White Paper Security. Data Protection and Security in School Management Systems
- Dustin Bryan
- 8 years ago
This paper clarifies the roles and responsibilities of those dealing with the data that is central to school management systems.

Contents
- Introduction
- Data Protection and Security
- The Edvance Solution
- Summary
- Glossary
- References

Copyright 2011 SAMI. All rights reserved

Introduction

As ICT solutions gain greater momentum within school settings, the benefits of school management systems are becoming more apparent. But as a school principal, have you ever wondered where your school data is actually stored and what your responsibilities are in relation to data protection law? In a recent ICT in Schools survey, 25% of the 286 school principals who took part stated that they did not have confidence in the security of their systems for storing pupil data. Other high-profile data privacy cases, such as the widely-reported Sony security breach in spring 2011, have highlighted the responsibilities associated with the handling of personal data.

This paper clarifies the roles and responsibilities of those dealing with the data that is central to school management systems. It shows how the introduction of a school management system can be used to introduce best practices and dramatically improve the processes and procedures associated with the management of this data. It also demonstrates how the careful selection of an online system can ultimately give confidence that data is stored in a secure environment.

Data Protection and Security

While the far-reaching benefits of web-based school management systems are well documented, it is understandable that school principals may not be entirely comfortable with adopting such an approach to school administration. As data controller for all pupil, staff and parent/guardian information, responsibility for compliance with the Data Protection Acts of 1988 and 2003 falls on the shoulders of the school principal. In the transition from pen and paper or locally-held spreadsheets to web-based management solutions, the role of the school principal as controller of personal data is compounded as the data is potentially centralised and accessed over an internet connection.
With several types of solution on offer in the marketplace, potential risks and vendor commitments in relation to data privacy are often unclear or unspecified.

The Data Protection Acts of 1988 and 2003 specify responsibilities in terms of defined roles.

The data controller is the person who, either alone or with others, controls the contents and use of personal data. In a school management scenario, this is fulfilled by the school principal, who accepts the data from parents, pupils and staff and is responsible for the safe storage and maintenance of this information.

The data processor is the person who processes personal data on behalf of a data controller but does not include an employee of a data controller who processes such data in the course of his employment. Where the school management system is in use, the software provider fulfils the role of data processor as it provides the means for the data to be processed.

The data subject is clearly the pupil, parent or staff member, who is the subject of personal data.

From the initial collection of personal data to the subsequent storage and processing, data protection obligations are shared in several ways between the school and the software provider. The cycle begins with the fair collection of data by the school and the agreement by the data subjects that their data can be processed. Aspects of the data protection act then come into play as the data is stored and processed.

1. Transfer of data outside the EEA:

Let's now look at the main considerations governing the location of data:

"The transfer of personal data to a country or territory outside the European Economic Area may not take place unless that country or territory ensures an adequate level of protection for the privacy and the fundamental rights and freedoms of data subjects in relation to the processing of personal data having regard to all the circumstances surrounding the transfer and, in particular, but without prejudice to the generality of the foregoing, to
(a) the nature of the data,
(b) the purposes for which and the period during which the data are intended to be processed,
(c) the country or territory of origin of the information contained in the data,
(d) the country or territory of final destination of that information,
(e) the law in force in the country or territory referred to in paragraph (d),
(f) any relevant codes of conduct or other rules which are enforceable in that country or territory,
(g) any security measures taken in respect of the data in that country or territory, and
(h) the international obligations of that country or territory."
(Ref: Data Protection Act 1988, Section 11(1))

In addition, a full list of exceptions to this is provided in Section 11 (4) (A) of the Data Protection Act.
However, the relevant exceptions may be summarised as follows:
- for transfers of personal data to the US, where the US recipient has signed up to the Safe Harbor principles (which impose similar obligations on US companies to those which apply in the EU)
- where the data controller is based in the EU and the data recipient is based outside the EEA, that the parties enter into a data transfer agreement, in the form approved by the European Commission
- or that the data subjects have given their consent to the transfer (although this exception is least favoured by the data commissioner)

What does this mean for the school?

