Pupil Asset is GDPR compliant

We have embraced the new EU GDPR legislation and how it reinforces existing data protection law. Find out more below.

Data Privacy PDF

Data Request Process PDF

GDPR Frequently Asked Questions

1. How long do we hold data for?

When supplying Software-as-a-Service (SaaS) to the education sector, Pupil Asset acts upon instruction as the Data Processor. When using the Pupil Asset MIS, Tracker, Website and other SaaS, the customer is the responsible Data Controller. The Data Controller should determine the appropriate length of time to store and maintain personal data about staff, students and contacts, based upon factors including statutory and legislative guidance, safeguarding, legitimate interest, etc. This goes hand-in-hand with the premise that personally identifiable data must not be kept longer than necessary for the purpose for which it was processed.

Should a customer terminate their SaaS contract with Pupil Asset, then current system data and associated backups will be retained by Pupil Asset for a maximum of 6 months, for the specific purpose of supporting migration or retrieval of the data by the customer. Data residing on backups is encrypted to industry standards and cannot be accessed by members of the Pupil Asset team. This data is also held for a maximum of 6 months.

2. Who is responsible/what is the process for removing data?

The Data Controller is responsible for determining how long personal data should be held. This will depend upon the data association and the original purpose for processing, e.g. staff, students, contacts.

The Data Controller is responsible for the archiving and removal of personal data from any Pupil Asset SaaS. Our platform provides all of the relevant tools to facilitate your data archive and disposal processes.

Should a customer terminate their SaaS contract with Pupil Asset, then current system data and associated backups will be retained by Pupil Asset for a maximum of 6 months, for the specific purpose of supporting migration or retrieval of the data by the customer. Data residing on backups is encrypted to industry standards and cannot be accessed by members of the Pupil Asset team. This data is also held for a maximum of 6 months.

3. How do we allow individuals to access and/or manage data held about them?

We are introducing a number of features to help schools using Pupil Asset to meet their GDPR responsibilities including:

  • Subject Access Request - a one-click report which details all of the information held within Pupil Asset about Parents and Contacts, Staff, or Students.*
  • Anonymisation - switch to Anonymise mode to access the full functionality of Pupil Asset without revealing subject identifying data such as name, DoB, medical conditions, allergies, etc. Administrators can force individual users to only have access to anonymised data e.g. Governor access.
  • User Profiles - extending the user access and privacy options available to roles within your organisation.
  • Two-Factor Authentication - you may already be familiar with this: as well as the usual username/password, an SMS code sent to your mobile provides an additional level of security.

* Pupil Asset customers can submit a Subject Access Request for their own data to cpo@pupilasset.com or via our Support Desk. The process for this is outlined at https://www.pupilasset.com/gdpr.

4. What data objects do we hold for students, staff and contacts?

Please see our GDPR Data Privacy document, available to view and download at https://www.pupilasset.com/gdpr.

5. Who within Pupil Asset has access to customer data and what is the purpose of this access?

Members of the Pupil Asset support team have named access to customer data and this is specifically to provide an incident and problem management function. All access is subject to automatic transactional tamper-proof audit, which is only accessible based upon role and permissions.

6. What levels of data security do we employ?

The Pupil Asset SaaS is secured to industry standards. Data in-transit and data at-rest are encrypted to AES-256 level. Our cloud data centres are located within the European Economic Area (EEA) - physically within the UK. Our UK-located cloud hosting providers are ISO/IEC 27001:2013 certified.

7. Generally: What do Pupil Asset do to follow GDPR?

The Pupil Asset MIS and Tracker are both Crown Commercial Services (G-Cloud Procurement Framework) approved. The requirements for approval include data privacy compliance. Furthermore, we have demonstrated data privacy compliance to the DfE in order that we are recognised on their Cloud (educational apps) Software Services and the Data Protection Act supplier list, available to view at https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/644845/Cloud-services-software-31.pdf

We are in the process of commercial certification for GDPRiS at https://www.gdpr.school and https://gdpr.co.uk.

We adhere to ISO/IEC 27001:2013 for Information Security Management Systems, and our UK-located cloud hosting providers are ISO/IEC 27001:2013 certified.
