IRIS Connect has data protection, privacy and safety at its heart
We understand how important it is for you to protect and safeguard everyone in your community, which is why IRIS Connect ensures outstanding security. We have thought very carefully about our legal responsibilities and your peace of mind, building a system that’s rooted in data protection, privacy and safety.
Why are data protection, privacy and security so important?
Video is a powerful tool for accelerating teaching and learning, but it is vital that the students featured in a lesson recording are appropriately protected at all times.
A school leader who purchases a system that does not meet basic data protection requirements exposes the school to a range of significant liabilities.
What questions should I ask?
Our platform is designed to be a safe professional learning community, but not all video technology providers prioritize your safety in the same way. Not everyone abides by the relevant legal frameworks and some don’t even provide very basic security measures.
Here are a series of basic questions you can use to help establish whether a video system puts your security first.
These considerations will help you check whether a provider is aware of the legal framework within which schools have to operate, provides an agreement that meets it, and can look after your data so that it will not be lost or accessed by others.
Questions for cloud-based solutions
Does the provider store all data at rest within a world-class data storage environment?
- You must choose a data processor that provides sufficient guarantees about its security measures to protect the processing it will do for you
- You must take reasonable steps to check that those security measures are being put into practice
- ISO 27001 (widely adopted global information security standard)
- ISO 9001 (global standard for managing the quality of products and services)
- G-Cloud (UK Government)
- FERPA (U.S. Department of Education)
- FIPS 140-2 (U.S. government security standard for cryptographic modules)
- DIACAP and FISMA (U.S. federal information security management)
- DoD CSM Levels 1-2, 3-5 (U.S. Department of Defense)
- IRAP (Australia)
- MTCS Tier 3 Certification (Singapore security management standard)
- PCI DSS Level 1 (Payment Card Industry Data Security Standard)
- SOC 1 / ISAE 3402 (Service Organization Controls report)
- SOC 2 (Service Organization Controls report)
- SOC 3 (Service Organization Controls report)
- CJIS (U.S. Criminal Justice Information Services)
- CSA (Cloud Security Alliance)
- HIPAA (storage of protected health information)
- FedRAMP (Federal Risk and Authorization Management Program)
Does the provider provide a robust authentication process to protect access to personal data and / or user accounts?
Each account is linked to an email address, which must be verified. Passwords cannot be reset by the Organization Administrator, nor can email addresses be changed in order to gain access to an account through the 'forgotten password' process. The entire IRIS Connect platform, including the login page, is served over HTTPS (SSL/TLS) to protect against man-in-the-middle attacks and to ensure that users' account credentials and data are transmitted securely using current industry standards.
Does the provider ensure all data transmitted to and from its cloud service is securely encrypted?
SSL, and its successor TLS, is the security protocol underlying HTTPS: it encrypts data in transit so that sensitive information can be transmitted securely between the user's browser and the service.
Does the provider ensure all requests to delete data are complied with and data are disposed of responsibly and securely?
It is not only important to monitor the transfer and storage of data but also its deletion: when data are deleted from a live system, they should also be deleted from any back-ups.
Customer data (non-financial) will be disposed of following termination of the license. Our secure data center employs industry standard procedures for the decommissioning of its storage devices at the end of their useful life. Deleted data are retained for 3 months in case the customer needs to retrieve them; the back-ups are retained for a further 6 months before being destroyed. There are certain occasions when information needs to be preserved beyond this limit, such as the following:
• Legal proceedings, a regulatory or similar investigation, or an obligation to produce information are known to be likely, threatened or actual
• A crime is suspected or detected
• The information is relevant to a company in liquidation or receivership where a debt is due to IRIS Connect
• In the case of possible or actual legal proceedings, investigations or crimes, the information to be retained is anything that would help or harm IRIS Connect's or the other side's case, liability or the amount involved
Does the provider ensure that its security processes and systems are regularly reviewed internally and through independent services?
An independent review brings an alternative perspective and helps identify practices that could cause security, storage or usability issues.
Does the provider ensure that adequate data recovery and back-up systems are in place?
Collecting and storing your data in a system involves an investment of money, time and process, and often the stored data is irreplaceable. This investment needs to be protected: if a recovery is required, the service provider must be able to restore the data from a back-up without alteration.
Does the provider confirm that it has sufficient capacity to ensure a resilient, reliable and accessible service?
IRIS Connect has provided 99.9% service uptime over the last 18 months during core operating hours (6am-4pm Pacific Time). IRIS Connect provides free full support to all customers, enabling us to resolve logged issues quickly. Support is available Monday to Friday between 6am and 4pm Pacific Time via live chat, email and phone.
Questions for local network-based solutions
Is data stored securely and backed up in case of a disk failure?
The data needs a reliable, regular back-up, ideally to an off-site location, so that it survives a disk failure, fire, flood or similar event.
For full user control and data security, videos are never stored on individual devices or local servers. Instead, they are encrypted, uploaded immediately to our platform and automatically deleted from the device on which they were recorded. The platform is designed to keep data within its secure, password-protected environment: editing and cross-organizational sharing via Groups are provided inside the platform, and downloading of sensitive data to local devices is not enabled.
Is the security of hardware regularly reviewed internally and through independent services?
Are passwords stored in a secure database and in a non-recoverable (hashed) format?
Passwords safeguard the data stored on the system only if the password store itself is protected: if passwords are held in plain text, anyone who obtains a copy of the database has every user's password, which is a serious security risk. Passwords should never be stored in a form that can be recovered. The accepted practice is to store only a salted hash produced by a deliberately slow password-hashing function, so that the stored values are of little use to someone who manages to gain access to them.
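The following is an added example, not code from IRIS Connect, showing what "stored in a non-recoverable format" means in practice. It uses only the Python standard library: each password is stored as a salted PBKDF2-HMAC-SHA256 hash with a per-record random salt and a work factor, verification recomputes the hash and compares in constant time, and, for contrast, a table of fast unsalted SHA-256 hashes is recovered with a small dictionary. The iteration count and the wordlist are assumptions chosen for illustration.

```python
"""Added example (not IRIS Connect's code): salted, slow password hashing vs. a weak store."""
import hashlib
import hmac
import os
from typing import Dict, Optional

# Assumed work factor for illustration; tune it so one verification costs tens of
# milliseconds on your hardware, and raise it as hardware gets faster.
ITERATIONS = 100_000
SALT_BYTES = 16
ALGO = "pbkdf2_sha256"


def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>'.

    A fresh random salt per record means two users with the same password get
    different stored values, and an attacker cannot precompute one table for all users.
    """
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGO}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and work factor; compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        iterations = int(iterations)
    except ValueError:
        return False  # malformed or truncated record: never treat as a match
    if algo != ALGO:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # hmac.compare_digest avoids leaking how many leading bytes matched via timing.
    return hmac.compare_digest(candidate, expected)


# --- The mistake the question above guards against: a fast, unsalted hash. ---

def weak_store(password: str) -> str:
    """Unsalted SHA-256. Fast to compute, and identical passwords give identical hashes."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# Constructed stand-in for the password dictionaries attackers actually use.
WORDLIST = ["password", "letmein", "classroom1", "Summer2019", "teacher123"]


def crack_weak_store(records: Dict[str, str], wordlist=WORDLIST) -> Dict[str, str]:
    """Recover every user whose password appears in the wordlist.

    With no salt, one hash per dictionary word is enough for the whole user table,
    because the same precomputed table applies to every user.
    """
    table = {weak_store(word): word for word in wordlist}
    return {user: table[h] for user, h in records.items() if h in table}


if __name__ == "__main__":
    stored = hash_password("teacher123")
    print(stored)                                  # salt and hash differ on every run
    print(verify_password("teacher123", stored))   # True
    print(verify_password("teacher124", stored))   # False
    leaked = {"alice": weak_store("letmein"), "bob": weak_store("Tr0ub4dor&3")}
    print(crack_weak_store(leaked))                # {'alice': 'letmein'}
```

The weak store is cracked offline in milliseconds, and the same dictionary table recovers every user who chose a common password. The salted, iterated store forces an attacker to repeat the full work factor for each user and each guess, which is the property the question above is really asking a provider about.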
Has hardware passed rigorous safety testing and does it have a CE mark with supporting documentation?
CE marking is a mandatory conformity marking for certain products sold within the European Economic Area (EEA) since 1985. The manufacturer has to take certain obligatory steps before the product can bear CE marking, including a conformity assessment, setting-up a technical file and signing a declaration stipulated by the leading legislation for the product. The documentation has to be made available to authorities upon request.
These videos often include students as they interact with the teacher and their peers in the classroom. Teachers are completely in control of these videos – only they can decide which educators can see them. IRIS Connect will not share these videos with third parties.
Am I able to request to see any data held of my child?
Who will be able to see these recordings?
In what circumstances would my child be recorded?
Could these recordings be uploaded to other websites?
When using IRIS Connect, you have complete control over who sees any of the videos that you create, sharing them with only individuals or groups that you choose. You also have the ability to delete or remove sharing privileges as you wish.
Can I download my reflection?
Once a video has been downloaded it is outside the platform's protection, which means your community is no longer being appropriately safeguarded: the video is no longer private or secure, and the relevant data protection laws are no longer being adhered to.
We’ve built features into our platform that mean you should have no need to download your videos, including editing, sharing across organizations using Groups and anonymization.
If you feel you have a very exceptional reason for needing to download a video then please get in touch.
- Notified of breach (discovered or informed)
- Containment / recovery
  - Inform relevant senior management
  - Ascertain breach status
  - Ascertain whether law enforcement should be notified
  - Recover from, or limit the damage of, the breach
- Investigation
  - Investigate the type of data, its sensitivity, what protections are in place (e.g. encryption), what has happened to the data, whether the data could be put to any illegal or inappropriate use, how many people are affected, what type of people have been affected (the public, suppliers etc.) and whether there are wider consequences to the breach.
  - The investigation should be completed urgently and wherever possible within 24 hours of the breach being discovered or reported. A further review of the causes of the breach and recommendations for future improvements can be made once the matter has been resolved.
- Notification
  - Assess which relevant parties should be notified of the breach, and notify them.
- Review and evaluation
  - Conduct a full review of the causes of the breach and of the effectiveness of the response, compiled and reported to the Board of Directors.
- Implementation
  - Implement appropriate recommendations from the evaluation report.