Schools Data Services Ltd
Within this statement we want to highlight to our customers the measures we have put in place to ensure compliance with the GDPR where we hold or process personal data on your behalf.
Schools Data Services Ltd takes data security very seriously. The success of our company builds on the trust that our employees, customers and other stakeholders have in our ability to deliver a secure and quality service. This includes our ability to apply a high level of data protection and security in relation to personal data that our employees, customers and third parties entrust to us.
Certifications
Cyber Essentials - Cyber Essentials is a Government-backed, industry-supported scheme designed to help companies protect against cyber threats. We are currently implementing several changes necessary to comply with the new CE requirements, including Two Factor Authentication (2FA). Certification is independently verified and gives you peace of mind that certificate holders’ defences will protect against the vast majority of common cyber attacks.
Physical Security
Our main production servers are located in the Equinix Group facility (Williams House) based in Manchester Science Park. There is a back-up facility based in Newcastle. Communication between the two is via a secure, encrypted link. Entry to each facility is tightly controlled – with strict procedures in place to monitor and control visitor access both into and within the data centre. Extensive CCTV video camera surveillance is in place across each facility, along with security breach alarms, biometric checks and controlled physical barriers.
Customer Contracts
To comply with the GDPR, a written agreement should be in place stating that personal data is processed only on documented instructions from the controller or as required by EU law or the national laws of Member States. We are reviewing all our agreements with our customers on an individual basis to ensure compliance. This will ensure that relevant wordings are in place to cover aspects such as:
Cross Border Transfers and Sub-Processors
Schools Data Services use only secure and private UK-based servers. We do not use ‘cloud’ services to store data. Data is never stored overseas. Schools Data Services do not sub-contract out any data services to any third-party organisations. In the unlikely event that this becomes necessary, we would seek the prior written consent of the Data Controller before doing so.
Security and Business Continuity Measures
We continually seek to ensure the confidentiality, integrity and availability of the personal data we store or process. We maintain appropriate technical and organisational security measures to protect personal data against accidental or unlawful destruction or loss, alteration, unauthorised disclosure or access.
All Schools Data Services personnel with access to pupil data are vetted and are subject to a written confidentiality agreement.
Under the GDPR, we must notify any data breach to the controller without undue delay. Schools Data Services therefore has processes and procedures in place for identifying, reviewing and promptly reporting data breaches to the relevant controller.
We would provide the controller with:
We would stress again that we have comprehensive technical and organisational security measures in place to mitigate the risk of a data breach.
Data Subject Rights
Under the GDPR there are significant enhancements to the rights that individuals enjoy with regard to their personal data. Schools Data Services can work with customers for whom we hold or process personal data in order to determine how best to facilitate:
Contact Person
Any GDPR-related questions can be addressed to Mr E Whittaker or Mr A Rose at ed@sds.ac or Andrew@sds.ac
Phone: 0161 713 0402
Email: info@sds.ac