As controller of the personal data collected, the school must guarantee that it will not transfer personal data outside the European Economic Area (EEA) to a country which is not recognised as having an adequate level of protection for privacy, unless it can rely on one of the exceptions. Where the transfer of personal data outside the EEA is carried out by the software provider with the school's approval, it remains the responsibility of the school to ensure that an exception can be relied upon.

The software provider may provide a clear guarantee that this obligation is met by the school by providing a solution that is hosted on dedicated servers located within the EEA. In contrast, some commercial solutions make use of cloud-based messaging and collaboration platforms such as Google Apps that are hosted at geographically-distributed data centres in unidentified locations. For data protection compliance, it is essential that the providers of such cloud-based solutions can either guarantee that the storage of data is limited to the EEA or prove that one of the exceptions applies. If neither of these is possible, it is ultimately the school that is in breach of data protection law.

2. Security Measures:

Next, let's consider the required security measures:

"Appropriate security measures shall be taken against unauthorised access to, or alteration, disclosure or destruction of, the data and against their accidental loss or destruction."
(Ref: Data Protection Act 1988, Section 2(1)(d)) (See also Sections 2C(1), 2C(2), and 2C(3))

What does this mean for the school?

As data processor, the software provider must ensure that it takes appropriate security measures to protect personal data against unauthorised access, unauthorised alteration, disclosure, destruction and other unlawful forms of processing, in particular where processing involves transmission of data over a network. The security measures taken by the software provider should be clearly stated and proven to provide adequate protection. At a minimum, there must be adequate encryption on the stored data, security on all network connections and stringent processes and procedures for all data access.

3. Duty of Care:

Also important is the duty of care that the data controller and data processor must demonstrate:

"For the purposes of the law of torts and to the extent that that law does not so provide, a person, being a data controller or a data processor, shall, so far as regards the collection by him of personal data or information intended for inclusion in such data or his dealing with such data, owe a duty of care to the data subject concerned"
(Ref: Data Protection Act 1988, Section 7)

What does this mean for the school?

As data processor, the software provider must guarantee a duty of care to the owner of the personal data. In addition to the security measures above, the software supplier should ensure that transparent and stringent data protection procedures are in place among staff members who have access to the data and the production environment.

4. Disclosure to Third-parties

Finally, let's consider the restrictions on third-party disclosures:

"Personal data processed by a data processor shall not be disclosed by him, or by an employee or agent of his, without the prior authority of the data controller on behalf of whom the data are processed."
(Ref: Data Protection Act 1988, Section 21)

What does this mean for the school?

The software provider must obtain the school's prior authority in the event that it intends to disclose personal data to a third party. To achieve maximum data privacy, it is advisable for the software provider to eliminate the need for disclosures to any third-parties. This can clearly be achieved by using a privately-owned and privately-managed hardware and software infrastructure to host the service.

In contrast, some commercial solutions make use of cloud-based messaging and collaboration platforms such as Google Apps that are managed by a third-party and are not entirely under the control of the software provider. In order to comply with the data protection act, the supplier must either include a reference to such disclosure in its Terms of Use and/or Privacy Statement, or otherwise ensure that it obtains prior authority from each school to disclose personal data to the third-party.

With due care and open co-operation between the school and the software provider, all of the potential issues above can be tackled comprehensively and ultimately give confidence that the school's data protection obligations are being met.

The Edvance Solution

Software Asset Management Ireland (SAMI) is an Irish-owned company that provides a comprehensive school management system called Edvance. With successful installations in many Irish primary schools, Edvance has proven to be a robust and secure solution. With data security as an utmost priority, SAMI has invested in its own hardware and software infrastructure to provide a hosting solution that can answer all of the questions that should be asked of any system under consideration:

Where is the data hosted?
Edvance data is hosted within a highly-secure data centre, which is located in the College and Technology park in Dublin. Custom built for maximum security and uptime, this data centre provides a guarantee of physical security and data security. The data centre is a fully Irish-owned company and is operated with its own independent network infrastructure and data centre facilities.

