EVOLVE
GDPR Policy
We take your privacy very seriously and work to the
highest standards to keep your data safe. We welcome the introduction of the General Data Protection Regulation
(GDPR), which came into force on the 25th May 2018, as it provided everyone
with an opportunity to reflect upon the measures in place to protect data.
eduFOCUS Limited, the providers of the EVOLVE
system, is committed to compliance with all relevant UK and Member State laws
in respect of personal data, and the protection of the rights and freedoms of
individuals whose information we collect and process in accordance with the
General Data Protection Regulation (GDPR). Ongoing compliance is embedded in
all processes and policies throughout our organisation.
We've outlined the policy, system, and operational
changes that have been implemented in EVOLVE and eduFOCUS Ltd to comply with
the GDPR.
Who is responsible for Personal Data?
Under the GDPR, organisations are recognised
as Data Controllers, Data Processors, or both. The requirements differ depending on your
role in the data collection and handling process. eduFOCUS Ltd is both a data controller (of
data about our customers) and a data processor (of our customers' data).
As Data Controllers, our customers decide:
- How and why any personal information is to be processed.
- Which information is collected, stored and processed
- Who can access the system and therefore which users are permitted to view what information (by setting their account type)
- To turn on the Visit Register and/or the Accompanying Staff modules
- To add custom questions to gather additional information
- To require/request files to be attached to visit forms
- etc.
As such, the Licensee is responsible for ensuring
that appropriate data is stored and processed and that access to such data is
restricted appropriately.
As Data Processor, we:
- Are registered with the Information Commissioner's Office as Data Processor
- Utilise a wide range of security measures in line with the recommendations provided by ICO (Information Commissioner's Office)
- Implement additional security measures including advanced firewalls, enterprise-level virus protection on all servers, HTTPS encryption for all communication between our servers and users, regular data backup, username/password/PIN to control access, failed log-in attempt logging, automatic suspicious activity detection and logging etc.
- Provide Data Controllers with a range of integrated tools to support you in meeting your obligations as Data Controller
- Continue to support Data Controllers with their obligations.
Policy Updates
Operational Updates
Data Mapping Audit: We've completed a comprehensive
audit of the data that we process and store. We've also reviewed our data breach incident response procedure.
Security & Incident Response Training: All eduFOCUS Ltd staff have
undertaken GDPR training on data management and security. All eduFOCUS Ltd staff are aware of the
incident response procedures. We
continue to conduct comprehensive ongoing security risk assessments. Security
has always been a top priority for eduFOCUS Ltd, and these additional training
and security measures build on the robust protocols that already exist to
prevent and respond to data breaches and vulnerabilities.
System Updates
Data Usage: We've completed a comprehensive data
audit to ensure we only collect data critical to business needs and will review
our retained data regularly.
Data Access, Portability & Deletion: We have introduced new features
to allow authorised users to hard delete data so that Data Controllers can
comply with their obligations to destroy data where there is no longer a
justifiable reason to retain the data.
Data Security Dashboard: We have introduced a new EVOLVE Data Security Dashboard
which allows System Administrators to configure and implement additional
security features including Two-Factor Authentication, Email Single Sign-On
(ESSO), Password Expiry Periods, Password Reuse Rules, Password Fail Rules,
Session Time-out Periods and a list of all users that have System Administrator
permissions.
Data Centre Security Measures: We have invested in additional data centre
security features to help ensure protection of data, including a DDoS security
feature, Web Application Firewalls (WAFs), Proactive Threat Monitoring and Threat
Response. Further information is
available in 'EVOLVE Technical & Security Measures' in Resources.
If you have any questions, please let us know. We're here to help.
Resources & Further Information
- EVOLVE Privacy Policy
- EVOLVE Technical & Security Measures
- Information Commissioner's Office