Menu

Security and Safeguarding

Home Support Security and Safeguarding

Security like no other

We understand how important it is for you to protect and safeguard everyone in your community, which is why IRIS Connect ensures outstanding security. We have thought very carefully about our legal responsibilities and your peace of mind, building a system that’s rooted in data protection, privacy and safety.

IRIS Connect is the only video professional learning platform with a protocol agreed between the ASCL and NASUWT. 

Why are data protection, privacy and security so important?

Video is a powerful tool for accelerating teaching and learning, but it is vital that the students featured in a lesson recording are appropriately protected at all times.

A school leader who purchases a system that does not meet basic data protection requirements exposes the school to a range of significant liabilities, not least the failure of an Ofsted inspection on the grounds of safeguarding.

 

What questions should I ask?

Our platform is designed to be a safe professional learning community, but not all video technology providers prioritise your safety in the same way. Not everyone abides by the relevant legal frameworks and some don’t even provide very basic security measures.

Here are a series of basic questions you can use to help establish whether a video system puts your security first.

These considerations will help you check whether a provider is aware of the legal framework that schools have to operate within, provides an agreement that meets it and can look after your data in such a way that it will not be lost or accessed by others.

Questions relating to agreements and data protection

Does the provider offer an agreement that complies with the Data Protection Act (DPA)?

The DPA outlines how an individual’s personal information is used by businesses, the government and organisations. Information must be used fairly and lawfully and kept safe and secure.

The DPA outlines 8 principles that organisations must comply with. IRIS Connect has built its system around these principles and the Information Commissioner’s Office’s (ICO) ‘privacy by design’ approach that promotes privacy and data protection compliance from the start. We are always putting our user’s rights at the heart of what we do.

Is the provider registered with the Information Commissioner's Office as a data processor?

The DPA requires every organisation that processes personal information to register with the ICO.

IRIS Connect registered as a data processor on 22nd April 2010 . 

Does the provider ensure that all data is stored within the EEA (European Economic Area)?

Keeping data within the customer’s geographic region will ensure it complies to the requirements for that customer’s organisation and is covered by the necessary legal protection.

As a global company with customers in 6 continents, IRIS Connect respects geographical regulations for data protection, such as the EU Data Protection Directive. We ensure secure processing and store all client data within their geographical region.

All data for EU customers is stored within the EU.

Questions relating to privacy

Does the provider ensure the individual user keeps control of videos and has the right to delete at any time?

From a data protection perspective, this is key to addressing informational privacy best practice. This includes ‘the ability of a person to control, edit, manage and delete information about themselves and to decide how and to what extent such information is communicated to others’, as outlined in the ICO Privacy Impact Assessment Code of Practice.

By ensuring the user keeps control of their data, the system also keeps its focus as a developmental tool with the user’s interests at its core rather than as an assessment tool.

We ensure all the organisations in our community appoint an Organisation Administrator who is responsible for agreeing to and enforcing the IRIS Connect EULA.

The IRIS Connect EULA also makes clear that our system is to be used only within a supportive developmental framework. It states that IRIS Connect act solely as the data processor, the school acts as the data controller and the end user the data owner. This agreement also gives individual users the right to delete videos and ensures that individual videos will not be recorded or shared with any other IRIS Connect user without their explicit permission.


Does the provider guarantee videos will not be recorded or shared with any other users without explicit permission?

The ICO encourages organisations to ensure that privacy and data protection is a key consideration in the early stages of any project and then throughout its lifecycle. Taking a ‘privacy by design’ approach is an essential tool for minimising privacy and data sharing risks and building trust.

By adopting a system where only the user makes decisions about what data to share and to whom, the system is inline with a user driven personal development model not assessment.

The IRIS Connect system is based on individual user accounts and permissioning, where each user has their own personal username and password for their account in our platform. The observed user has to agree to a recording taking place before the system allows another user to connect to the camera. The same protections exist once a video has been encrypted and uploaded. This means users are only able to see data that has been explicitly shared with them. Users are limited to sharing videos with other users at their organisation, but collaboration with other organisations can be enabled at the permission of the Organisation Administrator.

