top of page
Our Team

DATA PROTECTION POLICY - GDPR 2018

SCOPE

This documents lays out the procedures and principles of data protection that will be followed by all employees at Prodeo LTD.

 

All employees have completed the Prodeo GDPR Training Session and the Employee of Prodeo LTD - GDPR Compliance Document (Appendix A).

KEY DEFINITIONS

  • GDPR: General Data Protection Regulation

  • Controller: A controller determines the purposes and means of processing personal data.

  • Processor: A processor is responsible for processing personal data on behalf of a controller.

  • Personal Data: The GDPR applies to 'personal data' meaning any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier. 

  • Personal Data Breach: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to, personal data transmitted, stored of otherwise processed. 

PRODEO LTD: PROCESSER

As defined above, Prodeo LTD (Trading as Traciwr) acts as a processor of data on behalf of controllers (Education establishments, namely primary schools).

​

  • As a processor of personal data we are required under the GDPR to provide information on the following key protection areas:

  • Lawful basis for processing

  • Data Types Stored

  • Data Storage - Security

  • Data Subject Access

  • Data Breach procedures

  • Data Retention

  • Data Protection Officer

LAWFUL BASIS FOR PROCESSING

GDPR requires that a processor must have a valid lawful basis in order to process personal data. There are six available lawful bases for processing:

REF: Information Commissioner

1. Consent - The individual has given clear consent for you to process their personal data for a specific purpose. 

2. Contract - The processing is necessary for a contract you have with the individual or because they have asked you to take specific steps before entering into a contract. 

3. Legal obligation - The processing is necessary for you to comply with the law (not including contractual obligations). 

4. Vital interests - The processing is necessary to protect someone's life. 

5. Public task - The processing is necessary for you to perform a task in the public interest or for your official functions and the task or function has a clear basis in law. 

6. Legitimate interests - The processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individuals personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks). 

​

Prodeo LTD is processing the data on behalf of an educational establishment, with which we have an annual contract in order to provide access to our cloud based software. Therefore Traciwr meets the lawful obligation point 2 which state the processing is necessary for a contract you have with the individual. It is important that the school as a controller of the data has the necessary consent in place when obtaining certain data from students who attend the school. 

DATE TYPES STORED

Prodeo LTD requires the following personal data as a minimum to use the Traciwr cloud software:

Code - This can be decided by the school, commonly admission number but may be UPN or candidate number.

Forename

Surname

Gender

Form Groups

Report Grades - Assigned within school or from final exams.

​

​

Optional Data (Required for full functionality)

Pupil Groups - A school can choose which data to include as pupil groups common examples are Free School Meals (FSM), and Prior Ability Grouping.

Attitude To Learning Score - Scores assigned within school to categorise students behaviour. 

Attendance - % attendance scores may be added to the system to monitor attendance patterns. 

DATA STORAGE AND SECURITY

The IT infrastructure that AWS provides to its customers is designed and managed in alignment with best security practices and a variety of IT security standards. The following is a partial list of assurance programs with which AWS complies:

  • SOC 1/ISAE 3402, SOC 2, SOC 3

  • FISMA, DIACAP, and FedRAMP

  • PCI DSS Level 1

  • ISO 9001, ISO 27001, ISO 27017, ISO 27018

DATA SUBJECT ACCESS

Under the right of subject access, an individual is entitled to request a copy of the personal data held about them. 

​

Valid Subject Access Request

For a subject access request to be valid, it should be made in writing. In order for a subject access request to be made successfully we will require proof of a persons identify and legitimacy to make the request. Should any request be made our data protection officer will contact the designated data controller at the relevant establishment to fully confirm the legitimacy of a request. We will then move forward in providing the data in an appropriate format. 

For example in the unlikely event of a parent or a pupil contacting Prodeo LTD directly with a subject access request. We would clearly inform them that we would be contacting the school data protection officer in order to verify the request and all communication would come through the school.

We do not expect the above scenario to be a common occurrence but should it arise the school data protection officer will always be our first point of contact.

​

Request Procedure / Format
Under GDPR legislation an organisation is not allowed to require an individual to complete a subject access request in a certain format. Therefore Prodeo LTD does not require an individual to complete a specific form to make the request. It is recommended that any request should be sent by email to info@traciwr.com so that we can deal with your request as quickly as possible. Should a subject access request be made to another member of staff or in a different format such as a written letter all staff are fully aware of GDPR procedures and will take any request and pass them on to the data protection office.

​

Response Format

Prodeo LTD will meet the GDPR requirements that state the information provided to the individuals is in an intelligible form. Any response made by Prodeo LTD will be sure to include a glossary of terms should any technical information be included that may not be understood by the average person. 