What security measures are provided as part of the service?
The data centre is manned and monitored 24 hours a day, 365 days a year by a team of skilled and trained Network Operations Centre engineers located onsite. It is positioned in a secured park whose entrance is manned 24x7 by security personnel. In addition, equipment is monitored via CCTV camera. The hosting core network contains redundant Cisco Firewall, IDS and DDoS mitigation services.

What other guarantees are provided?
The hosting agreement is governed by a strict penalty-driven service level agreement (SLA) that has been agreed between Digiweb and SAMI. It guarantees 99.99% network and power uptime, while also allowing 24 / 7 / 365 access to approved SAMI staff.

Who owns the hardware?
SAMI owns the high-specification servers that host the Edvance solution (Xeon E5520-2x2.27GHz processor, 32GB RAM). SAMI has invested substantially in the hardware infrastructure to ensure reliability, security and allow full control over the system, while housing it in a secure, monitored environment. The infrastructure has been carefully designed for scalability so that the solution can grow effectively as our business grows. Choosing and owning our hardware allows full control over the infrastructure so that it can be tailored to satisfy the needs of our growing customer base.

How secure is data in the database?
Before data is transferred to the database, it is encrypted using 256-bit encryption. This mitigates against data security risks on the network and separates data security from database-specific security measures.

How secure is data that is transferred between the browser and server?
The data is transferred over a secure channel that uses SSL to provide data security.

How is data backed up?
A full backup of data is performed nightly and stored on our backup servers, which are also located in the secure environment provided by the data centre.

Who has access to the system?
Access to the system is limited to SAMI staff. Strong passwords are used as per defined procedures and passwords are available to a limited sub-team only.

As a result of the above, what guarantees are provided?
Due to investment in our infrastructure as per the measures outlined above, SAMI can commit to:
a. at all times comply with Irish and EU data protection laws
b. use the data lawfully and only for the intended purpose
c. no personal information will be collected unless provided voluntarily
d. never transmit your data outside of Ireland
e. never share your data with any third party unless required to by law
f. never store your data on any equipment that is not owned or under the direct control of SAMI

The investment in a robust architecture for Edvance and the secure measures that have been put in place allow SAMI to address the data protection obligations in the following ways:

1. Transfer of data outside the EEA:
Edvance is hosted on a high-specification dedicated server that is owned by the software provider, SAMI. It is located within a data centre in Ireland and is controlled exclusively by employees of SAMI. These measures provide a guarantee that the data is held within the EEA. This relieves the school of concerns over the location of the data and helps the school to fulfil their obligations in relation to this responsibility.

2. Security Measures:
Edvance data is hosted within a private database on a dedicated server that is owned by the software provider, SAMI. The data is encrypted using symmetric SHA-1 encryption and the connection from the browser to the server is protected using SSL.

3. Duty of Care:
Employees of SAMI have signed a data privacy agreement, committing to stringent measures when processing third-party data. E.g.
- Access to school data is restricted to a well-defined team
- On transfer from schools to SAMI, all data is password protected
- Data is stored in a dedicated area that is password protected and limited to a well-defined team
- Data is not stored on local machines. It is not emailed externally or internally outside the Edvance data team
- CDs used to transfer data from schools to SAMI are shredded after use

Edvance provides tightly-controlled logins that limit access to particular data depending on the role group of the user:
- Principal
- Teacher
- Secretary
Logins can be managed solely by the school principal or secretary.

4. Disclosure to Third-parties
Edvance is hosted on a high-specification dedicated server that is owned by the software provider, SAMI. It is located within a data centre in Ireland and is controlled exclusively by employees of SAMI. SAMI does not use any third-parties to process data on their behalf. These measures provide a guarantee that the data is not disclosed to any third parties and is handled exclusively within an environment that is controlled by SAMI. It removes concerns over adequate data protection and relieves the school of obligations in relation to this responsibility.

