The General Data Protection Regulation (GDPR) is an EU legal framework. It sets the guidelines for collecting and processing the personal information of an individual. In the United Kingdom it is the Information Commissioner's Office (ICO) who will be defining the legal requirements and enforcing
The success of our company builds on the trust that our employees, customers and other stakeholders have in our ability to deliver a secure and quality service. This includes our ability to apply a high level of data protection and security in relation to personal data that our employees, customers and third parties entrust to us.
Within this statement we want to highlight to our customers the measures we have put in place to ensure compliance with the GDPR where we hold or process personal data on your behalf.
Cyber Essentials Plus - Cyber Essentials is a Government-backed, industry-supported scheme designed to help companies protect against cyber threats. Our certification is independently verified and gives you peace of mind that our defences will protect against the vast majority of common cyber attacks.
Our main production servers are located in secure, dedicated facilities based in Manchester. There is a back-up facility based in Newcastle. Communication between the two is via a secure, encrypted link. Entry to each facility is tightly controlled - with strict procedures in place to monitor and control visitor access both into and within the data centre. Extensive CCTV video camera surveillance is in place across each facility, along with security breach alarms, biometric checks and controlled physical barriers.
To comply with the GDPR, a written agreement stating that personal data is processed only on documented instructions from the controller or the requirements of EU law or the national laws of Member States should be in place. We are reviewing all our agreements with our customers on an individual basis to ensure compliance.
Schools Data Services use only secure and private UK-based servers. We do not use 'cloud' services to store data. Data is never stored overseas. Schools Data Services do not sub-contract out any services to third party organisations.
We continually seek to ensure the confidentiality, integrity and availability of the personal data we store or process. We maintain appropriate technical and organisational security measures to protect personal data against accidental or unlawful destruction or loss, alteration, unauthorised disclosure or access.
All Schools Data Services personnel with access to pupil data are vetted and are subject to a written confidentiality agreement.
Under the GDPR, we must notify any data breach to the controller without undue delay. Schools Data Services therefore has processes and procedures in place for identifying, reviewing and promptly reporting data breaches to the relevant controller. However, we would stress again that we have comprehensive technical and organisational security measures in place to mitigate against a data breach.
For further details, please see our DfE Cloud Services Provider Statement linked in the footer of this website.