IRIS School Data Extractor - Data Protection & GDPR

1. Introduction to Data Protection A brief introduction to the company’s background, experience and an overview to the IRIS DataExtractor system.

2. Data Access Policy Outlines IRIS DataExtractor policy on data handling and access with regards to company employees and schools’ users.

3. Key System Specifications. Information on the design of the system architecture and the data used from the school’s database.

4. Data Upload Process. The process the school will undertake to transfer the data from their MIS into the IRIS DataExporter system. Also, further information on all Management Information Systems and consent for data transfer.

5. Security and Data Protection in the IRIS DataExtractor system. Details on how the IRIS DataExtractor system keeps data safe.

6. Data Destruction Policy. What happens to a school’s data if they choose to end their partnership with IRIS DataExtractor? Data it is retained for as long as the authority requires it – typically until the child is a care leaver. When data is deleted, it will be retained in our automated backup cycle for 30 days for business continuity reasons – the backups are encrypted and are only accessed if there is a need to restore data.

7. Software Renewal Policy and Security Auditing The company’s software renewal policy, outlining the timescales and process involved in the software renewal including auditing of security processes.

8. Subject Access Request and Data Breach Policy

1. Introduction

• IRIS DataExtractor is currently used by over 2572 schools in over 22 Local Authorities and comply fully with all the corresponding Local Authority Security Standards.

• IRIS DataExtractor has been developed by us in partnership with school staff and leading education professionals. We are an organisation with a strong background in the development and application of software and communications technology to provide solutions in a wide variety of sectors.

• IRIS School DataExtractor is used to export data from the organisation Management Information System (MIS), which is imported to IRIS products and services.

• IRIS DataExtractor is a software solution used in conjunction with a sites MIS and Attendance systems. The system facilitates the extraction of data from either an on-premises installation or directly from a cloudbased MIS, storing this centrally allow other IRIS products to ingest this on the sites behalf.

• IRIS DataExtractor is an official technical partner of ESS, the operators of the predominant school administration system SIMS. Our relationship with ESS ensures that the IRIS DataExtractor is, and will remain, fully compatible with Sims. See below table for confirmation of relationships with other MIS

• IRIS DataExtractor is externally hosted and accessed via an internet connection. IRIS DataExtractor is operated from a secure server operating under a Secure Sockets Layer (SSL) that helps to protect data by using Transport Layer Security to encrypt data. The system also incorporates a rigorous security protocol that restricts access to the logged in area. The system can only be accessed by authorised personnel, via a Username and Password.

• IRIS DataExtractor is registered under the DPA 2018 (Registration Number: (Z7911829) and is fully compliant with the GDPR. Strict adherence to the General Data Protection (GDPR) contained therein is integral to our business operations. Data Protection is intrinsic to all our operations and, as such, we ensure that all our procedures are robust and comprehensive. Every possible effort is exerted to maintain data integrity.

• IRIS DataExtractor (as the data processor) will only act on the customers documented instruction regarding handling personal data. For more details, please see the contract terms and user agreement.

• IRIS Data Extractors named Data Protection Officer is Vincenzo Ardilio – Data Protection Officer The following guide will answer more specific data protection queries but if you have any more questions, please contact the Helpdesk team at helpdesk-tcg@iris.co.uk

2. Data Access Policy

Due to changes in legislation from September 2012 at the DBS (Disclosure and Barring Service), some of IRIS DataExtractor business activities no longer meet the revised criteria for regulated activity with regard to access to school data and contact with children & young people. However, roles that involve regular visits to schools still qualify for a DBS check and are carried out where applicable. IRIS Schools data Extractor is solely managed by IRIS employees with no direct access to the data by 3rd parties or customers. Customers can submit requests about information stored by them.

• Iris DataExtractor Employees. To maintain a consistent approach, employees are given limited access rights (for the IRIS Data Extractor system, and our own recording system) based upon their operational requirements. Three levels of access rights are used

1. Basic level for General Support

2. Intermediate level for Development and 3rd line support

3. Administrator level which has full access to the back-end Infrastructure

• All access levels are fully logged and monitored regularly - allowing a clear audit trial, and exact usage information.

• Each is issued with their own back-office system User ID and appropriate password.

• Employees use these identities and passwords in keeping with secure practices (passwords are not compromised by sharing)

• Similarly, each uses a secure login and password for the IRIS DataExtractor internal systems and network.

• Employees are educated on matters of security and integrity, and the confidentiality of information.

• Relevant user IDs and passwords are disabled on leaving the company’s employment.

• Employees access levels are reviewed on a regularly basis.

• All paper-based sensitive information is disposed of by shredding.

• Laptops and mobile devices used by members of staff that work outside of the office environment (in schools) are all encrypted. Laptop hard drives are fully encrypted using Bitlocker which uses AES encryption. Smartphones and tablet devices are all password protected and use built in encryption where available.

3. Key System Specifications

The system maintains a database containing the following data: The system extracts the following data

• Student Data including photos

• Staff Data including photos

• Meal Data

• Attendance Data

• Timetables

Permission is managed by the school. Permission is given by the school for DE to access the above data.

4. Data Upload Process

Data is uploaded from the school’s Management Information System either automatically each night or on an adhoc bases should the site raise an issue. IRIS Data Extractor has a school server-side piece of software for certain MIS’ that securely uploads data from the relevant MIS. For any MIS which is cloud based then the IRIS Data Extractor connects directly. Once data is extracted it is securely transferred into our cloud infrastructure and stored ready for consumers to ingest.

5. Security and Data Protection

• The IRIS Data Extractor system incorporates a rigorous security protocol allowing access to authorised personnel only via a Username, Password and VPN Access.

• Authorised users are also subject to access restrictions determined by their personal level of security clearance.

6. Data Holding and Destruction Policy

• IRIS Data Extractor is committed to the protection of data held whilst customers are accessing the system.

• If a customer cancels their agreement, their school setup is deleted from the IRIS DataExtractor system, meaning that all personal pupil and staff data is removed. The school is asked to remove all related software from their school systems.

7. Software Renewal Policy and Security Auditing

• As we utilize different software applications in our rolled-out products, when new versions of software are released, for security and stability reasons, we carry out research to determine if any of the changes affect components/functions that we use.

• If we highlight any changes that are security based and could comprise our software build, we aim to have the software updated as soon as possible.

• If we highlight any changes that are feature based, that do not affect the day to day running of the system, and we look to roll these updates out at the next development cycle.

• Updates to hardware/operating systems are carried out by our operations team as and when required.

• Security Auditing. As Data Protection is of paramount importance to IRIS Data Extractor operations, annual Security Audits and pen testing of all our systems and processes are carried out regularly by our experienced engineers.

8. Subject Access Request and Data Breach Policy

• We are fully committed to support schools with any rights of access requests they have. This may come from a parent, student, or member of staff at the school. We will respond to requests without undue delay and within one month of receipt.

• We can export and share data, with written consent, in common formats like Excel and Word.

• Data Breaches. All of our employees have completed training around data protection and how to identify a data breach along with the responsibility to report any breach to our data protection officer.

• If the data breach involves any school’s data, we will inform the signatory (or suitably senior official at the school) of the data breach within 8 hours.

• If the breach is reportable under GDPR, it will be reported by our data protection officer (via our data protection management tool) to the ICO within 72 hours.

Open