Summary

School management systems can be used not only to ease the burden of administration but also to centralise sensitive data and to help fulfil data protection obligations. The careful selection of a school management system plays a key role in determining whether data protection obligations are met by the school, which is ultimately responsible for the data of its pupils, staff and parents/guardians.

In selecting a school management system, it is essential that the school gains an understanding of the underlying technology in the product, the precise location of their data and the security measures that are being taken by staff while processing the data, and is aware of third parties involved in the storage and processing of data. At a minimum, it is recommended that the data is stored on a dedicated server at a known location within the EEA, the data is stored and accessed securely and that security procedures of the supplier are adequate.

SAMI's Edvance product is a comprehensive solution that employs industry-standard security protocols for the storage and handling of school data. It has implemented stringent data protection procedures among the limited team that has access to production data. Most of all, SAMI has invested in its infrastructure by using its own dedicated servers that are housed at a secure location in Ireland. This not only helps to fulfil the obligations of the software supplier but goes the extra mile to remove obligations that would normally lie with the school itself.

*The information provided in this document is relevant as per time of authorship and is subject to change.

Glossary

Data: automated data and manual data

Automated data: information that (a) is being processed by means of equipment operating automatically in response to instructions given for that purpose, or (b) is recorded with the intention that it should be processed by means of such equipment

Manual data: information that is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system

Personal data: data relating to a living individual who is or can be identified either from the data or from the data in conjunction with other information that is in, or is likely to come into, the possession of the data controller

Sensitive personal data: personal data as to (a) the racial or ethnic origin, the political opinions or the religious or philosophical beliefs of the data subject, (b) whether the data subject is a member of a trade union, (c) the physical or mental health or condition or sexual life of the data subject, (d) the commission or alleged commission of any offence by the data subject, or (e) any proceedings for an offence committed or alleged to have been committed by the data subject, the disposal of such proceedings or the sentence of any court in such proceedings

Data controller: a person who, either alone or with others, controls the contents and use of personal data

Data processor: a person who processes personal data on behalf of a data controller but does not include an employee of a data controller who processes such data in the course of his employment

Data subject: an individual who is the subject of personal data

References

Data Protection Commissioner Resources:
SAMI Website:
Edvance Website:
ICT in Schools Survey 2011:

