Revision as of 07:51, 15 July 2020 by Anthony
The UK / EU General Data Protection Regulation (GDPR) replaces the existing 1995 EU Data Protection Directive (European Directive 95/46/EC). It imposes strict controls on how all organisations collect and process personal data within the UK / EU and/or the personal data of UK / EU citizens. We’re constantly improving the technical and organisational security measures we have in place to protect your data and are committed to being fully compliant with GDPR and to our role as a data processor.
It is our policy to keep data private, secure and safe. We do this in several ways, including:
- Data is collected only for specific, explicit and legitimate purposes.
- Sensitive data is encoded whilst it is on your computer and before it leaves your computer.
- Data is also further encrypted with AES-256 encryption locally and/or with us (this can optionally be turned off).
- Passwords are stored with us as one-way salted hashes.
- SSL technology is used to ensure data is private during communication.
- Data is retained only for as long as necessary.
- Regular backups are made in case we ever need to recover data.
- Personal data can be exported in a machine-readable format.
Why data may sometimes be sent outside of the UK / EU and why encryption is optional:
A small percentage of our customers are not within the UK / EU. In that unusual case we have to send data outside of the UK / EU to those specific customers so that they can edit their reports. Customers in some of those countries may also not be legally allowed to encrypt data; for that reason we have the option to turn off local and/or server encryption for their data. The default for these settings is 'local off, server on'. In any event, data is also encoded and not stored in plain text. The settings for encryption are in Admin>School Details. We recommend leaving local encryption off so that, if you have a local hard drive fault, recovery software will have a better chance of working.
Where is data stored?
We use DreamHost to store data. DreamHost has included the Model Clauses in its Data Processing Addendum, which is legally sufficient for meeting the GDPR's requirements for exporting data to a non-EU country in lieu of Privacy Shield: https://www.dreamhost.com/legal/customer-eu-data-processing-addendum (please see Section 6 and Schedule B).
Why we would sometimes provide third parties with your information:
An example of an abnormal condition that could arise would be if a school asked us to interface directly with a third-party support team that the school uses, or if we were required to provide information to a third party at the request of the police or a court, e.g. a set of past school reports for a particular pupil.
Who has access to your information:
Only a few select staff have access to the school licence name and password. Our admin system checks their IP address as well as their password and will prevent logging in if either is incorrect. All our staff are DBS (Disclosure and Barring Service) checked. All passwords are stored as one-way salted hashes, which is why we can't recover teacher passwords, only replace them. Our server checks IP addresses for direct data access and only allows specific IP addresses to log directly into the database; everything else has to go through our web API, which requires the username and password to gain access. Full backups are made daily between 2 am and 3 am to a secure machine in a different location to the main server.
Data is backed up on average once per 24 hours and is stored on a secure server managed by Deluxe Pixel Limited in Preston, United Kingdom.
Website logs are encrypted and deleted after 72 hours.
Our registration with the ICO:
The enforcement of the GDPR is overseen by the United Kingdom’s supervisory authority, the Information Commissioner’s Office (ICO). It ensures that everyone is playing by the rules and that the rights of data subjects - the people whose data is being processed - are correctly protected.
We are registered with the Information Commissioner's Office in the UK (ID: ZA551060).
Your school contact:
Under the GDPR, those collecting or processing data at 'large scale', collecting or processing certain types of sensitive data, or who are a 'public authority or body' may need to designate a Data Protection Officer (DPO) and/or a UK / EU representative. This is the person who we would normally contact regarding data protection.
Administrators will see a screen similar to this if we do not know who to contact regarding data protection.
Within the program, administrators will also see a GDPR option in the Administrator menu that shows who your data protection contact is and when you informed us.
If you ever want to contact us about GDPR, data protection or to find out more about how we process your data, please feel free to drop an email to our Data Protection Officer (DPO) and they will get back to you as soon as possible.
GDPR Backup (Administrators only):
As the Administrator, you can make a backup of all your school data using the GDPR Export feature. The backup can be made once every 90 days and only when our servers are in a low usage state. The file produced is a machine-readable compressed file that can be used to import your school data into another school report writing system.
You can access the 'GDPR Export' feature at the login window by first clicking 'Options' to reveal the Options panel. Select the Administrator in the list of users and enter the Admin password. In the options panel, now click the 'GDPR Export' button.
We allow schools that no longer have an active licence to make one backup of their data from our servers. This allows you to move your school data (past reports, layouts, images, etc.) to the report writing system your school currently uses.
If you have created a GDPR Export within the last 90 days then you will see a message that will inform you of the date you can make your next proper GDPR Export. Until then you can export the cached data on your computer.
You can also perform a GDPR export by clicking the 'Backup' icon on the main toolbar. If you are logged in as the Admin, the menu that appears should include 'GDPR Data Export'; click it.
It may take some time to download all your school's data from our servers. The download is done in such a way as to minimise disruption to other schools who may also be using the server at that time.
Once the data has fully downloaded to the 'cache' on your computer, you will be prompted to click the 'Save' button. Once you click 'Save', the data that has been downloaded will be compressed and collected together into a '.gdpr' file.
Note: Some of the data in the '.gdpr' file may be encrypted; the decryption key is your school 'licence code'.