EVOLVE GDPR Policy (May 2018)

We take your privacy very seriously and work to the highest standards to keep your data safe. We welcome the introduction of the General Data Protection Regulation (GDPR), which comes into force on the 25th May 2018, as it provides everyone with an opportunity to reflect upon the measures in place to protect data.

eduFOCUS Limited, the providers of the EVOLVE system, is committed to compliance with all relevant EU and Member State laws in respect of personal data, and the protection of the rights and freedoms of individuals whose information we collect and process in accordance with the General Data Protection Regulation (GDPR). Ongoing compliance is embedded in all processes and policies throughout our organisation.

We've outlined the policy, system, and operational changes that have been implemented in EVOLVE and eduFOCUS Ltd to comply with the GDPR.

Who is responsible for Personal Data?

Under the GDPR, organisations are recognised as Data Controllers, Data Processors, or both. The requirements differ depending on your role in the data collection and handling process. eduFOCUS Ltd is both a data controller (of data about our customers) and a data processor (of our customers' data).

As Data Controllers, our customers decide:

- How and why any personal information is to be processed
- Which information is collected, stored and processed
- Who can access the system and therefore which users are permitted to view what information (by setting their account type)
- To turn on the Visit Register and/or the Accompanying Staff modules
- To add custom questions to gather additional information
- To require/request files to be attached to visit forms
- etc.

As such, the Licensee is responsible for ensuring that appropriate data is stored and processed and that access to such data is restricted appropriately. 

As Data Processor, we:

- Are registered with the Information Commissioner's Office as Data Processor
- Utilise a wide range of security measures in line with the recommendations provided by ICO (Information Commissioner's Office)
- Implement additional security measures including advanced firewalls, enterprise-level virus protection on all servers, HTTPS encryption for all communication between our servers and users, regular data backup, username/password/PIN to control access, failed log-in attempt logging, automatic suspicious activity detection and logging etc.
- Provide Data Controllers with a range of integrated tools to support you in meeting your obligations as Data Controller
- Continue to support Data Controllers with their obligations.

 

How is EVOLVE preparing for GDPR?

Policy Updates

Terms and Conditions: Our Terms and Conditions have been updated to include a new Data Processing Addendum with the Model Clauses required by the GDPR.

Variation Letter: We'll shortly issue a Letter of Variation to existing Licensees which includes a new Data Processing Addendum with the Model Clauses required by the GDPR.

Privacy Policy: We'll continue to share the specific details of personal data collected in our Privacy Policy. This policy is publicly available on our website.

Cookie Policy: We're updating our cookie policy to comply with the GDPR.

 

Operational Updates

Data Mapping Audit: We've completed a comprehensive audit of the data that we process and store. We've also reviewed our data breach incident response procedure.

Security & Incident Response Training: All eduFOCUS Ltd staff have undertaken GDPR training on data management and security. All eduFOCUS Ltd staff are aware of the incident response procedures. We continue to conduct comprehensive ongoing security risk assessments. Security has always been a top priority for eduFOCUS Ltd, and this additional training and these security measures build on the robust protocols that already exist to prevent and respond to data breaches and vulnerabilities.

 

System Updates

Data Usage: We've completed a comprehensive data audit to ensure we only collect data critical to business needs and will review our retained data regularly.

Data Access, Portability & Deletion: We will be introducing new features to allow authorised users to hard delete data so that Data Controllers can comply with their obligations to destroy data where there is no longer a justifiable reason to retain the data.

Data Security Dashboard: We are introducing a new EVOLVE Data Security Dashboard which allows System Administrators to configure and implement additional security features including Two-Factor Authentication, Email Single Sign-On (ESSO), Password Expiry Periods, Password Reuse Rules, Password Fail Rules, Session Time-out Periods and a list of all users that have System Administrator permissions.

Data Centre Security Measures: We have invested in additional data centre security features to help ensure protection of data, including a DDoS security feature, Web Application Firewalls (WAFs), Proactive Threat Monitoring and Threat Response. Further information is available in 'EVOLVE Technical & Security Measures' in Resources.

 

If you have any questions, please let us know. We're here to help.

 

Resources & Further Information

 

- Sample EVOLVE Contract Variation. A sample copy of the contract variation signed by clients (useful for schools using EVOLVE via their LA/Trust).
- EVOLVE Privacy Policy (go to evolve.online, choose your EVOLVE system and then click the "Privacy Policy" link at the bottom of the page)
- EVOLVE Technical & Security Measures
- Top Tips for EVOLVE Users
- Data Processing Details
- EVOLVE User Rights
- EVOLVE Password Policy
- Information Commissioner's Office
- GDPR Guidance for Schools (DfE) (Video: 6 minutes)
- LGFL GDPR Resource Portal
- DfE Data Protection Toolkit for Schools
- Full text of GDPR