White Paper Security. Data Protection and Security in School Management Systems


This paper clarifies the roles and responsibilities of those dealing with the data that is central to school management systems.

Contents

Introduction
Data Protection and Security
The Edvance Solution
Summary
Glossary
References

Copyright 2011 SAMI. All rights reserved

Introduction

As ICT solutions gain greater momentum within school settings, the benefits of school management systems are becoming more apparent. But as a school principal, have you ever wondered where your school data is actually stored and what your responsibilities are in relation to data protection law? In a recent ICT in Schools survey, 25% of the 286 school principals who took part stated that they did not have confidence in the security of their systems for storing pupil data. Other high-profile data privacy cases, such as the widely reported Sony security breach in spring 2011, have highlighted the responsibilities associated with the handling of personal data.

This paper clarifies the roles and responsibilities of those dealing with the data that is central to school management systems. It shows how the introduction of a school management system can be used to introduce best practices and dramatically improve the processes and procedures associated with the management of this data. It also demonstrates how the careful selection of an online system can ultimately give confidence that data is stored in a secure environment.

Data Protection and Security

While the far-reaching benefits of web-based school management systems are well documented, it is understandable that school principals may not be entirely comfortable with adopting such an approach to school administration. As data controller for all pupil, staff and parent/guardian information, responsibility for compliance with the Data Protection Acts of 1988 and 2003 falls on the shoulders of the school principal. In the transition from pen and paper or locally-held spreadsheets to web-based management solutions, the role of the school principal as controller of personal data is compounded as the data is potentially centralised and accessed over an internet connection.
With several types of solution on offer in the marketplace, potential risks and vendor commitments in relation to data privacy are often unclear or unspecified.

The Data Protection Acts of 1988 and 2003 specify responsibilities in terms of defined roles. The data controller is the person who, either alone or with others, controls the contents and use of personal data. In a school management scenario, this is fulfilled by the school principal, who accepts the data from parents, pupils and staff and is responsible for the safe storage and maintenance of this information. The data processor is the person who processes personal data on behalf of a data controller but does not include an employee of a data controller who processes such data in the course of his employment. Where the school management system is in use, the software provider fulfils the role of data processor as it provides the means for the data to be processed. The data subject is clearly the pupil, parent or staff member, who is the subject of personal data.

From the initial collection of personal data to the subsequent storage and processing, data protection obligations are shared in several ways between the school and the software provider. The cycle begins with the fair collection of data by the school and the agreement by the data subjects that their data can be processed. Aspects of the Data Protection Act then come into play as the data is stored and processed.

1. Transfer of data outside the EEA:

Let's now look at the main considerations governing the location of data:

The transfer of personal data to a country or territory outside the European Economic Area may not take place unless that country or territory ensures an adequate level of protection for the privacy and the fundamental rights and freedoms of data subjects in relation to the processing of personal data having regard to all the circumstances surrounding the transfer and, in particular, but without prejudice to the generality of the foregoing, to
(a) the nature of the data,
(b) the purposes for which and the period during which the data are intended to be processed,
(c) the country or territory of origin of the information contained in the data,
(d) the country or territory of final destination of that information,
(e) the law in force in the country or territory referred to in paragraph (d),
(f) any relevant codes of conduct or other rules which are enforceable in that country or territory,
(g) any security measures taken in respect of the data in that country or territory, and
(h) the international obligations of that country or territory.
(Ref: Data Protection Act 1988, Section 11(1))

In addition, a full list of exceptions to this is provided in Section 11 (4) (A) of the Data Protection Act.
However, the relevant exceptions may be summarised as follows:
- for transfers of personal data to the US, where the US recipient has signed up to the Safe Harbor principles (which impose similar obligations on US companies to those which apply in the EU)
- where the data controller is based in the EU and the data recipient is based outside the EEA, that the parties enter into a data transfer agreement, in the form approved by the European Commission
- or that the data subjects have given their consent to the transfer (although this exception is least favoured by the data commissioner)

What does this mean for the school?

As controller of the personal data collected, the school must guarantee that it will not transfer personal data outside the European Economic Area (EEA) to a country which is not recognised as having an adequate level of protection for privacy, unless it can rely on one of the exceptions. Where the transfer of personal data outside the EEA is carried out by the software provider with the school's approval, it remains the responsibility of the school to ensure that an exception can be relied upon.

