Do you have a Data Protection Officer or another role responsible for data protection?
Yes.
Please provide a summary of the activities undertaken to ensure GDPR compliance.
Nurtureuk works to a data protection policy, and has implemented an ISO27001-accredited information security management system. Activities include minimising processing, producing risk assessments and implementing treatment plans for processing, tight access controls to all systems, a secure development policy that covers all custom development of systems, providing accurate privacy notices for processing activities, recording processing activities, and implementing plans for dealing with subject access requests.
What personal data do you process?
See our privacy policy: https://new.boxallprofile.org/privacy
For what purpose do you process this personal data?
See our privacy policy: https://new.boxallprofile.org/privacy
What are the risks to data subjects’ rights and freedoms if the personal data is destroyed, lost, altered, disclosed without authority, or accessed without authority?
We risk assess all data processing as part of our general risk assessments for data processing and information security. Our risk treatment plan for information security, part of our Information Security Management System (ISMS), includes specific treatments for all risks related to information security. The majority of our data processing is considered low risk, and we ensure extra safeguards for processing that involves higher-risk data.
In what countries is data stored?
All student data is held within the UK. Some other personal data (e.g. names and email addresses of staff) is held in the EEA and outside the EEA. All transfers are risk assessed in line with ICO guidance. Full details of data processing, sub-processors and transfers are in our privacy policy: https://new.boxallprofile.org/privacy
What technical and organisational security measures do you have in place to ensure a level of security appropriate to the risk?
We are ISO27001 accredited for information management and use a risk-based approach to implement security measures for our systems and for customer data.
Risk treatments include:
- Access controls for all internal and external users
- Multi-layer security for key systems
- Password policies for systems
- Encryption of all systems at rest and in transit
- Full backups and test restores
- Regular security audits
- Business continuity plans and regular tests
- Secure development practice
Do you have any security accreditations (e.g. ISO27001)? If so, please provide evidence of certification.
ISO27001:2013 certified for information security management
Do you engage sub-processors?
All sub-processors are listed in the privacy policy (https://new.boxallprofile.org/privacy) for the service.
How do you ensure that your sub-processors have appropriate technical and security measures to ensure a level of security appropriate to the risk?
All sub-processors are listed in the privacy policy (https://new.boxallprofile.org/privacy) for the service. All our suppliers go through a regular supplier risk assessment and review process as part of our ISMS.
What provisions do you have in place to either delete or return the personal data once the service comes to an end?
All sub-processors are listed in the privacy policy (https://new.boxallprofile.org/privacy) for the service. All transfers are risk assessed, and transfers are only undertaken with appropriate controls (including contractual terms) in place.
What provisions do you have in place to either delete or return the personal data once the service comes to an end?
Data controllers can request deletion of personal data at any time, limited only by any legal or contractual requirements to retain the data. The privacy policy (https://new.boxallprofile.org/privacy) includes specific terms on data retention.
What provisions/training do you have in place to ensure that your employees process the personal data in accordance with customers' instructions?
All employees and contractors are contractually required to work to the nurtureuk Data Processing Policy and in line with appropriate controls specified within the ISMS and risk assessments.
What process do you have in place to identify personal data breaches and notify customers without undue delay?
We monitor key systems for data breaches through activity logging. Suspected breaches are treated in line with our ISMS incident management procedure and in line with ICO rules on notification.
Do you have a formal Disaster Recovery Plan?
We have a formal Disaster Recovery and Business Continuity Plan, which is marked as confidential under our ISMS so cannot be shared in full. The plan includes specific sections on recovery from different types of disaster, including fallback systems. As our charity is fully remote and all key systems are cloud-based, recovery plans do not usually specify a recovery location.
Do you have a Data Security Breach Management plan, if so, has it ever been put into practice?
Yes, as part of the Disaster Recovery and Business Continuity Plan. Business continuity arrangements are tested every six months.
Have you performed internal / external technical vulnerability assessments?
Yes, annual penetration testing conducted by an external agency.
Do you have formal data protection policies and procedures in place?
Most of the named policies are part of our ISMS and are marked as confidential or internal, so cannot be shared in full.
Our processing notices form part of our privacy policy (https://new.boxallprofile.org/privacy), accessible on the nurtureuk and Boxall Profile® Online websites.
What is the Password Policy?
Passwords need to be a minimum of 8 characters and include upper case, lower case, numbers and special characters. Passwords are required to be updated every 90 days.