Download PDF Version

Data Protection Policy - GDPR 2018

Scope

This document lays out the procedures and principles of data protection that will be followed by all employees at Prodeo LTD.

All employees have completed the Prodeo GDPR Training Session and the Employee of Prodeo LTD – GDPR Compliance Document (Appendix A).

Key Definitions:

GDPR: General Data Protection Regulation

Controller: A controller determines the purposes and means of processing personal data.

Processor: A processor is responsible for processing personal data on behalf of a controller.

Personal Data: The GDPR applies to ‘personal data’ meaning any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.

Personal Data Breach: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

Prodeo LTD: Processor

As defined above, Prodeo LTD (Trading as SMID) acts as a processor of data on behalf of controllers (Education establishments, namely secondary schools).

As a processor of personal data we are required under the GDPR to provide information on the following key data protection areas:

Lawful basis for processing
Data Types Stored
Data Storage - Security
Data Subject Access
Data Breach procedures
Data Retention
Data Protection Officer

Lawful Basis for Processing

GDPR requires that a processor must have a valid lawful basis in order to process personal data.

There are six available lawful bases for processing:
REF: Information Commissioner
1 Consent: the individual has given clear consent for you to process their personal data for a specific purpose.

2 Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.

3 Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).

4 Vital interests: the processing is necessary to protect someone’s life.

5 Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.

6 Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)

Prodeo LTD is processing the data on behalf of an education establishment, with which we have an annual contract in order to provide access to our cloud based software. Therefore SMID meets the lawful obligation point 2 which states the processing is necessary for a contract you have with the individual. It is important that the school as a controller of the data has the necessary consent in place when obtaining certain data from students who attend the school.

Data Types Stored

Prodeo LTD requires the following personal data as a minimum to use the SMID cloud software:

Code - This can be decided by the school, commonly admission number but may be UPN or candidate number
Forename
Surname
Classes - The classes a student is currently studying
Report Grades - assigned within school or from final exams
KS2 Results

Optional Data (Required for full functionality)
Pupil Groups - A school can choose which data to include as pupil groups common examples are Free School Meals (FSM), Pupil Premium (PP) and Prior Ability Grouping.
Attitude To Learning Scores - Scores assigned within school to categorise students behaviour.
Attendance - % Attendance Scores may be added to the system to monitor attendance patterns

Data Storage and Security

Prodeo LTD trading as SMID will not supply any of your data to any third party and will only use the data you provide to support your school.

Prodeo Limited is registered with the Information Commissioner’s Office (ZA138870) in accordance with the Data Protection Act of 1998 and the code of practice issued by the regulators of England, Wales and Northern Ireland.

The personal data stored within the SMID Report & Dashboard includes Names, School Selected Pupil Groups e.g. Pupil Premium, Grades, Gender, Attendance. The data will only be used within the context of the SMID Dashboard and Report and will only be used to identify the progress made by students from any school that is a member. When accessing the SMID Dashboard you will be using a Secure Hyper Text Transfer Protocol (HTTPS) along with Secure Sockets Layer (SSL) Protection. This provides encrypted access to our servers protecting you from others accessing the data. All data is hosted using Amazon S3 Servers, which are secure and encrypted.

Security information from host website, Heroku

Data Centres
Heroku’s physical infrastructure is hosted and managed within Amazon’s secure data centres and utilize the Amazon

Web Service (AWS) technology. Amazon continually m anages risk and undergoes recurring assessments to ensure compliance with industry standards. Amazon’s data centre operations have been accredited under:

ISO 27001
SOC 1 and SOC 2/SSAE 16/ISAE 3402 (Previously SAS 70 Type II)
PCI Level 1
FISMA Moderate
Sarbanes - Oxley (SOX)

Physical Security
Heroku utilizes ISO 27001 and FISMA certified data centres managed by Amazon located in Ireland (EU- West - 1) Amazon has many years of experience in designing, constructing, and operating largescale data centres. This experience has been applied to the AWS platform and infrastructure. AWS data centres are housed in nondescript facilities, and critical facilities have extensive setback and military grade perimeter control berms as well as other natural boundary protection.

Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, state of the art intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication no fewer than three times to access data centre floors. All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff.

Amazon only provides data centre access and information to employees who have a legitimate business need for such privileges. When an employee no longer has a business need for these privileges, his or her access is immediately revoked, even if they continue to be an employee of Amazon or Amazon Web Services. All physical and electronic access to data centres by Amazon employees is logged and audited routinely.

Data Subject Access

Under the right of subject access, an individual is entitled to request a copy of the personal data held about them.

Valid Subject Access Request
For a subject access request to be valid, it should be made in writing. In order for a subject access request to be made successfully we will require proof of a persons identify and legitimacy to make the request. Should any request be made our data protection officer will contact the designated data controller at the relevant establishment to fully confirm the legitimacy of a request. We will then move forward in providing the data in an appropriate format.

For example in the unlikely event of a parent or a pupil contacting Prodeo LTD directly with a subject access request. We would clearly inform them that we would be contacting the school data protection officer in order to verify the request and all communication would come through the school.

We do not expect the above scenario to be a common occurrence but should it arise the school data protection officer will always be our first point of contact.

Request Procedure / Format
Under GDPR legislation an organisation is not allowed to require an individual to complete a subject access request in a certain format. Therefore Prodeo LTD does not require an individual to complete a specific form to make the request. It is recommended that any request should be sent by email to support@smidreport.com so that we can deal with your request as quickly as possible. Should a subject access request be made to another member of staff or in a different format such as a written letter all staff are fully aware of GDPR procedures and will take any request and pass them on to the data protection office.

Response Format
Prodeo LTD will meet the GDPR requirements that state the information provided to the individual is in an intelligible form. Any response made by Prodeo LTD will be sure to include a glossary of terms should any technical information be included that may not be understood by the average person.

Subject Access Request Cost
Prodeo LTD will not require any charge for any request made.

Data Breach Policy

A data breach occurs when personal information is lost or subject to unauthorised access.

Definition of personal data breach
A personal data breach can be broadly defined as a security incident that has affected the confidentiality, integrity or availability of personal data. In short, there will be a personal data breach whenever any personal data is lost, destroyed, corrupted or disclosed; if someone accesses the data or passes it on without proper authorisation; or if the data is made unavailable, for example, when it has been encrypted by ransomware, or accidentally lost or destroyed.

Data Breach Response Team
The Data Breach Response Team has been set up to deal with any form of data breach which can occur.

ICO provides examples of data breaches which range from an email being sent to the incorrect individual through to stolen data from a breach of the database. Prodeo LTD takes data protection extremely seriously encrypting all data at rest, however if a breach were to occur Prodeo LTD will contact all schools with the following information:


When a data breach occurs Prodeo LTD will establish whether the breach needs to be reported to ICO. This is only the case if there is likely to be a risk to people’s rights and freedoms.

Prodeo LTD will record any breaches that occur even if they don’t need to be reported to ICO.

Data Retention

Any school that terminates their contract with SMID will have all data removed from SMID’s live database within 1 week of the end of the subscription.

Data will still exist within backups for 3 months after the end of the subscription after which it will be destroyed.

Data Protection Impact Assessment (DPIA)

The ICO recommends that you carry out a DPIA if you plan to use processors that are likely to result in 'a high risk to individuals'. If you wish to carry out a DPIA before starting or during your contract with SMID we will fully support you with this process.

Plese find further information on coducting a DPIA here (ICO Website)

Audit Support

As with the DPIA if as a controller you wish to carry out a data audit, we will support you with this process. We can provide you with detailed informaiton on the data processed by Prodeo LTD specificaly for your establishment.


Appendix A: Employee of Prodeo LTD – GDPR Compliance Documentation – May 2018

This document is to notify that all staff have received training and fully understand the GDPR on data processing within Prodeo LTD.

Training Process
All staff that are employed by Prodeo LTD must complete the Prodeo GDPR Training session. This provides staff with a detailed overview of the data protection procedures carried out whilst data processing occurs. It also provides all employees with the opportunity to raise any queries they may have regarding GDPR and its impact on Prodeo.

I fully understand and agree to abide by the following statements: