Useful information
Iris Looked After Call is a data processor in regards to services for our local authority customers.
Truancy Call Ltd is part of Iris Software Ltd.
Heathrow Approach,
470 London Road,
Slough,
SL3 8QY
Data Protection Registration Number: Z7911829
Company Registration Number: 4125665
Cyber Essentials certificate number: 1639251624619545
Data Protection Officer: dataprotection@iris.co.uk
Why are you collecting data from schools?
We partner with local authorities throughout the UK to collect and process data on their behalf specifically for looked after children in their care, to help them meet their statutory responsibility as corporate parents as set out in the Children Act 1989.
What has Iris Looked After Call done to comply with GDPR?
Iris Looked After Call is part of the Iris Software Group and benefits from its resources and expertise to help us meet our obligations to GDPR including:
Implementing its company-wide protocols such as:
o Group Data Protection Policy
o Acceptable Use and Information Security Policies
o Personal data incident reporting procedure
Our Group policies are available upon request via dataprotection@iris.co.uk
Working closely with the Group Data Protection Officer as needed
Our approach to product and software development ensures ‘data protection by design and by default’. Throughout our service, we are committed to maintaining high standards of information security, privacy and transparency.
We seek to implement the Cloud Security Principles and guidance from the National Cyber Security Centre.
To demonstrate our commitment we are Cyber Essentials Plus certified (https://www.cyberessentials.ncsc.gov.uk/).
We actively carry out security checks on all staff on recruitment. All staff have mandatory corporate training on data protection and information security. This is rolled out on staff induction and for existing staff each training session is refreshed at least once per year
What technical and organisational security measures do you have in place to protect personal data?
All external connections to our systems are encrypted over SSL using and RSA 2048 bits DigiCert SHA2 Extended Validation certificate. All data held by Iris Looked After Call is encrypted whilst in transit. We undertake regular internal and 3rd party security auditing of our applications and premises in order to ensure they adhere to customer expectations and current industry standards. Access to data by Iris Looked After Call staff is strictly controlled and audited.
What policies and procedures do you have in place to protect personal data?
We hold ICO registration to ensure continuing compliance with Data Protection legislation. All staff receive regular training regarding the latest best practices around data security. Iris Software Group have comprehensive Disaster Recovery policies which detail processes to restore the integrity and availability its services.
How secure are your systems?
All external connections to our systems are encrypted over SSL using and RSA 2048 bits DigiCert SHA2 Extended Validation certificate. All data held by Iris Looked After Call is encrypted whilst in transit. It is not currently encrypted “at rest”, however it is securely stored within our UK datacentres. We are working on the technicalities to enable encryption for our databases.
At what point is data deleted?
Local Authority data for Looked After Children (for those who are no longer in contract with us) will be fully purged 90 days from the termination data of the contract unless specified otherwise, as per terms and conditions laid out within the contract.
Do you hold the ISO 27000:2013 Information Security Management standard?
We are not currently ISO27001 compliant, however Iris Group protocols and Information Security Management System aligns with it.
Do you have any security accreditations
Cyber Essentials Plus - certificate number: 1639251624619545
G-Cloud 11 certified
Looked After Call is regularly checked internally for security vulnerabilities and annually by a CREST accredited 3rd party penetration testing company.
Where is data hosted/stored?
Looked After data is securely stored within UK data centres.
How do you collect data from schools?
To minimise disruption, schools may choose from several different collection methods:
Automatic data collection (which depending on your schools management system can be achieved by installing software or simply granting required permissions to read the required data). This is the recommended method, as it is modern, safe and secure method to transfer the information which requires no ongoing maintenance to the school.
Secure school portal, which can be accessed at your convenience to update things such as daily attendance, termly assessment information or even PEP information as required by the authority.
Daily phone call by their dedicated calling team. They will introduce themselves as representatives of the calling authority before requesting information. All staff are DBS checked, and they will only collect the data for named pupils for which they are authorised, which will be entered directly into dedicated software - not written down or passed to anyone else.
How does the automated data extractor work?
Software is used to read data specifically looking for Looked After Children relating to the authorities we collect for. Instructions on how to set this up will depend on the school management used – We integrate with all leading providers: Capita SIMS, Advanced Progresso, RM Integris, Bromcom, Scholar Pack and others. We are an accredited technical partner of Capita SIMS and have similar arrangements with other providers.
Our data extraction software requires minimal IT administration but if help is required a dedicated team of support staff are available to assist.
What data is being processed?
Subject matter and duration of the processing | Iris Looked After Call provides data extraction and reporting services in the form of its Looked After Call product primarily used by Local Authorities in England and Wales. Services are agreed with Local Authorities for one or multi-year contracts.
|
Nature and purpose of the processing | Iris Looked After Call uses the data extracted for children in care of the authority to help virtual headteachers and other authorised agents to monitor their progress through education.
|
Type of Personal Data and Categories of data subjects | See table below |
Student Data | Parent/Carer Data | Event Data | Assessment |
Registration Data | Full Name | Attendance Marks | Exams Results |
Unique Pupil Number | Relationship | Behaviour Incidents | Assessment Results |
Full Name | Phone Numbers | Detentions | KPIs |
Registration Group | Email Addresses | Achievements |
|
Year and House Group | Addresses | Exclusion |
|
Date of Birth | Agent Details |
|
|
FSM Entitlement | Agent Phone Numbers |
|
|
Pupil Premium | Agent Emails |
|
|
School History |
|
|
|
Personal Education Plans |
|
|
|
Special Education Needs |
|
|
|
Welfare Data |
|
|
|
Are you GDPR compliant?
Iris Looked After Call is committed to high standards of information security, privacy and transparency. We place a high priority on protecting and managing data in accordance with accepted standards including Cyber Essentials. When providing services to schools and local authorities, Iris Looked After Call fulfils the role of data processor, and complies with GDPR regulations, whilst also working closely with our customers and partners to meet contractual obligations for our procedures, products and services.
Do you have a GDPR Statement?
Please click the here for our Group GDPR statement.
Can an individuals’ data be deleted and excluded from processing?
A request can be made to the local authority who in turn would instruct us to invoke our data deletion protocols.
How long is data retained?
Data it is retained for as long as the authority requires it – typically until the child is a care leaver. When data been deleted, it will be retained in our automated backup cycle for 30 days for business continuity reasons – the backups are encrypted and are only accessed if there is a need to restore data.
Has any independent penetration testing of their software taken place?
Looked After Call is subject to an annual 3rd party penetration test by a CREST accredited company.
Is the application protected by single factor authentication or two-factor authentication?
Access to the Looked After Call administration and portal sites implement Single factor authentication.
Understanding the new Data Protection Laws
We would strongly recommend schools seek their own legal advice if they are unsure about the implications of the new data protection laws.
Legal Disclaimer
The information contained on this website is for general guidance purposes only. It should not be taken for, nor is it intended as, legal advice. While we have made every effort to ensure that the information provided on this website is correct and up to date, Iris Software Group makes no promises as to completeness or accuracy and the information is delivered on an “as is” basis without any warranties, express or implied. Iris Software Group will not accept any liability for errors or omissions and will not be liable for any damage (including, without limitation, damage for loss of business or loss of profits) arising in contract, tort or otherwise from the use of or reliance on this information or from any action or decisions taken as a result of using this information.