Users have complete control over who has access to their data by deciding to share reflections either with individual users or into a group library. A fundamental principle of the system is that users will never ‘lose sight or control’ of their video. They will always be able to see the video and any associated data. Users retain the right to delete a video or remove sharing privileges at any time.

Questions for cloud-based solutions

Does the provider store all data at rest within a world-class data storage environment?

The DPA contains special provisions where schools use a data processor:

1. You must choose a data processor that provides sufficient guarantees about its security measures to protect the processing it will do for you
2. You must take reasonable steps to check that those security measures are being put into practice

IRIS Connects stores all data within a world-class environment trusted by numerous government and public sector organisations to store highly sensitive data. The environment utilises state-of-the art network security, electronic surveillance, physical security and multi-factor access control system to protect client data. The data centres are staffed 24×7 by trained security teams. This environment has qualified for the following assurance programs:

ISO 27001 (widely-adopted global security standard)
ISO 9001 (global standard for managing the quality of products and services)
G-Cloud (UK Government security standard)
FERPA (U.S. Department of Education)
FIPS 140-2 (U.S. government security standard)
DIACAP and FISMA (U.S. Federal Information Security Management)
DoD CSM Levels 1-2, 3-5 (U.S. Department of Defence)
IRAP (Australia) MTCS Tier 3 Certification (Singapore Security Management Standard)
PCI DSS Level 1 (Payment Card Industry Data Security Standard)
SOC 1/ ISAE 3402 ( Service Organization Controls reports)
SOC 2 ( Service Organization Controls reports)
SOC 3 ( Service Organization Controls reports)
CJIS (U.S. Criminal Justice Information Services)
CSA (Cloud Security Alliance) HIPAA (storage of protected health information)
FedRAMP (SM) (The Federal Risk and Authorization Management Program)

Does the provider provide a robust authentication process to protect access to personal data and / or user accounts?

The ICO states: ‘Information security is probably the most important area for schools to concentrate on. The loss of or unauthorised access to personal information is likely to cause most harm to pupils, parents or staff and is most likely to result in us taking action. Individuals have a right to take action for compensation if loss of personal data causes them damage. The Information Commissioner now has the power to impose a monetary penalty for serious contraventions of the data protection principles.’ Not taking security seriously causes a reputational risk and could cost you money.

The IRIS Connect system is based on individual user accounts and permissioning, where each user has their own personal username and password for their account in our platform.

Each account is linked to an email address, which needs to be verified. Further passwords cannot be reset by the Organisation Administrator nor email addresses changed to gain access through the ‘forgotten password’ process.

The entire IRIS Connect platform (including the login page) uses SSL (https) to protect against ‘man in the middle attacks’ and ensure that user’s account credentials and data are sent securely through the latest industry standards.

Does the provider ensure all data transmitted to and from its cloud service is securely encrypted?


SSL encryption is a security protocol that allows sensitive information to be transmitted securely. The ICO states: ‘it is good practice to encrypt data whilst it is being transferred from one device to another (e.g. across the internet or over a wireless connection) to provide effective protection against interception of the communication by a third party whilst the data is in transfer.’

IRIS Connect ensures any data in transit is encrypted using the leading industry practice ( TLS 1.2 ).

Does the provider ensure all requests to delete data are complied with and data is disposed of responsibly and securely?


Inline with principle 5 (data retention) and principle 7 (security) of the DPA, ‘it is not only important to monitor data transfer and storage but also the deletion of data, where data is deleted from a live system, it should also be deleted from any back-ups as well.’

Customer data (financial) will be retained in line with local legal frameworks.

Customer data (non-financial) will be disposed of following termination of licence. Our secure data centre employs industry standard procedures on the decommissioning of its storage devices at the end of their useful life.

Deleted data will be stored for 3 months in case the customer needs to retrieve it. The back-ups will be stored for a further 6 months before being destroyed.

There are certain occasions when information needs to be preserved beyond this limit, such as in the following circumstances:
• Legal proceedings or a regulatory or similar investigation or obligation to produce information are known to be likely, threatened or actual
• A crime is suspected or detected
• Information is relevant to a company in liquidation or receivership, where a debt is due to IRIS Connect
• In the case of possible or actual legal proceedings, investigations or crimes occurring, the type of information that needs to be retained relates to any that will help or harm IRIS Connect or the other side’s case or liability or amount involved 

Does the provider ensure that its security processes and systems are regularly reviewed internally and through independent services?