The software provider may provide a clear guarantee that this obligation is met by the school by providing a solution that is hosted on dedicated servers located within the EEA. In contrast, some commercial solutions make use of cloud-based messaging and collaboration platforms such as Google Apps that are hosted at geographically-distributed data centres in unidentified locations. For data protection compliance, it is essential that the providers of such cloud-based solutions can either guarantee that the storage of data is limited to the EEA or prove that one of the exceptions applies. If neither of these is possible, it is ultimately the school that is in breach of data protection law.

2. Security Measures:

Next, let's consider the required security measures:

Appropriate security measures shall be taken against unauthorised access to, or alteration, disclosure or destruction of, the data and against their accidental loss or destruction.
(Ref: Data Protection Act 1988, Section 2(1)(d)) (See also Sections 2C(1), 2C(2), and 2C(3))

What does this mean for the school?

As data processor, the software provider must ensure that it takes appropriate security measures to protect personal data against unauthorised access, unauthorised alteration, disclosure, destruction and other unlawful forms of processing, in particular where processing involves transmission of data over a network.
The security measures taken by the software provider should be clearly stated and proven to provide adequate protection. At a minimum, there must be adequate encryption on the stored data, security on all network connections and stringent processes and procedures for all data access.

3. Duty of Care:

Also important is the duty of care that the data controller and data processor must demonstrate:

For the purposes of the law of torts and to the extent that that law does not so provide, a person, being a data controller or a data processor, shall, so far as regards the collection by him of personal data or information intended for inclusion in such data or his dealing with such data, owe a duty of care to the data subject concerned
(Ref: Data Protection Act 1988, Section 7)

What does this mean for the school?

As data processor, the software provider must guarantee a duty of care to the owner of the personal data. In addition to the security measures above, the software supplier should ensure that transparent and stringent data protection procedures are in place among staff members who have access to the data and the production environment.

4. Disclosure to Third-parties

Finally, let's consider the restrictions on third-party disclosures:

Personal data processed by a data processor shall not be disclosed by him, or by an employee or agent of his, without the prior authority of the data controller on behalf of whom the data are processed.
(Ref: Data Protection Act 1988, Section 21)

What does this mean for the school?

The software provider must obtain the school's prior authority in the event that it intends to disclose personal data to a third party. To achieve maximum data privacy, it is advisable for the software provider to eliminate the need for disclosures to any third-parties. This can clearly be achieved by using a privately-owned and privately-managed hardware and software infrastructure to host the service. In contrast, some commercial solutions make use of cloud-based messaging and collaboration platforms such as Google Apps that are managed by a third-party and are not entirely under the control of the software provider.
In order to comply with the Data Protection Act, the supplier must either include a reference to such disclosure in its Terms of Use and/or Privacy Statement, or otherwise ensure that it obtains prior authority from each school to disclose personal data to the third-party.

With due care and open co-operation between the school and the software provider, all of the potential issues above can be tackled comprehensively and ultimately give confidence that the school's data protection obligations are being met.

The Edvance Solution

Software Asset Management Ireland (SAMI) is an Irish-owned company that provides a comprehensive school management system called Edvance. With successful installations in many Irish primary schools, Edvance has proven to be a robust and secure solution. With data security as an utmost priority, SAMI has invested in its own hardware and software infrastructure to provide a hosting solution that can answer all of the questions that should be asked of any system under consideration:

Where is the data hosted?
Edvance data is hosted within a highly-secure data centre, which is located in the College and Technology park in Dublin. Custom built for maximum security and uptime, this data centre provides a guarantee of physical security and data security. The data centre is a fully Irish-owned company and is operated with its own independent network infrastructure and data centre facilities.

What security measures are provided as part of the service?
The data centre is manned and monitored 24 hours a day, 365 days a year by a team of skilled and trained Network Operations Centre engineers located onsite. It is positioned in a secured park whose entrance is manned 24x7 by security personnel. In addition, equipment is monitored via CCTV camera. The hosting core network contains redundant Cisco Firewall, IDS and DDoS mitigation services.

