Q.) We have been considering the implications of using IRIS Connect in light of the GDPR changes and were wondering whether we need the permission of all pupils in the classroom to be able to film a lesson?

GDPR sets out six lawful bases for processing personal data: consent, contract, legal obligation, vital interests, public task and legitimate interests.

As the Data Controller, the school needs to decide on which lawful basis it is processing the personal data it collects. A Data Controller can consider a range of lawful bases for processing data through IRIS Connect; however, Legitimate Interests or Consent are often judged to be the most appropriate. Please bear in mind that we are not in a position to provide legal advice; ultimately it is up to the school which route to choose.

Consent: If the school is using Consent as its lawful basis, you need the relevant permission from all data subjects whose personal data you are capturing (i.e. all people being recorded). Most schools have already gained consent to record via their home-school agreements. As schools revisit their home-school agreements, it is important to ensure they are explicit about the use of video for teacher professional development. Bear in mind that consent must be freely given and that the data subject must be able to refuse or withdraw it without detriment (see Recital 42, quoted below). For those pupils for whom you do not have consent to record, a school should consider either not recording specific classes, positioning the camera so that the pupil(s) are not recorded, or using the on-platform "cartoonization" feature, which depersonalises the video data.

Legitimate Interests: Another option for the school is to use Legitimate Interests rather than Consent as its lawful basis. It is advisable to complete a Legitimate Interests Assessment covering the recording of lessons for the purpose of professional development. There is a strong argument that better professional learning, and thereby improved learning outcomes, is a legitimate interest of the school. Note, however, that Recital 47 (quoted below) states that this basis should not apply to processing by public authorities in the performance of their tasks, so a school that is a public authority should check whether it can rely on it. Even if you choose Legitimate Interests as your lawful basis, you may wish to have a procedure for learners or parents to opt out, for example via a notice on your website. For those pupils who have opted out, the school may wish to consider the measures mentioned above: not recording certain classes, camera positioning, or the on-platform cartoonization feature.

For further information, see the ICO website's guidance on legitimate interests.

 

 

Q.) How does GDPR affect organisations being able to record video?

Data Controllers need to decide on which lawful basis they are processing the personal data they collect.

There are six lawful bases a Data Controller can choose from. For processing data through IRIS Connect, a Data Controller will typically consider either Legitimate Interests or Consent to be appropriate. The relevant GDPR recitals are quoted below.

Legitimate Interest

(47) The legitimate interests of a controller, including those of a controller to which the personal data may be disclosed, or of a third party, may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller. Such legitimate interest could exist for example where there is a relevant and appropriate relationship between the data subject and the controller in situations such as where the data subject is a client or in the service of the controller. At any rate the existence of a legitimate interest would need careful assessment including whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place. The interests and fundamental rights of the data subject could, in particular, override the interest of the data controller where personal data are processed in circumstances where data subjects do not reasonably expect further processing. Given that it is for the legislator to provide by law for the legal basis for public authorities to process personal data, that legal basis should not apply to the processing by public authorities in the performance of their tasks. The processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the data controller concerned. The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.

Consent

(42) Where processing is based on the data subject’s consent, the controller should be able to demonstrate that the data subject has given consent to the processing operation. In particular in the context of a written declaration on another matter, safeguards should ensure that the data subject is aware of the fact that and the extent to which consent is given. In accordance with Council Directive 93/13/EEC a declaration of consent preformulated by the controller should be provided in an intelligible and easily accessible form, using clear and plain language and it should not contain unfair terms. For consent to be informed, the data subject should be aware at least of the identity of the controller and the purposes of the processing for which the personal data are intended. Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.

(43) In order to ensure that consent is freely given, consent should not provide a valid legal ground for the processing of personal data in a specific case where there is a clear imbalance between the data subject and the controller, in particular where the controller is a public authority and it is therefore unlikely that consent was freely given in all the circumstances of that specific situation. Consent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations despite it being appropriate in the individual case, or if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance.

Q.) Where is the data we upload to the IRIS Connect platform stored?

For the locations where your data is stored, see our Organisation Agreement, section 18.3.

