We take your privacy very seriously and work to the
highest standards to keep your data safe. We welcome the introduction of the General Data Protection Regulation
(GDPR), which came into force on the 25th May 2018, as it provided everyone
with an opportunity to reflect upon the measures in place to protect data.
eduFOCUS Limited, the providers of the EVOLVE
system, is committed to compliance with all relevant UK and Member State laws
in respect of personal data, and the protection of the rights and freedoms of
individuals whose information we collect and process in accordance with the
General Data Protection Regulation (GDPR). Ongoing compliance is embedded in
all processes and policies throughout our organisation.
We've outlined the policy, system, and operational
changes that have been implemented in EVOLVE and eduFOCUS Ltd to comply with
Under the GDPR, organisations are recognised
as Data Controllers, Data Processors, or both. The requirements differ depending on your
role in the data collection and handling process. EduFOCUS Ltd is both a data controller (of
data about our customers) and a data processor (of our customers' data) .
- How and why any personal
information is to be processed.
Which information is collected, stored and processed
Who can access the system and therefore which users
are permitted to view what information (by setting their account type)
To turn on the Visit Register and/or the
Accompanying Staff modules
To add custom questions to gather additional
To require/request files to be attached to visit
As such, the Licensee is responsible for ensuring
that appropriate data is stored and processed and that access to such data is
Are registered with the Information Commissioner's
Office as Data Processor
Utilise a wide range of security measures in line
with the recommendations provided by ICO (Information Commissioner's Office)
Implement additional security measures including
advanced firewalls, enterprise-level virus protection on all servers, HTTPS
encryption for all communication between our servers and users, regular data
backup, username/password/PIN to control access, failed log-in attempt logging,
automatic suspicious activity detection and logging etc.
Provide Data Controllers with a range of integrated
tools to support you in meeting your obligations as Data Controller
Continue to support Data Controllers with their
We've completed a comprehensive
audit of the data that we process and store. We've also reviewed our data breach incident response procedure.
All eduFOCUS Ltd staff have
undertaken GDPR training on data management and security. All eduFOCUS Ltd staff are aware of the
incident response procedures. We
continue to conduct comprehensive ongoing security risk assessments. Security
has always been a top priority for eduFOCUS Ltd, and this additional training
and security measures builds on the robust protocols that already exist to
prevent and respond to data breaches and vulnerabilities.
We've completed a comprehensive data
audit to ensure we only collect data critical to business needs and will review
our retained data regularly.
We have introduce new features
to allow authorised users to hard delete data so that Data Controllers can
comply with their obligations to destroy data where there is no longer a
justifiable reason to retain the data.
We have introduced a new EVOLVE Data Security Dashboard
which allows System Administrators to configure and implement additional
security features including Two-Factor Authentication, Email Single Sign-On
(ESSO), Password Expiry Periods, Password Reuse Rules, Password Fail Rules,
Session Time-out Periods and a list of all users that have System Administrator
We have invested in additional data centre
security features to help ensure protection of data, including DDoS security
feature, Web Application Firewalls (WAFs), Proactive Threat Monitoring and Threat
Response. Further information is
available in 'EVOLVE Technical & Security Measures' in Resources.
If you have any questions, please let us know. We're here to help.