What other guarantees are provided?
The hosting agreement is governed by a strict penalty-driven service level agreement (SLA) that has been agreed between Digiweb and SAMI. It guarantees 99.99% network and power uptime, while also allowing 24 / 7 / 365 access to approved SAMI staff.

Who owns the hardware?
SAMI owns the high-specification servers that host the Edvance solution (Xeon E5520-2x2.27GHz processor, 32GB RAM). SAMI has invested substantially in the hardware infrastructure to ensure reliability, security and allow full control over the system, while housing it in a secure, monitored environment.
The infrastructure has been carefully designed for scalability so that the solution can grow effectively as our business grows. Choosing and owning our hardware allows full control over the infrastructure so that it can be tailored to satisfy the needs of our growing customer base.

How secure is data in the database?
Before data is transferred to the database, it is encrypted using 256-bit encryption. This mitigates data security risks on the network and separates data security from database-specific security measures.

How secure is data that is transferred between the browser and server?
The data is transferred over a secure channel that uses SSL to provide data security.

How is data backed up?
A full backup of data is performed nightly and stored on our backup servers, which are also located in the secure environment provided by the data centre.

Who has access to the system?
Access to the system is limited to SAMI staff. Strong passwords are used as per defined procedures and passwords are available to a limited sub-team only.

As a result of the above, what guarantees are provided?
Due to investment in our infrastructure as per the measures outlined above, SAMI can commit to:
a. at all times comply with Irish and EU data protection laws
b. use the data lawfully and only for the intended purpose
c. no personal information will be collected unless provided voluntarily
d. never transmit your data outside of Ireland
e. never share your data with any third party unless required to by law
f. never store your data on any equipment that is not owned or under the direct control of SAMI

The investment in a robust architecture for Edvance and the secure measures that have been put in place allow SAMI to address the data protection obligations in the following ways:

1. Transfer of data outside the EEA:

Edvance is hosted on a high-specification dedicated server that is owned by the software provider, SAMI. It is located within a data centre in Ireland and is controlled exclusively by employees of SAMI. These measures provide a guarantee that the data is held within the EEA. This relieves the school of concerns over the location of the data and helps the school to fulfil their obligations in relation to this responsibility.

2. Security Measures:

Edvance data is hosted within a private database on a dedicated server that is owned by the software provider, SAMI. The data is encrypted using symmetric SHA-1 encryption and the connection from the browser to the server is protected using SSL.

3. Duty of Care:

Employees of SAMI have signed a data privacy agreement, committing to stringent measures when processing third-party data. E.g.
- Access to school data is restricted to a well-defined team
- On transfer from schools to SAMI, all data is password protected
- Data is stored in a dedicated area that is password protected and limited to a well-defined team
- Data is not stored on local machines. It is not emailed externally or internally outside the Edvance data team
- CDs used to transfer data from schools to SAMI are shredded after use

Edvance provides tightly-controlled logins that limit access to particular data depending on the role group of the user:
- Principal
- Teacher
- Secretary

Logins can be managed solely by the school principal or secretary.

4. Disclosure to Third-parties

Edvance is hosted on a high-specification dedicated server that is owned by the software provider, SAMI. It is located within a data centre in Ireland and is controlled exclusively by employees of SAMI. SAMI does not use any third-parties to process data on their behalf.

These measures provide a guarantee that the data is not disclosed to any third parties and is handled exclusively within an environment that is controlled by SAMI. It removes concerns over adequate data protection and relieves the school of obligations in relation to this responsibility.

Summary

School management systems can be used not only to ease the burden of administration but also to centralise sensitive data and to help fulfil data protection obligations. The careful selection of a school management system plays a key role in determining whether data protection obligations are met by the school, which is ultimately responsible for the data of its pupils, staff and parents/guardians.

In selecting a school management system, it is essential that the school gains an understanding of the underlying technology in the product, the precise location of their data and the security measures that are being taken by staff while processing the data, and that it is aware of third parties involved in the storage and processing of data. At a minimum, it is recommended that the data is stored on a dedicated server at a known location within the EEA, the data is stored and accessed securely and that security procedures of the supplier are adequate.

