Edukey and GDPR compliance
Edukey Education Ltd has standardised policies and procedures to manage and protect the data that we process on behalf of our clients. We have significant experience in the education sector, working with hundreds of UK primary and secondary schools. Our policies are driven by our inherent knowledge of schools, our Cyber Essentials certification and our existing data protection compliance through our ICO registration.
We have implemented a plan to achieve GDPR compliance:
- We have conducted an audit of all personal data we hold or process, including where it comes from
- We have reviewed the legal basis for all personal data processing to ensure we are compliant and to ensure that, if required, we have the appropriate consent in place
- We have reviewed and updated our policies and procedures to ensure that we comply with all the rights of individuals under GDPR including processes for secure data deletion, handling Subject Access Requests etc.
- We have data protection by design throughout our processes and we will continue with this policy
Key changes to help schools include:
- Updated GDPR-compliant Terms and Conditions & Information Sharing Agreement
We have updated our Terms and Conditions, which outline both the school’s and Edukey’s responsibilities in terms of the new legislation. Our Information Sharing Agreement has been revised to ensure it is GDPR compliant.
Data controllers and Data processors
The new laws require both Data controllers (such as Schools) and Data processors (such as Edukey Education Ltd) to update their processes and technology to meet the specified requirements.
Schools are the data controllers for staff and pupil related data. The data controller is the person or organisation who determines what data is extracted, what purpose it is used for and who is allowed to process the data. Edukey Education Ltd is the data processor of the data made available in our software products purchased by the school/s. This is data we are trusted with but do not control.
How does Edukey Education Ltd protect personal data and where is it processed?
Our platform and client data are stored on approved and compliant cloud infrastructure. Our servers are hosted by Rackspace in the UK to ensure client data is retained within the European Economic Area (EEA). We use multiple protective layers within the platform to protect our services, including encryption and firewalling. We routinely carry out vulnerability and penetration testing on our platforms and promptly address any issues identified.
All transfers of client data over public and private networks use 256-bit SSL. All data at rest is encrypted with AES-256 block-based encryption.
Who can access personal data?
Where it is necessary to access client data, for example to investigate a support case, only approved Edukey Education Ltd support and technical staff can access it.
Edukey Education Ltd staff are vetted and are subject to contractual data access policies and confidentiality clauses. We carry out DBS checking on all staff.
How are errors in data corrected?
Staff and pupil data is obtained from the Data controller (the School). If there is an error, it is usually best to resolve it in the school system, e.g. the MIS. Account administrators can correct user data generated within our platforms.
Support and assistance are available from our support team at firstname.lastname@example.org.
How do I make a Subject Access Request or implement the Right to be Forgotten?
Where Subject Access Requests and/or the Right to be Forgotten are applicable to client data in an Edukey Education Ltd product, we provide, or will provide, a means for authorised client users to carry out these activities directly. For assistance, please contact email@example.com.
If your school would like further information on GDPR compliance in Edukey Education Ltd products then please contact our support team at firstname.lastname@example.org.