo LTD (Trading as SMID) acts as a processor of data on behalf of controllers (Education establishments, namely secondary schools).
As a processor of personal data we are required under the GDPR to provide information on the following key protection areas:
Lawful basis for processing
Data Types Stored
Data Storage - Security
Data Subject Access
Data Breach procedures
Data Protection Officer
LAWFUL BASIS FOR PROCESSING
GDPR requires that a processor must have a valid lawful basis in order to process personal data. There are six available lawful bases for processing:
1. Consent - The individual has given clear consent for you to process their personal data for a specific purpose.
2. Contract - The processing is necessary for a contract you have with the individual or because they have asked you to take specific steps before entering into a contract.
3. Legal obligation - The processing is necessary for you to comply with the law (not including contractual obligations).
4. Vital interests - The processing is necessary to protect someone's life.
5. Public task - The processing is necessary for you to perform a task in the public interest or for your official functions and the task or function has a clear basis in law.
6. Legitimate interests - The processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individuals personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks).
Prodeo LTD is processing the data on behalf of an educational establishment, with which we have an annual contract in order to provide access to our cloud based software. Therefore SMID meets the lawful obligation point 2 which state the processing is necessary for a contract you have with the individual. It is important that the school as a controller of the data has the necessary consent in place when obtaining certain data from students who attend the school.
DATE TYPES STORED
Prodeo LTD requires the following personal data as a minimum to use the SMID cloud software:
Code - This can be decided by the school, commonly admission number but may be UPN or candidate number.
Classes - The classes a student is currently studying.
Report Grades - Assigned within school or from final exams.
Optional Data (Required for full functionality)
Pupil Groups - A school can choose which data to include as pupil groups common examples are Free School Meals (FSM), Pupil Premium (PP) and Prior Ability Grouping.
Attitude To Learning Score - Scores assigned within school to categorise students behaviour.
Attendance - % attendance scores may be added to the system to monitor attendance patterns.
DATA STORAGE AND SECURITY
Prodeo LTD trading as SMID will not supply any of your data to any third party and will only use the data you provide to support your school:
Prodeo Limited is registered with the Information Commissioners Office (ZA138870) in accordance with the Data Protection Act of 1998 and the code of practice issued by the regulators of England, Wales and Northern Ireland.
The personal data stored within the SMID Report and Dashboard includes Names, School Selected Pupil Groups e.g. Pupil Premium, Grades, Gender and Attendance. The data will only be used within the context of the SMID Dashboard and Report and will only be used to identify the progress made by students from any schools that is a member. When accessing the SMID Dashboard you will be using a Secure Hyper Text Transfer Protocol (HTTPS) along with Secure Sockets Layer (SSL) Protection. This provides encrypted access to our servers protecting you from others accessing the data. All data is hosted using Amazon S3 Servers, which are secure and encrypted.
Security information from host website, Heroku
Heroku's physical infrastructure is hosted and managed within Amazons secure data centres and utilize the Amazon Web Service (AWS) technology. Amazon continually manages risk and undergoes recurring assessments to ensure compliance with industry standards. Amazons data centre operations have been accredited under:
SOC 1 and SOC 2/SSAE 16/ISAE 3402 (Previously SAS 70 Type II)
PCI Level 1
Sarbanes - Oxley (SOX)
Heroku utilizes ISO 27001 and FISMA certified data centres managed by Amazon located in Ireland (EU - West - 1) Amazon has many years of experience in designing, constructing and operating largescale data centres. This experience has been applied to the AWS platform and infrastructure. AWS data centres are housed in nondescript facilities and critical facilities have extensive setback and military grade perimeter control berms as well as other natural boundary protection.
Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, state of the art intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication no fewer than three times to access data centre floors. All visitors and contractors are required to present identification and are signed in and continually escorted by authorised staff.
Amazon only provides data centre access and information to employees who have a legitimate business need for such privileges. When an employee no longer has a business need for these privileges. When an employee no longer has a business need for these privileges, his or hers access is immediately revoked, even if they continue to be an employee of Amazon or Amazon Web Services. All physical and electronic access to data centres by Amazon employees is logged and audited routinely.
DATA SUBJECT ACCESS
Under the right of subject access, an individual is entitled to request a copy of the personal data held about them.
Valid Subject Access Request
For a subject access request to be valid, it should be made in writing. In order for a subject access request to be made successfully we will require proof of a persons identify and legitimacy to make the request. Should any request be made our data protection officer will contact the designated data controller at the relevant establishment to fully confirm the legitimacy of a request. We will then move forward in providing the data in an appropriate format.