SAMI's Edvance product is a comprehensive solution that employs industry-standard security protocols for the storage and handling of school data. It has implemented stringent data protection procedures among the limited team that has access to production data. Most of all, SAMI has invested in its infrastructure by using its own dedicated servers that are housed at a secure location in Ireland. This not only helps to fulfil the obligations of the software supplier but goes the extra mile to remove obligations that would normally lie with the school itself.

*The information provided in this document is relevant as per time of authorship and is subject to change.

Glossary

Data: automated data and manual data

Automated data: information that (a) is being processed by means of equipment operating automatically in response to instructions given for that purpose, or (b) is recorded with the intention that it should be processed by means of such equipment

Manual data: information that is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system

Personal data: data relating to a living individual who is or can be identified either from the data or from the data in conjunction with other information that is in, or is likely to come into, the possession of the data controller

Sensitive personal data: personal data as to (a) the racial or ethnic origin, the political opinions or the religious or philosophical beliefs of the data subject, (b) whether the data subject is a member of a trade union, (c) the physical or mental health or condition or sexual life of the data subject, (d) the commission or alleged commission of any offence by the data subject, or (e) any proceedings for an offence committed or alleged to have been committed by the data subject, the disposal of such proceedings or the sentence of any court in such proceedings

Data controller: a person who, either alone or with others, controls the contents and use of personal data

Data processor: a person who processes personal data on behalf of a data controller but does not include an employee of a data controller who processes such data in the course of his employment

Data subject: an individual who is the subject of personal data

References

Data Protection Commissioner Resources:
SAMI Website:
Edvance Website:

ICT in Schools Survey 2011:

Software Asset Management Ireland, 8/9 Hanover Street East, Dublin 2, Ireland


More information

Little Marlow Parish Council Registration Number for ICO Z3112320

Little Marlow Parish Council Registration Number for ICO Z3112320 Data Protection Policy Little Marlow Parish Council Registration Number for ICO Z3112320 Adopted 2012 Reviewed 23 rd February 2016 Introduction The Parish Council is fully committed to compliance with

More information

Data Protection Policy

Data Protection Policy Data Protection Policy 1. Introduction to the Data Protection Policy Everyone who works for Chorley Council uses personal data in the course of their duties. Chorley Council must gather and process personal

More information

This Applicant Privacy Notice Continental Europe is dated: July 2012 WILLIS.COM: PRIVACY NOTICE

This Applicant Privacy Notice Continental Europe is dated: July 2012 WILLIS.COM: PRIVACY NOTICE Applicant Privacy Notice for Positions in Willis Companies Located in the European Union and European Economic Area Excluding the United Kingdom ( Applicant Privacy Notice Continental Europe ) This Applicant

More information

BRITISH COUNCIL DATA PROTECTION CODE FOR PARTNERS AND SUPPLIERS

BRITISH COUNCIL DATA PROTECTION CODE FOR PARTNERS AND SUPPLIERS BRITISH COUNCIL DATA PROTECTION CODE FOR PARTNERS AND SUPPLIERS Mat Wright www.britishcouncil.org CONTENTS Purpose of the code 1 Scope of the code 1 The British Council s data protection commitment and

More information

Office 365 Data Processing Agreement with Model Clauses

Office 365 Data Processing Agreement with Model Clauses Enrollment for Education Solutions Office 365 Data Processing Agreement (with EU Standard Contractual Clauses) Amendment ID Enrollment for Education Solutions number Microsoft to complete 7392924 GOLDS03081

More information

Information Governance Policy

Information Governance Policy Information Governance Policy 1 Introduction Healthwatch Rutland (HWR) needs to collect and use certain types of information about the Data Subjects who come into contact with it in order to carry on its

More information

Data Protection Policy

Data Protection Policy Data Protection Policy Responsible Officer Author Date effective from July 2009 Ben Bennett, Business Planning & Resources Director Julian Lewis, Governance Manager Date last amended December 2012 Review

More information

Data Protection Policy

Data Protection Policy Data Protection Policy September 2015 Contents 1. Scope 2. Purpose 3. Data protection roles 4. Staff training and guidance 5. About the Data Protection Act 1998 6. Policy 7. The Information Commissioner's

More information

Policy Document Control Page

Policy Document Control Page Policy Document Control Page Title Title: Data Protection Policy Version: 3 Reference Number: CO59 Keywords: Data, access, principles, protection, Act. Data Subject, Information Supersedes Supersedes:

More information

PRIVACY POLICY. Any form of reproduction in whole or in part of the content of this document is prohibited.

