Whilst every effort has been made to provide you with accurate information, please note we are not in a position to provide legal advice and we would recommend that you defer to your Organisation's Data Protection Officer for any final decisions.

 

Q1.) We have been considering the implications of using IRIS Connect in light of the GDPR changes and were wondering whether we need the permission of all pupils in the classroom to be able to film a lesson?

We have produced a resource on how to manage GDPR and IRIS Connect:

GDPR – Managing your compliance

Q2.) How does GDPR affect organisations being able to record video?

We would recommend you discuss this with your Data Protection Officer to make sure you have the necessary policies in place.

However some things that you might want to consider before sharing data with another organisation are:

1) Make sure the data sharing is covered in the relevant privacy notice. The privacy notice could include:

IRIS Connect example text: Data will be shared with other education organisations solely for the use of teachers' professional development. Data will only be shared through a secure online platform which ensures our Organisation remains the Data Controller at all times. This data cannot be shared onward by those who have access to it and will only be shared for the duration required for that professional development.

The Department for Education, in its guidance on privacy notices, states:

“3.5 Who is data shared with:

We would expect you to list all instances of routine data sharing. This is data shared on a regular basis. Any instances of one-off transfers or ad-hoc requests do not need to be listed; however, any such sharing must also have a lawful reason.

3.6 Why data is shared?

This section allows you to expand on why you routinely share information with the list of named recipients. Use this section to list the reasons for sharing and any relevant legislation that allows the sharing of the data. With regard to statutory data collections to the DfE, best practice indicates you state the relevant legislation for each data collection you participate in: each data collection or census guide contains the current legislation detailing the lawful basis for collection https://www.gov.uk/education/data-collection-and-censuses-for-schools

…To satisfy data subjects, it is also useful to include information on how data is transferred and provide links to data retention policies of the recipient where relevant / available.”

2) Alongside a privacy notice you might consider putting in place a Data Sharing Agreement or a Data Processing Agreement between the organisations (if you are sharing via the IRIS Connect web platform, the organisation you share with is likely to be a Data Processor of that data, with your organisation remaining the Data Controller).

Here is an example of a data sharing agreement

3) Whilst the cartoonization feature within the IRIS Connect platform might appear to remove the need for policies and agreements, since the video can be depersonalised, personal data can still be shared through the audio in the video and through the associated text comments, so it is better to ensure that robust privacy policies or data agreements/addendums are in place.

A resource you might find useful is Data protection: a toolkit for schools, produced by the Department for Education.

The ICO website also has some useful information about data sharing:

“If you are sharing personal data with other organisations you should consider whether you need to actively inform the data subjects about this. Data can be shared in many different scenarios, including businesses selling data on a commercial basis or public authorities sharing data to improve the delivery of services.

In order to treat people fairly prior to sharing information, you must carefully consider what any recipient organisation is going to do with it and what the effect on people is likely to be. It is good practice to obtain an assurance about this, for example in the form of a contract or a written data sharing agreement.”

 

Q3.) Where is the data we upload to the IRIS Connect platform stored?

For the locations where your data is stored, see our Organisation Agreement, section 13.3.

 

Q4.) Is IRIS Connect GDPR compliant and able to demonstrate compliance?

IRIS Connect will be compliant with GDPR by May 25th. To review all our policies and certificates, see our GDPR page.

 

Q5.) Do you have a process for deleting personal data when asked by the data controller?

Yes – see our policies:

Data Retention policy, the privacy notice for the web platform, Organisation Admin Agreement

 

Q6) What data does IRIS Connect hold in relation to our organisation?

Please see the privacy notices for the web platform and website.

 

Q7.) How long does IRIS Connect store our data for?

For data where you are the Data Controller you manage how long the data is stored for. See the Data Retention policy and Organisation Admin Agreement for more information.

For data where we are the Data Controller, see the privacy notice for the IRIS Connect web platform and website.

 

Q8.) Who does IRIS Connect share our data with?

IRIS Connect does not share any data where you are the Data Controller and IRIS Connect is the Data Processor.

For any data where IRIS Connect is the Data Controller, we only share data with our partners who have been certified by IRIS Connect to exclusively represent them in specific regions. Further information on this can be found on the privacy notice for the IRIS Connect web platform and website.

 

Q9.) Does your organisation provide training to staff on data protection management?

All staff will be provided the necessary training on GDPR including data protection management prior to May 25th. Staff training will be provided on a regular basis.

 

Q10.) What technical and organisational security measures do you have in place to protect personal data?

Please see our Security Measures and Controls document for our security provisions and procedures as well as our Security and Safeguarding page.

 

Q11.) Do you have a written policy for data protection? If yes, does it provide a procedure for data breaches and notification of customers of a breach? 

Yes, see our data policies on the website's GDPR page, in particular the Data Breach Response and Notification Procedure.

 

Q12.) In the event of a data breach, what is the process? 

Please see our data policies on the website's GDPR page, in particular the Data Breach Response and Notification Procedure.

 

Q13.) Should there be a breach, please confirm that you notify us as soon as you are aware? 

Yes, see our data policies on the website's GDPR page, in particular the Data Breach Response and Notification Procedure.

 

Q14.) In the event of a breach please confirm that you will cooperate with us to report, manage and recover data that you have also had access to or use?

Yes, see our data policies on the website's GDPR page, in particular the Data Breach Response and Notification Procedure.

 

Q15.) Are you registered with the Information Commissioner’s Office?

Yes, IRIS Connect registered as a data processor on 22nd April 2010. Our certificate can be found here.

 

Q16.) Does your organisation have differentiated access to data depending on the level of sensitivity?