 

Q.) Is IRIS Connect GDPR compliant and able to demonstrate compliance?

IRIS Connect will be compliant with GDPR by 25 May 2018. To review all our policies and certificates, see our GDPR page.

 

Q.) Do you have a process for deleting personal data when asked by the data controller?

Yes. See our policies:

Data Retention Policy, the privacy notice for the web platform and the Organisation Admin Agreement.

 

Q.) What data does IRIS Connect hold in relation to our organisation?

Please see the privacy notices for the web platform and website.

 

Q.) How long does IRIS Connect store our data for?

For data where you are the Data Controller, you manage how long the data is stored. See the Data Retention Policy and Organisation Admin Agreement for more information.

For data where we are the Data Controller, see the privacy notices for the IRIS Connect web platform and website.

 

Q.) Who does IRIS Connect share our data with?

IRIS Connect does not share any data where you are the Data Controller and IRIS Connect is the Data Processor.

For any data where IRIS Connect is the Data Controller, we only share data with partners who have been certified by IRIS Connect to represent us exclusively in specific regions. Further information can be found in the privacy notices for the IRIS Connect web platform and website.

 

Q.) Does your organisation provide training to staff on data protection management?

All staff will have received the necessary training on GDPR, including data protection management, before 25 May 2018. Staff training is then provided on a regular basis.

 

Q.) What technical and organisational security measures do you have in place to protect personal data?

Please see our Security Measures and Controls document for our security provisions and procedures, as well as our Security and Safeguarding page.

 

Q.) Do you have a written policy for data protection? If yes, does it provide a procedure for data breaches and notification of customers of a breach? 

Yes. See our data policies on the website’s GDPR page, in particular the Data Breach Response and Notification Procedure.

 

Q.) In the event of a data breach, what is the process? 

Please see our data policies on the website’s GDPR page, in particular the Data Breach Response and Notification Procedure.

 

Q.) Should there be a breach, please confirm that you notify us as soon as you are aware? 

Yes. See our data policies on the website’s GDPR page, in particular the Data Breach Response and Notification Procedure.

 

Q.) In the event of a breach, please confirm that you will cooperate with us to report, manage and recover data that you have also had access to or used?

Yes. See our data policies on the website’s GDPR page, in particular the Data Breach Response and Notification Procedure.

 

Q.) Are you registered with the Information Commissioner’s Office?

Yes, IRIS Connect has been registered with the ICO as a data processor since 22nd April 2010. Our registration certificate is available alongside our other certificates on our GDPR page.

 

Q.) Does your organisation have differentiated access to data depending on the level of sensitivity?

Yes. Access to data is strictly controlled, and where staff need access to customer data there is a protocol for obtaining the client’s permission first. Each member of staff’s level of data access is tied to their role and its specific requirements.

 

Q.) Are data management procedures regularly reviewed?

Yes, all policies and procedures are reviewed regularly.

Q.) Who is the person responsible for data management/protection in your organisation?

IRIS Connect’s Data Protection Officer is Simeon Drage who can be contacted on dpo@irisconnect.co.uk

 

Q.) What action are you taking to comply with the GDPR?

We have been externally audited and certified under the UK Government’s Cyber Security scheme. IRIS Connect has completed an additional external audit of all of its services and teams to ensure that it will be fully compliant with GDPR by 25 May 2018. To support our compliance on this date, IRIS Connect has reviewed all its policies and procedures, which are available on our website.

 

Q.) Do you have any information management accreditation?

We have had an external audit by a Qualified Security Assessor (QSA) accredited by the PCI Security Standards Council. This included a gap analysis against the international standard ISO 27001, which we are now working towards and expect to be certified against during 2019.

 

Q.) Do you provide a processor contract that has been updated to reflect the GDPR requirements, including the following?