PRIVACY POLICY. Any form of reproduction in whole or in part of the content of this document is prohibited. Deck S.r.l. Via Cesareo Console 3 80132 Napoli (NA) P. iva: 04846431213 Cf: 04846431213 Rea 717835 Reg. Imp. di Napoli Cap. Soc. 15.000 PRIVACY POLICY Protecting and defending your privacy is important

More information

Policy and Procedure for approving, monitoring and reviewing personal data processing agreements

Policy and Procedure for approving, monitoring and reviewing personal data processing agreements Policy and Procedure for approving, monitoring and reviewing personal data processing agreements 1 Personal data processing by external suppliers, contractors, agents and partners Policy and Procedure

More information

Rick Parsons Information Governance Officer County Hall 01865 323593 rick.parsons@oxfordshire.gov.uk

Rick Parsons Information Governance Officer County Hall 01865 323593 rick.parsons@oxfordshire.gov.uk Rick Parsons Information Governance Officer County Hall 01865 323593 rick.parsons@oxfordshire.gov.uk 1 THE DATA PROTECTION ACT 1998 2 Requirements of the Act Roles & Responsibilities Best Practice 3 The

More information

DATA PROTECTION POLICY

DATA PROTECTION POLICY DATA PROTECTION POLICY Approval date: June 2014 Approved by: Board Responsible Manager: Executive Director of Resources Next Review June 2016 Data Protection Policy 1. Introduction Data Protection Policy

More information

THE TRANSFER OF PERSONAL DATA ABROAD

THE TRANSFER OF PERSONAL DATA ABROAD THE TRANSFER OF PERSONAL DATA ABROAD MARCH 2014 THIS NOTE CONSIDERS THE SITUATION OF AN IRISH ORGANISATION OR BUSINESS SEEKING TO TRANSFER PERSONAL DATA ABROAD FOR STORAGE OR PROCESSING, IN LIGHT OF THE

More information

Scottish Rowing Data Protection Policy

Scottish Rowing Data Protection Policy Revision Approved by the Board August 2010 1. Introduction As individuals, we want to know that personal information about ourselves is handled properly, and we and others have specific rights in this

More information

EMMANUEL COLLEGE THE APPLICATION OF THE DATA PROTECTION ACT 1998. Contents

EMMANUEL COLLEGE THE APPLICATION OF THE DATA PROTECTION ACT 1998. Contents EMMANUEL COLLEGE THE APPLICATION OF THE DATA PROTECTION ACT 1998 Contents 1. Introduction Page 2 2. The Data Protection Act 1998 Page 2 3. Review of data used in College departments Page 3 4. Security

More information

Index. Definitions. What is Data Protection? Rights of Individuals. The 8 Principles of Data Protection

Index. Definitions. What is Data Protection? Rights of Individuals. The 8 Principles of Data Protection Data Protection Awareness Based on DIT s Data Protection Policy, the Data Protection Acts, 1988 & 2003 and guidance from the Office of the Data Protection Commissioner Index Definitions What is Data Protection?

More information

The Anti-Corruption Compliance Platform

The Anti-Corruption Compliance Platform The Anti-Corruption Compliance Platform DATA COLLECTION RISK IDENTIFICATION SCREENING INTEGRITY DUE DILIGENCE CERTIFICATIONS GIFTS, TRAVEL AND ENTERTAINMENT TRACKING SECURITY AND DATA PROTECTION The ComplianceDesktop

More information

Cloud Software Services for Schools

Cloud Software Services for Schools Cloud Software Services for Schools Supplier self-certification statements with service and support commitments Please insert supplier details below Supplier name Address Contact name Contact email Contact

More information

Binding Corporate Rules ( BCR ) Summary of Third Party Rights

Binding Corporate Rules ( BCR ) Summary of Third Party Rights Binding Corporate Rules ( BCR ) Summary of Third Party Rights This document contains in its Sections 3 9 all provision of the Binding Corporate Rules (BCR) for Siemens Group Companies and Other Adopting