Software Asset Management Ireland, 8/9 Hanover Street East, Dublin 2, Ireland
More informationHuman Resources and Data Protection
Human Resources and Data Protection Contents 1. Policy Statement... 1 2. Scope... 2 3. What is personal data?... 2 4. Processing data... 3 5. The eight principles of the Data Protection Act... 4 6. Council
More informationThe Anti-Corruption Compliance Platform
The Anti-Corruption Compliance Platform DATA COLLECTION RISK IDENTIFICATION SCREENING INTEGRITY DUE DILIGENCE CERTIFICATIONS GIFTS, TRAVEL AND ENTERTAINMENT TRACKING SECURITY AND DATA PROTECTION The ComplianceDesktop
More informationCloud Software Services for Schools
Cloud Software Services for Schools Supplier self-certification statements with service and support commitments Please insert supplier details below Supplier name Address Contact name Contact email Contact
More informationRick Parsons Information Governance Officer County Hall 01865 323593 rick.parsons@oxfordshire.gov.uk
Rick Parsons Information Governance Officer County Hall 01865 323593 rick.parsons@oxfordshire.gov.uk 1 THE DATA PROTECTION ACT 1998 2 Requirements of the Act Roles & Responsibilities Best Practice 3 The
More informationwww.neelb.org.uk Web Site Download Carol Johnston
What I need to know about data protection and information security when purchasing a service that requires access to my information by a third party. www.neelb.org.uk Web Site Download Carol Johnston Corporate
More informationBinding Corporate Rules ( BCR ) Summary of Third Party Rights
Binding Corporate Rules ( BCR ) Summary of Third Party Rights This document contains in its Sections 3 9 all provision of the Binding Corporate Rules (BCR) for Siemens Group Companies and Other Adopting
More informationData Protection Policy
Data Protection Policy Responsible Officer Author Date effective from July 2009 Ben Bennett, Business Planning & Resources Director Julian Lewis, Governance Manager Date last amended December 2012 Review
More informationInformation Governance Policy
Information Governance Policy 1 Introduction Healthwatch Rutland (HWR) needs to collect and use certain types of information about the Data Subjects who come into contact with it in order to carry on its
More informationPolicy and Procedure for approving, monitoring and reviewing personal data processing agreements
Policy and Procedure for approving, monitoring and reviewing personal data processing agreements 1 Personal data processing by external suppliers, contractors, agents and partners Policy and Procedure
More informationLittle Marlow Parish Council Registration Number for ICO Z3112320
Data Protection Policy Little Marlow Parish Council Registration Number for ICO Z3112320 Adopted 2012 Reviewed 23 rd February 2016 Introduction The Parish Council is fully committed to compliance with
More informationPrivacy Policy for Data Collected by Blue State Digital
Privacy Policy for Data Collected by Blue State Digital Overview Blue State Digital LLC. ( Blue State Digital, BSD or we ) provides various services to non- profit entities and other related businesses
More informationPolicy Document Control Page
Policy Document Control Page Title Title: Data Protection Policy Version: 3 Reference Number: CO59 Keywords: Data, access, principles, protection, Act. Data Subject, Information Supersedes Supersedes:
More informationDATA PROTECTION AUDIT GUIDANCE
DATA PROTECTION AUDIT GUIDANCE CONTENTS Section I: Section II: Audit of Processing of Personal Data Audit Procedure Appendices: A B C D E Audit Form List of Purposes List of data subjects List of data
More informationIndex. Definitions. What is Data Protection? Rights of Individuals. The 8 Principles of Data Protection
Data Protection Awareness Based on DIT s Data Protection Policy, the Data Protection Acts, 1988 & 2003 and guidance from the Office of the Data Protection Commissioner Index Definitions What is Data Protection?
More informationPRIVACY POLICY Personal information and sensitive information Information we request from you
PRIVACY POLICY Business Chicks Pty Ltd A.C.N. 121 566 934 (we, us, our, or Business Chicks) recognises and values the protection of your privacy. We also understand that you want clarity about how we manage
More informationPolice Financial Services Limited Copyright exists in this document Privacy Policy 1
Privacy January 2015 Policy Police Financial Services Limited ABN 33 087 651 661 ('we', 'us', 'our', BankVic ) is bound by the Australian Privacy Principles under the Privacy Act 1988 (Cth) (Privacy Act).
More informationDATA PROTECTION POLICY