  • That you help the data controller comply with requirements regarding the data rights of the individuals (e.g. to access, delete or rectify data), secure processing, the reporting and communication of data breaches, and the conducting of impact assessments where relevant
  • That the data processor (IRIS Connect) processes data only on the documented instructions of the data controller
  • That you delete or return the personal data to the data controller at the end of your provision of services
  • That you make information available to us to demonstrate your compliance with the obligations in our contract, and allow the data controller or a 3rd party instructed by the data controller to conduct audits and inspections
  • The subject matter, duration, nature and purpose of the processing
  • The data controller’s obligations and rights
  • The type of personal data being processed
  • The categories of the data subjects
  • That the people who process the data are committed to confidentiality
  • That you take measures to ensure secure processing
  • That you will not engage another processor without prior written authorisation from the Trust, and that if you do so, that processor will also be bound by the same data protection conditions as are in your contract with us

Yes, we have updated our Organisation Agreement, which acts as the processor agreement. All organisations are required to agree to it to continue using our services. A copy of the agreement is available on our website. Admin users agree to it via the IRIS Connect Web Platform.

 

Q.) Does IRIS Connect process only on documented instructions, including international transfers? Does IRIS Connect only use the data we provide or that you access from our organisations in accordance with our instructions?

Yes, this is covered in the Organisation Agreement, section 10.4.1 (Customer’s Instructions).

 

Q.) Does IRIS Connect ensure those processing personal data are under a confidentiality obligation (contractual or statutory)?

Yes, all IRIS Connect employees are bound by a confidentiality obligation in their employment contract.

 

Q.) Does IRIS Connect ensure that anyone in your organisation understands the data they have access to is confidential and must not be shared with anyone without the data controller’s prior agreement?

Yes, this is covered in the Organisation Agreement, section 12.1.2 (Security Compliance by IRIS Connect Staff).

 

Q.) Does IRIS Connect take all measures required under the security provisions (Article 32) which includes pseudonymisation and encrypting data as appropriate? 

Yes, for details about our security see our Security Measures and Controls document for our security provisions and procedures, as well as our Security and Safeguarding page.

 

Q.) Does IRIS Connect take all steps to keep data secure, whether it is paper records, emails, digital or electronic?

Yes, for details about our security see our Security Measures and Controls document for our security provisions and procedures, as well as our Security and Safeguarding page.

 

Q.) Does IRIS Connect only use a sub-processor (subcontractor) with the controller’s consent (specific or general, although where general consent is obtained processors must notify changes to controllers, giving them an opportunity to object)? 

Yes, this is covered in the Organisation Agreement, section 19.4 (Opportunity to Object to Subprocessor Changes). Information on our sub-processors and data sharing can be found in the web platform privacy notice.

 

Q.) If you subcontract any part of the task, and personal information and data is required by that subcontractor, you will seek and obtain our consent before proceeding?

Yes, this is covered in the Organisation Agreement, section 19.4 (Opportunity to Object to Subprocessor Changes). Information on our sub-processors and data sharing can be found in the web platform privacy notice.

 

Q.) Does IRIS Connect assist the controller in responding to requests from individuals (data subjects) exercising their rights? 

Yes, this is covered in the Organisation Agreement, section 17 (Data Subject Rights; Data Export).

 

Q.) On occasion, we may receive a request to release information that we hold about an individual, whose data you have used or processed on our behalf. Please confirm that in those situations you will cooperate with us and provide all records about the person within a specified timeframe?

Yes, this is covered in the Organisation Agreement, section 17 (Data Subject Rights; Data Export).

 

Q.) Does IRIS Connect delete or return (at the controller’s choice) all personal data at the end of the agreement (unless storage is required by EU/member state law)?

Yes, this is covered in the Organisation Agreement, section 7.3.5 (Termination due to Non-Renewal of Subscription/Licence).

 

Q.) Does IRIS Connect make available to the controller all information necessary to demonstrate compliance; allow/contribute to audits (including inspections) and inform the controller if its instructions infringe data protection law?

Yes, all necessary information can be found on the GDPR page of our website.

IRIS Connect permits audits; this is covered in the Organisation Agreement, section 15.2 (Customer’s Audit Rights).

IRIS Connect will process data on the customer’s instructions provided that doing so does not infringe data protection law. See the Organisation Agreement, section 10.4.1 (Customer’s Instructions).