More information

www.neelb.org.uk Web Site Download Carol Johnston

www.neelb.org.uk Web Site Download Carol Johnston What I need to know about data protection and information security when purchasing a service that requires access to my information by a third party. www.neelb.org.uk Web Site Download Carol Johnston Corporate

More information

DATA PROTECTION POLICY

DATA PROTECTION POLICY DATA PROTECTION POLICY The information and guidelines within this Policy are important and apply to all members, Fellows and staff of the College 1. INTRODUCTION Like all educational establishments, the

More information

Human Resources Policy documents. Data Protection Policy

Human Resources Policy documents. Data Protection Policy Policy documents Aims of the Policy apetito is committed to meeting its obligations under data protection law. As a business, apetito handles a range of Personal Data relating to its customers, staff and

More information

Cloud Software Services for Schools. Supplier self-certification statements with service and support commitments. SafeGuard Software Limited

Cloud Software Services for Schools. Supplier self-certification statements with service and support commitments. SafeGuard Software Limited Cloud Software Services for Schools Supplier self-certification statements with service and support commitments Supplier name Address Contact name Contact email Contact telephone SafeGuard Software Limited

More information

Hampstead Parochial CofE Primary School Data Protection Policy Spring 2015

Hampstead Parochial CofE Primary School Data Protection Policy Spring 2015 Hampstead Parochial CofE Primary School Data Protection Policy Spring 2015 1. Introduction and Scope 1.1 The Data Protection Act 1998 is the law that protects personal privacy and applies to any school

More information

Cloud Software Services for Schools

Cloud Software Services for Schools Request for information on the document re: cloud and secure storage posted on the DfE website, response provided by DfE and Schools Commercial team: The focus of the project is on data security/safety

More information

Data Protection and Information Security Policy and Procedure

Data Protection and Information Security Policy and Procedure Data Protection and Information Security Policy and Procedure Document Detail Category: Data Protection Authorised By: Full Governing Body Author: School Business Manager Version: 1 Status: Approved May

More information

Cloud Software Services for Schools. Supplier self-certification statements with service and support commitments

Cloud Software Services for Schools. Supplier self-certification statements with service and support commitments Cloud Software Services for Schools Supplier self-certification statements with service and support commitments Supplier name Address Contact name Contact email Meritec Limited Meritec House, Acorn Business

More information

ADVANCED CABLE COMMUNICATIONS WEBSITE PRIVACY POLICY COLLECTION AND USE OF INFORMATION FROM USERS

ADVANCED CABLE COMMUNICATIONS WEBSITE PRIVACY POLICY COLLECTION AND USE OF INFORMATION FROM USERS ADVANCED CABLE COMMUNICATIONS WEBSITE PRIVACY POLICY Advanced Cable Communications ( Company ) strives to offer visitors to its website (the Site ) the many advantages of Internet technology and to provide

More information

Privacy and Electronic Communications Regulations

Privacy and Electronic Communications Regulations ICO lo Notification of PECR security breaches Privacy and Electronic Communications Regulations Contents Introduction... 2 Overview... 2 Relevant security breaches... 3 What is a service provider?... 3

More information

Data Protection Policy

Data Protection Policy Data Protection Policy 1. Introduction and purpose 1.1 Children s Hearings Scotland (CHS) is required to maintain certain personal data about individuals for the purposes of satisfying our statutory, operational

More information

Data Processing Agreement for Oracle Cloud Services

Data Processing Agreement for Oracle Cloud Services Data Processing Agreement for Oracle Cloud Services Version December 1, 2013 1. Scope and order of precedence This is an agreement concerning the Processing of Personal Data as part of Oracle s Cloud Services

More information

Police Financial Services Limited Copyright exists in this document Privacy Policy 1

Police Financial Services Limited Copyright exists in this document Privacy Policy 1 Privacy January 2015 Policy Police Financial Services Limited ABN 33 087 651 661 ('we', 'us', 'our', BankVic ) is bound by the Australian Privacy Principles under the Privacy Act 1988 (Cth) (Privacy Act).