​

Subject Access Request Cost

Prodeo LTD will not require any charge for any request made.

DATA BREACH POLICY

A data breach occurs when personal information is lost or subject to unauthorised access.

​

Definition of Personal Data Breach

A personal data breach can be broadly defined as a security incident that has affected the confidentiality, integrity or availability of personal data. In short, there will be a personal data breach whenever any personal data is lost, destroyed, corrupted or disclosed; if someone accesses the data or passes it on without proper authorisation; or if the data is made unavailable, for example, when it has been encrypted by ransomware or accidentally lost or destroyed. 

 

Data Breach Response Team 

The Data Breach Response Team has been set up with any form of data breach which can occur. 

​

ICO provides examples of data breaches which range from an email being sent to the incorrect individual through to stolen data from a breach of the database. Prodeo LTD takes data protection extremely seriously encrypting all data at rest, however if a breach were to occur Prodeo LTD will contact all schools with the following information:

  • The name and contact details of your data protection officer (if your organisation has one) or other contact point where more information can be obtained.

  • A description of the likely consequences of the personal data breach.

  • A description of the measures taken or proposed to be taken to deal with the personal data breach and including, where appropriate, of the measures taken to mitigate any possible adverse effects. 

 

When a data breach occurs Prodeo LTD will establish whether the breach needs to be reported to ICO. This is only the case if there is likely to be a risk to peoples rights and freedoms. 

Prodeo LTD will record any breaches that occur even if they don't need to be reported to ICO. 

DATA RETENTION

Any school that terminates their contract with Traciwr will have all data removed from Traciwr's live database within 1 week of the end of the subscription. 

​

Data will still exist within backups for 3 months after the end of the subscription after which it will be destroyed. 

​

Data can be removed immediately from our database if a school instructs us to carry out this process in a written request. However, the data will remain in our backups for 3 months after which it will be destroyed.

​

INDEMNITY​

Data Processor shall indemnify and keep indemnified and defend at its expense Data Controller against all costs, claims, damages or expenses incurred by the Data Controller or for which the Data Controller may become liable due to any failure by the Data Processor or its employees or agents to comply with the obligations under this Data Processor Agreement.

DATA PROTECTION IMPACT ASSESSMENT (DPIA)

The ICO recommends that you carry out a DPIA if you plan to use processors that are likely to result in 'a high risk to individuals'. If you wish to carry out a DPIA before starting or during your contract with Traciwr we will fully support you with this process. 

​

Please find further information on conducting a DPIA here: ICO Website

AUDIT SUPPORT

As with the DPIA if as a controller you wish to carry out a data audit, we will support you with this process. We can provide you with detailed information on the data processed by Prodeo LTD specifically for your establishment. 

GROUPCALL - XPORTER
Schools that wish to directly sync data from their MIS can use Groupcall Xporter to transfer the data. Full GDPR information regarding Groupcall can be found here

APPENDIX A: EMPLOYEE OF PRODEO LTD - GDPR COMPLIANCE DOCUMENTATION - MAY 2018

This document is to notify that all staff have received training and fully understand the GDPR on data processing within Prodeo LTD.

 

Training Process

All staff that are employed by Prodeo LTD must complete the GDPR Training Session. This provides staff with a detailed overview of the data protection procedures carried out whilst data processing occurs. It also provides all employees with the opportunity to raise any queries they may have regarding GDPR and its impact on Prodeo. 

I fully understand and agree to abide by the following statements:

  • ​Prodeo LTD processes personal data on the Traciwr online platform.

  • All data is stored in an encrypted format on Amazon AWS (European based) platform. 

  • Any data processing that is carried out to support schools must be removed from any local machines after it has been completed.

  • No personal data relevant to Traciwr will be stored on a local machine beyond the time it is being processed. 

  • Data will not be sent to schools by email as this is not a secure method of transferring personal information.

  • If a school sends data by email, this must be transferred to Amazon AWS to the encrypted folders and then removed from the email account. 

  • All passwords that allow access to the super admin section of the Traciwr platform must be secure. This requires them to be more than 8 characters, include at least one number, one capital letter and one special character. 

  • Data should only be processed on work machines, NO personal laptops/any devices should be used to carry out data processing. 

  • A school that terminates their contract with Traciwr will have all their data removed from the live database within 1 week. The data will continue to remain in backups for 3 months at which point will be removed. 

  • I have completed the Prodeo GDPR Training Session and have had any necessary questions answered about GDPR and the impact is has on the role. 

  • I understand that at any point if I am unsure on any aspect of GDPR I will contact the Data Protection Officer. 

bottom of page