How Bright I's Protects School Data
Data Protection Legislation: the General Data Protection Regulation ((EU) 2016/679) and any national implementing laws, regulations, secondary legislation and other Acts of Parliament relating to data protection, as amended or updated from time to time, in the UK.
1. DATA PROTECTION
1.1 Bright I's will comply with all applicable requirements of the Data Protection Legislation.
1.2 Bright I's acknowledges that for the purposes of the Data Protection Legislation, the School is the data controller and as the Supplier Bright I's is the data processor (where Data Controller and Data Processor have the meanings as defined in the Data Protection Legislation) the provisions set out in this clause 1.2 and clauses 1.3 to 1.5 will apply. The specification or description of Services provided in Bright I's Service Level Agreement sets out the subject matter, nature and purpose of processing by the Supplier, the duration of the processing and the types of personal data (Personal Data, as defined in the Data Protection Legislation) and categories of data subject (Data Subject, as defined in the Data Protection Legislation).
1.3 Without prejudice to the generality of clause 1.1, the Supplier shall, in relation to any Personal Data processed in connection with the performance by the Supplier of its obligations under this policy:
(a) process that Personal Data only on the written instructions of the School unless the Supplier is required by the laws of any member of the European Union or by the laws of the European Union applicable to the Supplier to process Personal Data (Applicable Laws). Where the Supplier is relying on laws of a member of the European Union or European Union law as the basis for processing Personal Data, the Supplier shall promptly notify the School of this before performing the processing required by the Applicable Laws unless those Applicable Laws prohibit the Supplier from so notifying the School;
(b) ensure that it has in place appropriate technical and organisational measures, to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it);
(c) ensure that all personnel who have access to and/or process Personal Data are obliged to keep the Personal Data confidential; and
(d) not transfer any Personal Data outside of the European Economic Area unless the prior written consent of the School has been obtained and the following conditions are fulfilled:
(i) the School or the Supplier must provide appropriate safeguards in relation to the transfer;
(ii) the Data Subject has enforceable rights and effective legal remedies;
(iii) the Supplier complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred; and
(iv) the Supplier complies with reasonable instructions notified to it in advance by the School with respect to the processing of the Personal Data;
(e) assist the School in responding to any request from a Data Subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;
(f) notify the School immediately on becoming aware of a Personal Data breach. Such notification shall be to the School’s data protection officer as required to be appointed under the Data Protection Legislation and whose contact details will appear on the School’s website;
(g) at the written direction of the School, delete or return Personal Data and copies thereof to the School on termination of the Agreement unless required by Applicable Law to store the Personal Data; and
(h) maintain complete and accurate records and information to demonstrate its compliance with this clause 1.3 and allow for audits by the School or the School's designated auditor.
(i) ensure information is available to the School upon request in order to demonstrate compliance with Data Protection Legislation and allow the School or a third party instructed by the School to conduct audits and inspections.
1.4 Agree with the School to consent to the Supplier appointing any third party processor of Personal Data under the Service Level Agreement in writing.
1.5 The provisions of this policy shall apply during the continuance of this Agreement and indefinitely after its expiry or termination.
Schedule 1 Processing, Personal Data and Data Subjects
This policy describes certain details of the Processing of Personal Data as required by the Data Protection Legislation.
1 THE SUBJECT-MATTER
1.1 The subject-matter and duration of the Processing of Personal Data in accordance with this DPA shall consist of:
1.1.1 Providing services in the form of targeted teaching in small groups across agreed year groups to boost attainment and reading comprehension skills for those pupils who are above the expected standards at the school.
1.1.2 The contract duration is specified in the form of a Service Level Agreement. All personal data must be returned to the controller at no extra cost to the controller upon the termination of the contract, except where the applicable law may override this instruction.
2 THE NATURE AND PURPOSE OF THE PROCESSING
2.1 The nature and purpose of the Processing of Personal Data in accordance with this DPA shall consist of:
2.1.1 Aiding the attainment and reading progress of pupils
2.1.2 Data processed via electronic communication (emails) and paper copies for recording of progress and evidencing of impact. The data is disseminated in physical copies to key staff members with data access privilege as requested or as agreed in terms of service. Electronic data is stored on encrypted cloud storage (Tresorit- an EU based secure cloud storage facility for the duration of the teaching time contracted and the storage of paper copies when not carried on the processor’s person is stored in a coded secure cabinet offsite and retained in paper format for six weeks following which records are scanned and stored on Tresorit’s cloud for the duration of the teaching time contracted (11 months) and then returned as per Schedule 1, s1.1.2.
2.1.3 The processor will be able to provide access to personal data to the controller at any time during the contracted period. After the contracted period and the return of personal data to the controller, personal data will be removed and details anonymised to protect the confidentiality of data subjects.
3 THE TYPES OF PERSONAL DATA TO BE PROCESSED
3.1 The types of Personal Data that shall be processed in accordance with this DPA will be:
Dates of Birth
Pupil progress reports
Pupil attainment records
3.2 The types of Special Categories of Personal Data that shall be processed in accordance with this DPA will be:
Pupil Premium Status and Medical information to promote health and safety
4 CATEGORIES OF DATA SUBJECTS TO WHOM PERSONAL DATA RELATES
4.1 The categories of individuals whose Personal Data is processed in accordance with this DPA will be:
Staff members names and contact details
5 SECURITY MEASURES
5.1 The Data Processor will not engage another processor without prior written authorisation from the Data Controller.
5.2 The Data Processor shall implement and maintain adequate security measures to standards no less than those imposed on the Data Controller under the Data Protection Legislation whilst it continues to Process the Data on behalf of the Data Controller, [such measures shall include (but not be limited to):
5.2.4 Disaster recovery
5.2.5 Incident notification
5.2.6 Ensuring adequate security measures around paper copies of personal data including locking personal data away when it is not in use.
5.2.7 Conduct or be involved in Data Protection Impact Assessments where necessary.
6 RECIPIENTS OF PERSONAL DATA
6.1 The Data Processor shall not sub-contract any elements of the Services without prior agreement, in writing, of the Data Controller.
6.2 The Data Processor will take this opportunity to inform the School of any sub-contractual arrangements.
Third Party Details and Retention Schedule
Third Party Processor: Tresorit
Cloud storage will be held on a password protected laptop and mobile device.
The privacy notice of Tresorit is https://tresorit.com/legal/privacy-policy
Any other relevant information: The data centres used by Tresorit are audited for ISO27001:2005, SSAE 16 and several other certifications. These data centres are located in Ireland and the Netherlands.
Transfers outside EEA do not take place on Tresorit as it is EU based see https://tresorit.com/security/encryption
Retention period: Total contracted time with Bright I's following which all personal data is removed with the exception of client details necessary for legal or financial reporting which stays on record for up to 6 years.