More information

Appendix 11 - Swiss Data Protection Act

Appendix 11 - Swiss Data Protection Act GLEIF- LOU Restricted Appendix 11 - Swiss Data Protection Act GLEIF Revision Version: 1.0 2015-09-23 Master Copy page 2 of 11 Applicable Provisions of the Swiss Data Protection Act (DPA) including the

More information

DATA PROTECTION AUDIT GUIDANCE

DATA PROTECTION AUDIT GUIDANCE DATA PROTECTION AUDIT GUIDANCE CONTENTS Section I: Section II: Audit of Processing of Personal Data Audit Procedure Appendices: A B C D E Audit Form List of Purposes List of data subjects List of data

More information

Paperless World Limited

Paperless World Limited Paperless World Limited Security Policy Statement Contents Section 1: Paperless World Limited Security Policy Statement... 2 Section 2: The Data Protection Act 1998... 2 Section 3: Definitions... 2 Personal

More information

Data Protection Avoiding Information Commissioner Fines. Caroline Egan 5 June 2014

Data Protection Avoiding Information Commissioner Fines. Caroline Egan 5 June 2014 Data Protection Avoiding Information Commissioner Fines Caroline Egan 5 June 2014 Why is data protection a hot topic in pensions? Pension schemes hold large amounts of personal data Individuals more aware

More information

Data Protection. Processing and Transfer of Personal Data in Kvaerner. Binding Corporate Rules Public Document

Data Protection. Processing and Transfer of Personal Data in Kvaerner. Binding Corporate Rules Public Document Data Protection Processing and Transfer of Personal Data in Kvaerner Binding Corporate Rules Public Document 1 of 19 1 / 19 Table of contents 1 Introduction... 4 1.1 Scope... 4 1.2 Definitions... 4 1.2.1

More information

TERMS & CONDITIONS of SERVICE for MSKnote. Refers to MSKnote Limited. Refers to you or your organisation

TERMS & CONDITIONS of SERVICE for MSKnote. Refers to MSKnote Limited. Refers to you or your organisation TERMS & CONDITIONS of SERVICE for MSKnote Definitions: "Us or Our or We or Company" You or Your or Client Refers to MSKnote Limited Refers to you or your organisation Information about us: We are MSKnote

More information

Data Protection Guidance

Data Protection Guidance 53 September 2010 Management Circular No. 53 Glasgow City Council Education Services Wheatley House 25 Cochrane Street Merchant City GLASGOW G1 1HL To Heads of all Educational Establishments Data Protection

More information

Data controllers and data processors: what the difference is and what the governance implications are

Data controllers and data processors: what the difference is and what the governance implications are ICO lo : what the difference is and what the governance implications are Data Protection Act Contents Introduction... 3 Overview... 3 Section 1 - What is the difference between a data controller and a

More information

Data Protection Act. Privacy & Security in the Information Age. April 26, 2013. Ministry of Communications, Ghana

Data Protection Act. Privacy & Security in the Information Age. April 26, 2013. Ministry of Communications, Ghana Data Protection Act Privacy & Security in the Information Age April 26, 2013 Agenda Privacy in The Information Age The right to privacy Why We Need Legislation Purpose of the Act The Data Protection Act

More information

Data Protection Acts 1988 and 2003: Informal Consolidation

Data Protection Acts 1988 and 2003: Informal Consolidation Page 1 of 55 Data Protection Acts 1988 and 2003: Informal Consolidation IMPORTANT NOTICE This document is an informal consolidation of the Data Protection Acts 1988 and 2003, prepared by the Office of

More information

Cloud Software Services for Schools

Cloud Software Services for Schools Cloud Software Services for Schools Supplier self-certification statements with service and support commitments Please insert supplier details below Supplier name Address Contact name Contact email Contact

More information

on the transfer of personal data from the European Union

on the transfer of personal data from the European Union on the transfer of personal data from the European Union BCRsseptembre 2008.doc 1 TABLE OF CONTENTS I. PRELIMINARY REMARKS 3 II. DEFINITIONS 3 III. DELEGATED DATA PROTECTION MANAGER 4 IV. MICHELIN GROUP

More information

CLOUD COMPUTING FOR ehealth DATA PROTECTION ISSUES

CLOUD COMPUTING FOR ehealth DATA PROTECTION ISSUES CLOUD COMPUTING FOR ehealth DATA PROTECTION ISSUES GLOBAL FORUM 2009 ICT & The Future of the Internet - Monday, October 19 th 2009 paolo.balboni@bakernet.com Introduction & Structure ENISA Working Group