For example in the unlikely event of a parent or a pupil contacting Prodeo LTD directly with a subject access request. We would clearly inform them that we would be contacting the school data protection officer in order to verify the request and all communication would come through the school.
We do not expect the above scenario to be a common occurrence but should it arise the school data protection officer will always be our first point of contact.
Request Procedure / Format
Under GDPR legislation an organisation is not allowed to require an individual to complete a subject access request in a certain format. Therefore Prodeo LTD does not require an individual to complete a specific form to make the request. It is recommended that any request should be sent by email to email@example.com so that we can deal with your request as quickly as possible. Should a subject access request be made to another member of staff or in a different format such as a written letter all staff are fully aware of GDPR procedures and will take any request and pass them on to the data protection office.
Prodeo LTD will meet the GDPR requirements that state the information provided to the individuals is in an intelligible form. Any response made by Prodeo LTD will be sure to include a glossary of terms should any technical information be included that may not be understood by the average person.
Subject Access Request Cost
Prodeo LTD will not require any charge for any request made.
DATA BREACH POLICY
A data breach occurs when personal information is lost or subject to unauthorised access.
Definition of Personal Data Breach
A personal data breach can be broadly defined as a security incident that has affected the confidentiality, integrity or availability of personal data. In short, there will be a personal data breach whenever any personal data is lost, destroyed, corrupted or disclosed; if someone accesses the data or passes it on without proper authorisation; or if the data is made unavailable, for example, when it has been encrypted by ransomware or accidentally lost or destroyed.
Data Breach Response Team
The Data Breach Response Team has been set up with any form of data breach which can occur.
ICO provides examples of data breaches which range from an email being sent to the incorrect individual through to stolen data from a breach of the database. Prodeo LTD takes data protection extremely seriously encrypting all data at rest, however if a breach were to occur Prodeo LTD will contact all schools with the following information:
The name and contact details of your data protection officer (if your organisation has one) or other contact point where more information can be obtained.
A description of the likely consequences of the personal data breach.
A description of the measures taken or proposed to be taken to deal with the personal data breach and including, where appropriate, of the measures taken to mitigate any possible adverse effects.
When a data breach occurs Prodeo LTD will establish whether the breach needs to be reported to ICO. This is only the case if there is likely to be a risk to peoples rights and freedoms.
Prodeo LTD will record any breaches that occur even if they don't need to be reported to ICO.
Any school that terminates their contract with SMID will have all data removed from SMID's live database within 1 week of the end of the subscription.
Data will still exist within backups for 3 months after the end of the subscription after which it will be destroyed.
DATA PROTECTION IMPACT ASSESSMENT (DPIA)
The ICO recommends that you carry out a DPIA if you plan to use processors that are likely to result in 'a high risk to individuals'. If you wish to carry out a DPIA before starting or during your contract with SMID we will fully support you with this process.
Please find further information on conducting a DPIA here: ICO Website
As with the DPIA if as a controller you wish to carry out a data audit, we will support you with this process. We can provide you with detailed information on the data processed by Prodeo LTD specifically for your establishment.
APPENDIX A: EMPLOYEE OF PRODEO LTD - GDPR COMPLIANCE DOCUMENTATION - MAY 2018
This document is to notify that all staff have received training and fully understand the GDPR on data processing within Prodeo LTD.
All staff that are employed by Prodeo LTD must complete the GDPR Training Session. This provides staff with a detailed overview of the data protection procedures carried out whilst data processing occurs. It also provides all employees with the opportunity to raise any queries they may have regarding GDPR and its impact on Prodeo.
I fully understand and agree to abide by the following statements:
Prodeo LTD processes personal data on the SMID online platform.
All data is stored in an encrypted format on Amazon AWS (European based) platform.
Any data processing that is carried out to support schools must be removed from any local machines after it has been completed.
No personal data relevant to SMID will be stored on a local machine beyond the time it is being processed.
Data will not be sent to schools by email as this is not a secure method of transferring personal information.
If a school sends data by email, this must be transferred to Amazon AWS to the encrypted folders and then removed from the email account.
All passwords that allow access to the super admin section of the SMID platform must be secure. This requires them to be more than 8 characters, include at least one number, one capital letter and one special character.
Data should only be processed on work machines, NO personal laptops/any devices should be used to carry out data processing.
A school that terminates their contract with SMID will have all their data removed from the live database within 1 week. The data will continue to remain in backups for 3 months at which point will be removed.
I have completed the Prodeo GDPR Training Session and have had any necessary questions answered about GDPR and the impact is has on the role.
I understand that at any point if I am unsure on any aspect of GDPR I will contact the Data Protection Officer.