Yes, our staff have strict controls over who may access data and protocols for gaining permission from clients if access is required. The level of data access is tied to each member of staff’s role and its specific requirements.

 

Q17.) Are data management procedures regularly reviewed?

Yes, all policies and procedures are reviewed regularly.

Q18.) Who is the person responsible for data management/protection in your organisation?

IRIS Connect's Data Protection Officer is Simeon Drage, who can be contacted at dpo@irisconnect.co.uk.

 

Q19.) What action are you taking to comply with the GDPR?

We have been externally audited and certified to ensure that we comply with the UK Government's Cyber Security scheme. IRIS Connect has completed an additional external audit of all of its services and teams to ensure that it will be fully compliant with GDPR by 25 May 2018. To support our compliance on this date, IRIS Connect has reviewed all its policies and procedures, which are available on our website.

 

Q20.) Do you have any information management accreditation?

We have had an external audit by a Qualified Security Assessor accredited by the PCI Security Standards Council. This included a gap analysis against the international standard ISO 27001, which we are now working towards and expect to become accredited against during 2019.

 

Q21.) Do you provide a processor contract that is updated to reflect the GDPR changes, including the following?

  • That you help the data controller comply with requirements regarding the data rights of the individuals (e.g. to access, delete or rectify data), secure processing, the reporting and communication of data breaches, and the conducting of impact assessments where relevant
  • That the data processor (IRIS Connect) processes data only on the documented instructions of the data controller
  • That you delete or return the personal data to the data controller at the end of your provision of services
  • That you make information available to us to demonstrate your compliance with the obligations in our contract, and allow the data controller or a 3rd party instructed by the data controller to conduct audits and inspections
  • The subject matter, duration, nature and purpose of the processing
  • The data controller's obligations and rights
  • The type of personal data being processed
  • The categories of the data subjects
  • That the people who process the data are committed to confidentiality
  • That you take measures to ensure secure processing
  • That you will not engage another processor without prior written authorisation from the Trust, and that if you do so, that processor will also be bound by the same data protection conditions as are in your contract with us

Yes, we have updated our Organization Agreement, which acts as a processor agreement. All organizations will be required to agree to this to continue to use our services. A copy of the agreement is here. Admin users will agree to this agreement via the IRIS Connect Web Platform.

 

Q22.) Does IRIS Connect process only on documented instructions, including international transfers? 

Yes, this is covered in the Organization Agreement, Section 5.7.1: Customer’s Instructions.

 

Q23.) Does IRIS Connect only use the data we provide or that you access from our organisations in accordance with our instructions?

Yes, this is covered in the Organization Agreement, Section 5.7.1: Customer’s Instructions.

 

Q24.) Does IRIS Connect ensure those processing personal data are under a confidentiality obligation (contractual or statutory)?

Yes, all IRIS Connect employees have agreed to a confidentiality obligation via their employment contract.

 

Q25.) Does IRIS Connect ensure that anyone in your organisation understands the data they have access to is confidential and must not be shared with anyone without the data controller’s prior agreement?

Yes, this is covered in the Organization Agreement, Section 7.2: Security Compliance by IRIS Connect Staff.

 

Q26.) Does IRIS Connect take all measures required under the security provisions (Article 32) which includes pseudonymisation and encrypting data as appropriate? 

Yes, for details about our security see our Security Measures and Controls document for our security provisions and procedures, as well as our Security and Safeguarding page.

 

Q27.) Does IRIS Connect take all steps to keep data secure, whether it is paper records, emails, digital or electronic?

Yes, for details about our security see our Security Measures and Controls document for our security provisions and procedures, as well as our Security and Safeguarding page.

 

Q28.) Does IRIS Connect only use a sub-processor (subcontractor) with the controller’s consent (specific or general, although where general consent is obtained processors must notify changes to controllers, giving them an opportunity to object)? 

Yes, this is covered in the Organization Agreement 14.4 Opportunity to Object to Subprocessor Changes. Information on our processors and data sharing can be found in the web platform privacy notice.

 

Q29.) If you subcontract any part of the task, and personal information and data is required by that subcontractor, you will seek and obtain our consent before proceeding?

Yes, this is covered in the Organization Agreement 19.4 Opportunity to Object to Subprocessor Changes. Information on our processors and data sharing can be found in the web platform privacy notice.

 

Q30.) Does IRIS Connect assist the controller in responding to requests from individuals (data subjects) exercising their rights? 

Yes, this is covered in the Organization Agreement section 12: Data Subject Rights; Data Export.

 

Q31.) On occasion, we may receive a request to release information that we hold about an individual, whose data you have used or processed on our behalf. Please confirm that in those situations you will cooperate with us and provide all records about the person within a specified timeframe?

Yes, this is covered in the Organization Agreement section 12: Data Subject Rights; Data Export.

 

Q32.) Does IRIS Connect delete or return (at the controller’s choice) all personal data at the end of the agreement (unless storage is required by EU/member state law)?

Yes, this is covered in the Organization Agreement section 17.6.5: Termination due to Non-Renewal of Subscription/Licence.

 

Q33.) Does IRIS Connect make available to the controller all information necessary to demonstrate compliance; allow/contribute to audits (including inspections) and inform the controller if its instructions infringe data protection law?

Yes, all necessary information can be found on the GDPR page of our website.

IRIS Connect permits audits; this is covered in the Organization Agreement section 10.3: Customer's Audit Rights.

IRIS Connect will process data provided that doing so does not infringe data protection law. See Organization Agreement section 5.7.1: Customer's Instructions.