Utlising independent services ensures that a wider analysis of the system is taking place, which can be important in introducing updated processes and highlighting weaknesses that might not be forthcoming from an internal review.

This alternative perspective review will assist in identifying any practices that could cause security, storage or usability issues.

IRIS Connect have partnered with ‘Well-Typed’ who are independent development consultants who regularly provide input and advice into the latest industry standards and best practice processes that are then incorporated into our new feature and security developments and infrastructure maintenance to provide the best experience for our users.

Does the provider ensure that adequate data recovery and back-up systems are in place?


Collecting and storing your data in a system involves financial, time and process investment and often this stored data is irreplaceable. This investment needs to be protected and if a recovery is required, the service provider must ensure they are able to restore this without alteration from a back-up.

By using Amazon S3 infrastructure IRIS Connect are able to ensure that all data stored in the web platform is backed up on an hourly basis.

Does the provider confirm that it has sufficient capacity to ensure a resilient, reliable and accessible service?

The service provider needs to demonstrate and provide evidence that their services are reliable, supported and will be able to meet your service needs.

IRIS Connect utilises market leading services (Amazon S3) for data processing and storage. We regularly and automatically utilise their scaling infrastructure to deal with increases in service traffic.

IRIS Connect have provided 99.9% service uptime in the last 18 months during core operating hours (6am-4pm Pacific Time).

IRIS Connect provides free full support to all customers, enabling us to quickly resolve any issues logged. This is provided Monday – Friday between 6am-4pm Pacific Time.

The support team are available via live chat, email and phone.

Questions for local network-based solutions

Is data stored securely and backed-up in case of a disk failure?

Sensitive data needs to be secured both physically and digitally to safeguard against theft, which would place the data outside of the data subject’s control and contravene safeguarding guidelines of the DPA.

Further the data needs to have a reliable, regular back-up; ideally to an off-site location in the event of a fire / flood etc.

IRIS Connect is a fully cloud-based solution with no devices permanently storing files.

For full user control and data security, videos are never stored on individual devices or local servers. Instead, they are encrypted, immediately uploaded to our platform and automatically deleted from the device they were recorded on.

The platform is designed to ensure that data remains in the secure, password protected environment, including adding Editing and Groups for cross-organisational sharing and not enabling the downloading of sensitive data to local devices.

Is the security of hardware regularly reviewed internally and through independent services?

As above, sensitive data needs to be secured both physically and digitally to safeguard against theft, which would place the data outside of the data subject’s control and contravene safeguarding guidelines of the DPA.

Further the data needs to have a reliable, regular back-up ideally to an off-site location in the event of a disk failure, fire, flood etc.

IRIS Connect is a fully cloud-based solution with no local devices permanently storing data.

Are passwords stored in a secure database and in an encrypted format?


The use of passwords as a secure authentication step to safeguard data stored on the system will be compromised if the passwords are not stored in an encrypted format. This presents a security risk. When passwords are stored in an encrypted format, they will be useless if someone manages to gain access to them.

IRIS Connect’s Discovery Kit stores passwords which are held in an encrypted format with the app of the iPads.

Has hardware passed rigorous safety testing and does it have a CE mark with supporting documentation?


CE marking is a mandatory conformity marking for certain products sold within the European Economic Area (EEA) since 1985. The manufacturer has to take certain obligatory steps before the product can bear CE marking, including a conformity assessment, setting-up a technical file and signing a declaration stipulated by the leading legislation for the product. The documentation has to be made available to authorities upon request.

All devices supplied by IRIS Connect are CE marked and have gone through independent testing to ensure they are inline with EEA product safety legislation.

IRIS Connect allows teachers to upload classroom video to our secure platform where they can share it with other educators at their school and other approved education organizations, so they can collaborate and learn from each other.

These videos often include students as they interact with the teacher and their peers in the classroom. Teachers are completely in control of these videos – only they can decide which educators can see them. IRIS Connect will not share these videos with third parties.

