GDPR statement - eduFOCUS

EVOLVE GDPR Policy

We take your privacy very seriously and work to the highest standards to keep your data safe. We welcomed the introduction of the General Data Protection Regulation (GDPR), which came into force on the 25th May 2018, as it provided everyone with an opportunity to reflect upon the measures in place to protect data.

eduFOCUS Limited, the providers of the EVOLVE system, is committed to compliance with all relevant EU and Member State laws in respect of personal data, and the protection of the rights and freedoms of individuals whose information we collect and process in accordance with the General Data Protection Regulation (GDPR). Ongoing compliance is embedded in all processes and policies throughout our organisation.

We’ve outlined the policy, system, and operational changes that have been implemented in EVOLVE and eduFOCUS Ltd to comply with the GDPR.

Who is responsible for Personal Data?

Under the GDPR, organisations are recognised as Data Controllers, Data Processors, or both. The requirements differ depending on your role in the data collection and handling process. EduFOCUS Ltd is both a data controller (of data about our customers) and a data processor (of our customers’ data).

As Data Controllers, our customers decide:

How and why any personal information is to be processed
Which information is collected, stored and processed
Who can access the system and therefore which users are permitted to view what information (by setting their account type)
To turn on the Visit Register and/or the Accompanying Staff modules
To add custom questions to gather additional information
To require/request files to be attached to visit forms
etc.

As such, the Licensee is responsible for ensuring that appropriate data is stored and processed and that access to such data is restricted appropriately.

As Data Processor, we:

Are registered with the Information Commissioner’s Office as Data Processor
Utilise a wide range of security measures in line with the recommendations provided by the ICO (Information Commissioner’s Office)
Implement additional security measures including advanced firewalls, enterprise-level virus protection on all servers, HTTPS encryption for all communication between our servers and users, regular data backup, username/password/PIN to control access, failed log-in attempt logging, automatic suspicious activity detection and logging, etc.
Provide Data Controllers with a range of integrated tools to support you in meeting your obligations as Data Controller
Continue to support Data Controllers with their obligations.

How EVOLVE complies with GDPR

Policy Updates

Terms and Conditions: Our Terms and Conditions have been updated to include a new Data Processing Addendum with the Model Clauses required by the GDPR.

Variation Letter: We issued a Letter of Variation to all existing Licensees which included a new Data Processing Addendum with the Model Clauses required by the GDPR. All new Terms of Contract are fully GDPR compliant.

Privacy Policy: We’ll continue to share the specific details of personal data collected in our Privacy Policy. This policy is publicly available on our website.

Cookie Policy: We updated our cookie policy to comply with the GDPR.

Operational Updates

Data Mapping Audit: We’ve completed a comprehensive audit of the data that we process and store. We’ve also reviewed our data breach incident response procedure.

Security & Incident Response Training: All eduFOCUS Ltd staff have undertaken GDPR training on data management and security. All eduFOCUS Ltd staff are aware of the incident response procedures. We continue to conduct comprehensive ongoing security risk assessments. Security has always been a top priority for eduFOCUS Ltd, and this additional training and security measures builds on the robust protocols that already exist to prevent and respond to data breaches and vulnerabilities.

System Updates

Data Usage: We’ve completed a comprehensive data audit to ensure we only collect data critical to business needs and will review our retained data regularly.

Data Access, Portability & Deletion: We have introduce new features to allow authorised users to hard delete data so that Data Controllers can comply with their obligations to destroy data where there is no longer a justifiable reason to retain the data.

Data Security Dashboard: We have introduced a new EVOLVE Data Security Dashboard which allows System Administrators to configure and implement additional security features including Two-Factor Authentication, Email Single Sign-On (ESSO), Password Expiry Periods, Password Reuse Rules, Password Fail Rules, Session Time-out Periods and a list of all users that have System Administrator permissions.

Data Centre Security Measures: We have invested in additional data centre security features to help ensure protection of data, including DDoS security feature, Web Application Firewalls (WAFs), Proactive Threat Monitoring and Threat Response. Further information is available in ‘EVOLVE Technical & Security Measures’ in Resources.

If you have any questions, please let us know. We’re here to help.

Resources & Further Information

Sample EVOLVE Contract Variation. A sample copy of the contract variation signed by clients (useful for schools using EVOLVE via their LA/Trust).
EVOLVE Privacy Policy (go to evolve.online, choose your EVOLVE system and then click the “Privacy Policy” link at the bottom of the page)
EVOLVE Technical & Security Measures
Top Tips for EVOLVE Users
Data Processing Details
EVOLVE User Rights
EVOLVE Password Policy
Information Commissioner’s Office
LGFL GDPR Resource Portal
DfE Data Protection Toolkit for Schools
Full text of GDPR