More information

Privacy Policy for Data Collected by Blue State Digital

Privacy Policy for Data Collected by Blue State Digital Privacy Policy for Data Collected by Blue State Digital Overview Blue State Digital LLC. ( Blue State Digital, BSD or we ) provides various services to non- profit entities and other related businesses

More information

Cloud Software Services for Schools

Cloud Software Services for Schools Cloud Software Services for Schools Supplier self-certification statements with service and support commitments Please insert supplier details below Supplier name Address Isuz Ltd. trading as Schoolcomms

More information

Proposal of regulation Com 2012 11/4 Directive 95/46/EC Conclusion

Proposal of regulation Com 2012 11/4 Directive 95/46/EC Conclusion Page 1 sur 155 Proposal of regulation Com 2012 11/4 Directive 95/46/EC Conclusion Legal nature of the instrument Règlement Directive Directly applicable act in internal law 91 articles 34 articles Art.

More information

Decision 084/2006 Mr Ian Cameron and Aberdeenshire Council

Decision 084/2006 Mr Ian Cameron and Aberdeenshire Council Huntly Nordic Ski and Outdoor Centre Reference No: 200600082 Decision Date: 30 March 2009 Kevin Dunion Scottish Information Commissioner Kinburn Castle Doubledykes Road St Andrews KY16 9DS Tel: 01334 464610

More information

So the security measures you put in place should seek to ensure that:

So the security measures you put in place should seek to ensure that: Guidelines This guideline offers an overview of what the Data Protection Act requires in terms of information security and aims to help you decide how to manage the security of the personal data you hold.

More information

DATA AND PAYMENT SECURITY PART 1

DATA AND PAYMENT SECURITY PART 1 STAR has teamed up with Prevention of Fraud in Travel (PROFiT) and the Fraud Intelligence Network (FIN) to offer our members the best advice about fraud prevention. We recognise the increasing threat of

More information

ECSA EuroCloud Star Audit Data Privacy Audit Guide

ECSA EuroCloud Star Audit Data Privacy Audit Guide ECSA EuroCloud Star Audit Data Privacy Audit Guide Page 1 of 15 Table of contents Introduction... 3 ECSA Data Privacy Rules... 4 Governing Law... 6 Sub processing... 6 A. TOMs: Cloud Service... 7 TOMs:

More information

INFORMATION WE MAY COLLECT FROM YOU

INFORMATION WE MAY COLLECT FROM YOU Privacy Policy ABOUT Prolific Academic Ltd. ("We") are committed to protecting and respecting your privacy. This policy (together with our terms of use and any other documents referred to on it) sets out

More information

Data Protection Policy June 2014

Data Protection Policy June 2014 Data Protection Policy June 2014 Approving authority: Consultation via: Court Audit and Risk Committee, University Executive, Secretary's Board, Information Governance and Security Group Approval date:

More information

Data Protection Act 1998 The Data Protection Policy for the Borough Council of King's Lynn & West Norfolk

Data Protection Act 1998 The Data Protection Policy for the Borough Council of King's Lynn & West Norfolk Data Protection Act 1998 The for the Borough Council of King's Lynn & West Norfolk 1 Contents Introduction 3 1. Statement of Intent 4 2. Fair Obtaining I Processing 5 3. Data Uses and Processes 6 4. Data

More information

BRING YOUR OWN DEVICE

BRING YOUR OWN DEVICE BRING YOUR OWN DEVICE Legal Analysis & Practical TIPs for an effective BYOD corporate Policy CONTENTS 1. What is BYOD? 2. Benefits and risks of BYOD in Europe 3. BYOD and existing Policies 4. Legal issues

More information

PRIVACY REGULATIONS regarding the Web Health History ("W.H.H.") Service called LifepassportPRO provided by Meshpass SA

PRIVACY REGULATIONS regarding the Web Health History (W.H.H.) Service called LifepassportPRO provided by Meshpass SA PRIVACY REGULATIONS regarding the Web Health History ("W.H.H.") Service called LifepassportPRO provided by Meshpass SA Updated: 20 Jun 2015 (substitutes previous versions) This Privacy Policy describes

More information