DATA PROTECTION POLICY Approval date: June 2014 Approved by: Board Responsible Manager: Executive Director of Resources Next Review June 2016 Data Protection Policy 1. Introduction Data Protection Policy
More informationHuman Resources Policy documents. Data Protection Policy
Policy documents Aims of the Policy apetito is committed to meeting its obligations under data protection law. As a business, apetito handles a range of Personal Data relating to its customers, staff and
More informationDATA PROTECTION POLICY
DATA PROTECTION POLICY The information and guidelines within this Policy are important and apply to all members, Fellows and staff of the College 1. INTRODUCTION Like all educational establishments, the
More informationData Protection. Processing and Transfer of Personal Data in Kvaerner. Binding Corporate Rules Public Document
Data Protection Processing and Transfer of Personal Data in Kvaerner Binding Corporate Rules Public Document 1 of 19 1 / 19 Table of contents 1 Introduction... 4 1.1 Scope... 4 1.2 Definitions... 4 1.2.1
More informationData Processing Agreement for Oracle Cloud Services
Data Processing Agreement for Oracle Cloud Services Version December 1, 2013 1. Scope and order of precedence This is an agreement concerning the Processing of Personal Data as part of Oracle s Cloud Services
More informationCloud Software Services for Schools
Cloud Software Services for Schools Supplier self-certification statements with service and support commitments Please insert supplier details below Supplier name Address Contact name Contact email Contact
More informationCloud Software Services for Schools
Cloud Software Services for Schools Supplier self-certification statements with service and support commitments Please insert supplier details below Supplier name Address Isuz Ltd. trading as Schoolcomms
More informationData Protection and Information Security Policy and Procedure
Data Protection and Information Security Policy and Procedure Document Detail Category: Data Protection Authorised By: Full Governing Body Author: School Business Manager Version: 1 Status: Approved May
More informationHow To Choose A Cloud Service From One Team Logic
Cloud Software Services for Schools Supplier Self Certification Statements with Services and Support Commitments Supplier Name One Team Logic Limited Address Unit 2 Talbot Green Business Park Heol-y-Twyn
More informationProposal of regulation Com 2012 11/4 Directive 95/46/EC Conclusion
Page 1 sur 155 Proposal of regulation Com 2012 11/4 Directive 95/46/EC Conclusion Legal nature of the instrument Règlement Directive Directly applicable act in internal law 91 articles 34 articles Art.
More informationPRIVACY REGULATIONS regarding the Web Health History ("W.H.H.") Service called LifepassportPRO provided by Meshpass SA
PRIVACY REGULATIONS regarding the Web Health History ("W.H.H.") Service called LifepassportPRO provided by Meshpass SA Updated: 20 Jun 2015 (substitutes previous versions) This Privacy Policy describes
More informationHampstead Parochial CofE Primary School Data Protection Policy Spring 2015
Hampstead Parochial CofE Primary School Data Protection Policy Spring 2015 1. Introduction and Scope 1.1 The Data Protection Act 1998 is the law that protects personal privacy and applies to any school
More informationAppendix 11 - Swiss Data Protection Act
GLEIF- LOU Restricted Appendix 11 - Swiss Data Protection Act GLEIF Revision Version: 1.0 2015-09-23 Master Copy page 2 of 11 Applicable Provisions of the Swiss Data Protection Act (DPA) including the
More informationData Protection in the Charity & Voluntary Sector
1 Data Protection in the Charity & Voluntary Sector Guidelines April 2011.Version 5.0 Office of the Data Protection Commissioner 2 CONTENTS Page INTRODUCTION 3 1. Key Recommendations 4 2. Donor Databases
More informationHIPAA Privacy & Security White Paper
HIPAA Privacy & Security White Paper Sabrina Patel, JD +1.718.683.6577 sabrina@captureproof.com Compliance TABLE OF CONTENTS Overview 2 Security Frameworks & Standards 3 Key Security & Privacy Elements
More informationADVANCED CABLE COMMUNICATIONS WEBSITE PRIVACY POLICY COLLECTION AND USE OF INFORMATION FROM USERS
ADVANCED CABLE COMMUNICATIONS WEBSITE PRIVACY POLICY Advanced Cable Communications ( Company ) strives to offer visitors to its website (the Site ) the many advantages of Internet technology and to provide
More informationTERMS & CONDITIONS of SERVICE for MSKnote. Refers to MSKnote Limited. Refers to you or your organisation
TERMS & CONDITIONS of SERVICE for MSKnote Definitions: "Us or Our or We or Company" You or Your or Client Refers to MSKnote Limited Refers to you or your organisation Information about us: We are MSKnote
More informationCorporate Guidelines for Subsidiaries (in Third Countries ) *) for the Protection of Personal Data
Corporate Guidelines for Subsidiaries (in Third Countries ) *) for the Protection of Personal Data *) For the purposes of these Corporate Guidelines, Third Countries are all those countries, which do not
More informationPrivacy and Electronic Communications Regulations
ICO lo Notification of PECR security breaches Privacy and Electronic Communications Regulations Contents Introduction... 2 Overview... 2 Relevant security breaches... 3 What is a service provider?... 3
More informationData Protection Avoiding Information Commissioner Fines. Caroline Egan 5 June 2014
Data Protection Avoiding Information Commissioner Fines Caroline Egan 5 June 2014 Why is data protection a hot topic in pensions? Pension schemes hold large amounts of personal data Individuals more aware
More informationData controllers and data processors: what the difference is and what the governance implications are
ICO lo : what the difference is and what the governance implications are Data Protection Act Contents Introduction... 3 Overview... 3 Section 1 - What is the difference between a data controller and a
More informationData Protection Acts 1988 and 2003: Informal Consolidation
Page 1 of 55 Data Protection Acts 1988 and 2003: Informal Consolidation IMPORTANT NOTICE This document is an informal consolidation of the Data Protection Acts 1988 and 2003, prepared by the Office of
More informationBRING YOUR OWN DEVICE
BRING YOUR OWN DEVICE Legal Analysis & Practical TIPs for an effective BYOD corporate Policy CONTENTS 1. What is BYOD? 2. Benefits and risks of BYOD in Europe 3. BYOD and existing Policies 4. Legal issues
More informationData Protection Guidance
53 September 2010 Management Circular No. 53 Glasgow City Council Education Services Wheatley House 25 Cochrane Street Merchant City GLASGOW G1 1HL To Heads of all Educational Establishments Data Protection
More informationIRISH BANKING FEDERATION DATA PROTECTION GUIDE MAY 2013
IRISH BANKING FEDERATION MAY 2013 1. INTRODUCTION...2 Data Protection and Other Legislation... 2 Definitions... 3 2. DATA PROTECTION PRINCIPLES...5 2.1 Obtain and process data fairly... 5 2.2 Process it
More informationGSK Public policy positions
Safeguarding Personally Identifiable Information A Summary of GSK s Binding Corporate Rules The Issue The processing of Personally Identifiable Information (PII) 1 and Sensitive Personally Identifiable
More informationon the transfer of personal data from the European Union
on the transfer of personal data from the European Union BCRsseptembre 2008.doc 1 TABLE OF CONTENTS I. PRELIMINARY REMARKS 3 II. DEFINITIONS 3 III. DELEGATED DATA PROTECTION MANAGER 4 IV. MICHELIN GROUP
More informationData Protection Policy June 2014
Data Protection Policy June 2014 Approving authority: Consultation via: Court Audit and Risk Committee, University Executive, Secretary's Board, Information Governance and Security Group Approval date:
More informationQUEENSLAND COUNTRY HEALTH FUND. privacy policy. Queensland Country Health Fund Ltd ABN 18 085 048 237. better health cover shouldn t hurt
QUEENSLAND COUNTRY HEALTH FUND privacy policy Queensland Country Health Fund Ltd ABN 18 085 048 237 better health cover shouldn t hurt 1 2 contents 1. Introduction 4 2. National Privacy Principles 5 3.
More informationSecurity & Infra-Structure Overview
Security & Infra-Structure Overview Contents KantanMT Platform Security... 2 Customer Data Protection... 2 Application Security... 2 Physical and Environmental Security... 3 ecommerce Transactions... 4
More informationData Protection Act. Privacy & Security in the Information Age. April 26, 2013. Ministry of Communications, Ghana
Data Protection Act Privacy & Security in the Information Age April 26, 2013 Agenda Privacy in The Information Age The right to privacy Why We Need Legislation Purpose of the Act The Data Protection Act
More informationPrivacy Policy. February, 2015 Page: 1
February, 2015 Page: 1 Revision History Revision # Date Author Sections Altered Approval/Date Rev 1.0 02/15/15 Ben Price New Document Rev 1.1 07/24/15 Ben Price Verify Privacy Grid Requirements are met
More informationData Sharing Protocol
Data Sharing Protocol Agreement for Sharing Data Between Partners of the South Dublin Childrens Services Committee Version 0.4 Final Draft June 2009 Contents 1 Preface...3 2 Introduction & Overview...3
More information