Useful information
Contact Group are data processors with regard to services for our educational establishment customers.
Contact Group is a trading name of Truancy Call Limited
5th Floor, Lyndon House, 58-62 Hagley Road, Birmingham, B16 8PE
Data Protection Registration Number: Z7911829
Company Registration Number: 4125665
Cyber Essentials certificate number: 1639251624619545
Why are you collecting data from schools?
We partner with local authorities throughout the UK to collect and process data on their behalf specifically for looked after children in their care, to help them meet their statutory responsibility as corporate parents as set out in the Children Act 1989.
What have Contact Group done to comply with GDPR?
Contact Group is part of Iris Group and benefits from its resources and expertise to help us meet our obligations under GDPR, including:
Implementing its company-wide protocols such as:
o Group Data Protection Policy
o Acceptable Use and Information Security Policies
o Personal data incident reporting procedure
Our Group policies are available upon request via dataprotection@iris.co.uk
Working closely with the Group Data Protection Officer as needed
Our approach to product and software development ensures ‘data protection by design and by default’. Throughout our service, we are committed to maintaining high standards of information security, privacy and transparency.
We seek to implement the Cloud Security Principles and guidance from the National Cyber Security Centre.
To demonstrate our commitment we are Cyber Essentials Plus certified (https://www.cyberessentials.ncsc.gov.uk/).
We actively carry out security checks on all staff on recruitment. All staff have mandatory corporate training on data protection and information security. This is rolled out at staff induction, and for existing staff each training session is refreshed at least once per year.
What technical and organisational security measures do you have in place to protect personal data?
All external connections to our systems are encrypted over SSL using an RSA 2048-bit DigiCert SHA2 Extended Validation certificate. All data held by Contact Group is encrypted whilst in transit. Contact Group undertakes regular internal and 3rd party security auditing of our applications and premises in order to ensure they adhere to customer expectations and current industry standards. Access to data by Contact Group staff is strictly controlled and audited.
What policies and procedures do you have in place to protect personal data?
Contact Group holds ICO registration to ensure continuing compliance with Data Protection legislation. All staff receive regular training regarding the latest best practices around data security. Contact Group has comprehensive Disaster Recovery policies and RTOs pertaining to the integrity and availability of its services.
How secure are your systems?
All external connections to our systems are encrypted over SSL using an RSA 2048-bit DigiCert SHA2 Extended Validation certificate. All data held by Contact Group is encrypted whilst in transit. It is not currently encrypted “at rest”; however, it is securely stored within our UK datacentres. We are working on the technicalities to enable encryption for our databases.
At what point is data deleted?
Local Authority data for Looked After Children (for those who are no longer in contract with us) will be fully purged 90 days from the termination date of the contract unless specified otherwise, as per terms and conditions laid out within the contract.
Do you hold the ISO 27000:2013 Information Security Management standard?
We are not currently ISO27001 compliant; however, Iris Group protocols and Information Security Management System align with it.
Do you have any security accreditations?
Cyber Essentials Plus - certificate number: 1639251624619545
G-Cloud 11 certified
Looked After Call is regularly checked internally for security vulnerabilities and annually by a CREST accredited 3rd party penetration testing company.
Where is data hosted/stored?
Looked After data is securely stored within UK data centres.
How do you collect data from schools?
We do not rely on any third-party to obtain personal data from schools. To minimise disruption, schools may choose from several different collection methods:
Automatic data collection (which, depending on your school's management system, can be achieved by installing software or simply granting required permissions to read the required data). This is the recommended method, as it is a modern, safe and secure method to transfer the information which requires no ongoing maintenance by the school.
Secure school portal, which can be accessed at your convenience to update things such as daily attendance, termly assessment information or even PEP information as required by the authority.
Daily phone call by their dedicated calling team. They will introduce themselves as representatives of the calling authority before requesting information. All staff are DBS checked, and they will only collect the data for named pupils for which they are authorised, which will be entered directly into dedicated software - not written down or passed to anyone else.
How does the automated data extractor work?
Software is used to read data specifically looking for Looked After Children relating to the authorities we collect for. Instructions on how to set this up will depend on the school management system used – we integrate with all leading providers: Capita SIMS, Advanced Progresso, RM Integris, Bromcom, Scholar Pack and others. We are an accredited technical partner of Capita SIMS and have similar arrangements with other providers.
The data read and processed will depend on your agreement with us – please refer to your data processing agreement.
Our data extraction software requires minimal IT administration, but if help is required a dedicated team of support staff are available to assist.
Are you GDPR compliant?
Contact Group is committed to high standards of information security, privacy and transparency. We place a high priority on protecting and managing data in accordance with accepted standards including Cyber Essentials. When providing services to schools and local authorities, Contact Group fulfils the role of data processor, and complies with GDPR regulations, whilst also working closely with our customers and partners to meet contractual obligations for our procedures, products and services.
Do you have a GDPR Statement?
Please click here for our Group GDPR statement.
Can an individual’s data be deleted and excluded from processing?
A request can be made to the local authority who in turn would instruct us to invoke our data deletion protocols.
How long is data retained?
Data is retained for as long as the authority requires it – typically until the child is a care leaver. When data has been deleted, it will be retained in our automated backup cycle for 30 days for business continuity reasons – the backups are encrypted and are only accessed if there is a need to restore data.
Has any independent penetration testing of their software taken place?
Looked After Call is subject to an annual 3rd party penetration test by a CREST accredited company.
Is the application protected by single factor authentication or two-factor authentication?
The Looked After Call administration and portal sites implement single-factor authentication.
Understanding the new Data Protection Laws
We would strongly recommend schools seek their own legal advice if they are unsure about the implications of the new data protection laws on their businesses.
Legal Disclaimer
The information contained on this website is for general guidance purposes only. It should not be taken for, nor is it intended as, legal advice. While we have made every effort to ensure that the information provided on this website is correct and up to date, IRIS makes no promises as to completeness or accuracy and the information is delivered on an “as is” basis without any warranties, express or implied. IRIS will not accept any liability for errors or omissions and will not be liable for any damage (including, without limitation, damage for loss of business or loss of profits) arising in contract, tort or otherwise from the use of or reliance on this information or from any action or decisions taken as a result of using this information.