Data protection FAQ
At a glance:
Iris Looked After Call is a data processor in regards to services for our local authority customers.
Truancy Call Ltd is part of Iris Software Group.
Heathrow Approach,
470 London Road,
Slough,
SL3 8QY
Data Protection Registration Number: Z7911829
Company Registration Number: 4125665
Cyber Essentials certificate number: IASME-CE-004880
ISO 27001 certificate number: pending - certified awaiting BSI documentation
Data Protection Officer: dataprotection@iris.co.uk
Why are you collecting data from schools?
We partner with local authorities throughout the UK to collect and process data on their behalf specifically for looked after children in their care, to help them meet their statutory responsibility as corporate parents as set out in the Children Act 1989.
What has Iris Looked After Call done to comply with GDPR?
Iris Looked After Call is part of the Iris Software Group and benefits from its resources and expertise to help us meet our obligations to GDPR including:
Implementing its company-wide protocols such as:
o Group Data Protection Policy
o Acceptable Use and Information Security Policies
o Personal data incident reporting procedure
Our Group policies are available upon request via dataprotection@iris.co.uk
Working closely with the Group Data Protection Officer as needed
Our approach to product and software development ensures ‘data protection by design and by default’. Throughout our service, we are committed to maintaining high standards of information security, privacy and transparency.
We seek to implement the Cloud Security Principles and guidance from the National Cyber Security Centre.
We are Cyber Essentials certified (About Cyber Essentials ).
We actively carry out security checks on all staff on recruitment. All staff have mandatory corporate training on data protection and information security. This is rolled out on staff induction and for existing staff each training session is refreshed at least once per year
What technical and organisational security measures do you have in place to protect personal data?
All external connections to our systems are encrypted over SSL using and RSA 2048 bits DigiCert SHA2 Extended Validation certificate. All data held by Iris Looked After Call is encrypted whilst in transit. We undertake regular internal and 3rd party security auditing of our applications and premises in order to ensure they adhere to customer expectations and current industry standards. Access to data by Iris Looked After Call staff is strictly controlled and audited.
What policies and procedures do you have in place to protect personal data?
We hold ICO registration to ensure continuing compliance with Data Protection legislation. All staff receive regular training regarding the latest best practices around data security. Iris Software Group have comprehensive Disaster Recovery policies which detail processes to restore the integrity and availability its services.
How secure are your systems?
All external connections to our systems are encrypted over SSL using and RSA 2048 bits DigiCert SHA2 Extended Validation certificate. All data held by Iris Looked After Call is encrypted whilst in transit and “at rest” and securely stored within our ISO 27001 certified UK datacentres.
At what point is data deleted?
Local Authority data for Looked After Children (for those who are no longer in contract with us) will be fully purged 90 days from the termination data of the contract unless specified otherwise, as per terms and conditions laid out within the contract.
Do you hold the ISO 27000:2013 Information Security Management standard?
All Iris Looked After Call data is stored within ISO27001 certified data centres. Iris Looked After Call is certified, we are awaiting certificate from BSI.
Do you have any security accreditations
Cyber Essentials - certificate number: IASME-CE-004880
G-Cloud 12 certified
Looked After Call is regularly checked internally for security vulnerabilities and annually by a CREST accredited 3rd party penetration testing company.
Where is data hosted/stored?
Looked After data is securely stored within ISO/PCI compliant UK data centres - information available upon request.
How do you collect data from schools?
To minimise disruption, schools may choose from several different collection methods:
Automatic data collection (which depending on your schools management system can be achieved by installing software or simply granting required permissions to read the required data). This is the recommended method, as it is modern, safe and secure method to transfer the information which requires no ongoing maintenance to the school.
Secure school portal, which can be accessed at your convenience to update things such as daily attendance, termly assessment information or even PEP information as required by the authority.
Daily phone call by their dedicated calling team. They will introduce themselves as representatives of the calling authority before requesting information. All staff are DBS checked, and they will only collect the data for named pupils for which they are authorised, which will be entered directly into dedicated software - not written down or passed to anyone else.
How does the automated data extractor work?
Most modern school management systems provide a simple way for schools to share data with 3rd parties such as Iris Looked After Call - This can often be quickly and easily set up without any installation of software within the school. It is used to read data specifically for Looked After Children for authorities that have provisioned our service.
Instructions on how to set this up will depend on the school management used – We integrate with all leading providers: Capita SIMS, Advanced Progresso, RM Integris, Bromcom, Scholar Pack and others. We are an accredited technical partner of Capita SIMS and have similar arrangements with other providers. Schools remain in complete control, and can terminate the automatic data sharing at any time (which would trigger our calling team to contact daily for attendance instead).
Our data extraction software requires minimal IT administration but if help is required a dedicated team of support staff are available to assist.
What data is being processed?
Subject matter and duration of the processing | Iris Looked After Call provides data extraction and reporting services in the form of its Looked After Call product primarily used by Local Authorities in England and Wales. Services are agreed with Local Authorities for one or multi-year contracts.
|
Nature and purpose of the processing | Iris Looked After Call uses the data extracted for children in care of the authority to help virtual headteachers and other authorised agents to monitor their progress through education.
|
Type of Personal Data and Categories of data subjects | See table below |
Student Data | Parent/Carer Data | Event Data | Assessment |
Registration Data | Full Name | Attendance Marks | Exams Results |
Unique Pupil Number | Relationship | Behaviour Incidents | Assessment Results |
Full Name | Phone Numbers | Detentions | KPIs |
Registration Group | Email Addresses | Achievements |
|
Year and House Group | Addresses | Exclusion |
|
Date of Birth | Agent Details |
|
|
FSM Entitlement | Agent Phone Numbers |
|
|
Pupil Premium | Agent Emails |
|
|
School History |
|
|
|
Personal Education Plans |
|
|
|
Special Education Needs |
|
|
|
Welfare Data |
|
|
|
Are you GDPR compliant?
Iris Looked After Call is committed to high standards of information security, privacy and transparency. We place a high priority on protecting and managing data in accordance with accepted standards including Cyber Essentials. When providing services to schools and local authorities, Iris Looked After Call fulfils the role of data processor, and complies with GDPR regulations, whilst also working closely with our customers and partners to meet contractual obligations for our procedures, products and services.
Do you have a GDPR Statement?
Please click the here for our Group GDPR statement.
Can an individuals’ data be deleted and excluded from processing?
A request can be made to the local authority who in turn would instruct us to invoke our data deletion protocols.
How long is data retained?
Data it is retained for as long as the authority requires it – typically until the child is a care leaver. When data been deleted, it will be retained in our automated backup cycle for 30 days for business continuity reasons – the backups are encrypted and are only accessed if there is a need to restore data.
Has any independent penetration testing of their software taken place?
Looked After Call is subject to an annual 3rd party penetration test by a CREST accredited company.
Is the application protected by single factor authentication or two-factor authentication?
Access to the Looked After Call administration and portal sites implement option 2 factor authentication.
Understanding the new Data Protection Laws
We would strongly recommend schools seek their own legal advice if they are unsure about the implications of the new data protection laws.
Legal Disclaimer
The information contained on this website is for general guidance purposes only. It should not be taken for, nor is it intended as, legal advice. While we have made every effort to ensure that the information provided on this website is correct and up to date, Iris Software Group makes no promises as to completeness or accuracy and the information is delivered on an “as is” basis without any warranties, express or implied. Iris Software Group will not accept any liability for errors or omissions and will not be liable for any damage (including, without limitation, damage for loss of business or loss of profits) arising in contract, tort or otherwise from the use of or reliance on this information or from any action or decisions taken as a result of using this information.