Am I able to request to see any data held of my child?

If you wish to view any recording that might include your child please ask your teacher and they will follow the appropriate policies and law for your region.

Who will be able to see these recordings?

IRIS Connect provides a secure, online platform for professional learning to a closed community of education professionals. Recordings can only be shared by your child’s teacher to users and groups that the school has approved.

In what circumstances would my child be recorded?

Teachers use IRIS Connect to record their classroom teaching so that they can be continually improving their instruction and meeting the learning needs of your student. Your student may be recorded in the classroom as they are learning.

Do I need to give permission / can I refuse for my child to be recorded?

Schools typically request permission from parents to video record their student during the registration process. Please consult your school to learn more about your local policies.

Besides educators, who else can see these videos? Will IRIS Connect share these videos with third parties?

Only educators with authorized accounts can access videos on the IRIS Connect platform. IRIS Connect never shares classroom videos with any third party in normal use. There are certain occasions, such as when a crime is suspected, in which IRIS Connect would comply with the law to release data if requested with appropriate authority.

Could these recordings be uploaded to other websites?

IRIS Connect does not enable the downloading of video content from the platform. When a video is downloaded, control of it could be lost with copies being made or it being uploaded to public access website. IRIS Connect has developed its platform to make it the safest and most secure environment for teachers to participate in video-based CPD. In controlled circumstances and with appropriate authorisation, downloading of a video is permitted, for example when evidencing teaching for a professional certification.

Our platform is designed with your security and privacy at its heart. You’ll be given your own password protected account on our cloud-based server, where any videos that you record will automatically be uploaded to. This ensures video security, avoids storage problems and allows you to access your videos at any time and from anywhere.

When using IRIS Connect, you have complete control over who sees any of the videos that you create, sharing them with only individuals or groups that you choose. You also have the ability to delete or remove sharing privileges as you wish.

Can I download my reflection?

IRIS Connect does not enable the downloading of video content because when a video is downloaded, control could be lost and it could end up in anyone’s hands.

This means your community isn’t being appropriately safeguarded as the video is no longer private or secure and doesn’t adhere to relevant data protection laws.

We’ve built features into our platform that mean you should have no need to download your videos, including editing, sharing across organisations using Groups and anonymisation.

If you feel you have a very exceptional reason for needing to download a video then please get in touch.

Can I share my reflection with someone outside of my organisation?

With our Groups tool, you can create and join Groups to share practice around a particular focus both within and beyond your school.

But, to keep security a main priority, all Groups that include users from other organisations need to be approved by your Organisation Administrator.

I would like to share a reflection but want to anonymise the individuals - is this possible?

The IRIS Connect platform provides an anonymisation tool to further protect data. This feature enables easy anonymisation of any reflection, which you can apply before sharing with colleagues.


1. a) Notified of Breach (Discovered or informed)
2. b) Containment/Recovery
3. i) Inform relevant Senior Management
4.ii) Ascertain breach status

iii) Ascertain if Law Enforcement should be notified

1.iv) Recover or limit/damage from the breach
2. c) Investigation
3. i) Investigate : type of data, its sensitivity, what protections are in place (e.g. encryption), what has happened to the data, whether the data could be put to any illegal or inappropriate use, how many people are affected, what type of people have been affected (the public, suppliers etc) and whether there are wider consequences to the breach.
4.ii) Investigation should be completed urgently and wherever possible within 24 hours of the breach being discovered/reported. A further review of the causes of the breach and recommendations for future improvements can be done once the matter has been resolved.
5. d) Notification
6. i) Assess and notify which relevant parties should be notified of the breach.
7. e) Review & Evaluation
8. i) Conduct a full review of the causes and effectiveness of the response to the breach complied and reported to the board of Directors.
9. f) Implementation
i) Implement appropriate recommendations from the Evaluation report.



 

Platform-Image-4







NASUWT/ASCL agreement about IRIS Connect


ascl_nasuwt_agreement


Read the agreement


Buyer’s Guide to Video Professional Learning


buying video professional development


Download




Further information about security and safeguarding policies:



If you have any questions about data protection, privacy or security, then please get in touch.


Contact UsOur Platform