B Squared GDPR Information
Frequently Asked Questions
Where your staff have access to the personal data of ours, is there a confidentiality clause in their employment contracts?
All staff are bound by a confidentiality clause in their contracts, along with additional anti-bribery enhancements to the contracts of employees with root access to systems. This ensures that staff are bound during and post employment with us. We also have the additional benefit of being on a ListX Secure site, which requires all of our employees to sign the Official Secrets Act.
What service levels do you provide and will the capacity allow for demand from other customers or will it impact the quality of my service?
We operate at a 99.9% uptime guarantee; however, we have exceeded this over the last 2 years. We constantly monitor our servers and their load to see how it is increasing over time. When we deem it necessary, we introduce new servers in advance of there being a capacity problem. We also look at ways of speeding up our system by enhancing our calls and procedures.
Our excess capacity as standard reduces the risk of high user usage affecting customers' quality of service. We also run additional machines in a ready state should we need to increase our capacity further at short notice.
What measures do you have in place to prevent staff from installing potentially malicious software?
We have system-wide endpoint protection that protects all of our workstations and servers from viruses, malware, ransomware and any other malicious code. We run an enterprise-grade firewall that allows us to monitor and prevent access to potentially dangerous sites. In addition to this, we also have email anti-virus that checks all incoming messages and automatically removes anything that contains suspicious attachments. Only specific employees have permission to install software on their machines. If additional software is required, it has to be installed by an administrator.
Aside from all of the security we have in place, we provide regular internal training to help our employees identify the dangers of the internet and to raise any suspicions they have with an IT professional internally immediately.
We are already well placed for the GDPR to come into effect as our business processes and company ethos complement the requirements of the GDPR. That said, because we are a small company, there are some things we need to bring into place in order to consider ourselves fully compliant. These include:
- Extending our current contract with an addendum to include the deficit requirements of the GDPR in our contract. Schools have now received updated contracts which they need to sign and return to us.
- Updating our notification and email messages with Article 6 clauses to maintain transparency with customers about how we have achieved our goal of establishing lawful processing as required under the GDPR.
To what extent is users' system use logged and monitored, and are failed log-in attempts recorded and reviewed on a regular basis?
We use several methods to monitor employees internally, from event log management and aggregation to endpoint detection. These are reviewed regularly, and alerts are in place to flag unusual activity.
In what countries does B Squared process your data and what safeguards are in place at these locations?
Data exists only in the UK and does not leave the UK at any point. Should the need arise, we would seek permission from the individual schools before making a transfer. In the event that this happened, your data would only be transferred to a country that the European Commission has determined provides an adequate level of protection, or to service providers who have an agreement with us committing to the Model Contract Clauses defined by the European Commission, or certified under the Privacy Shield. Further information on Model Contract Clauses can be found in the UK Information Commissioner's Office (ICO) guide.
Devices that are provided by the company are encrypted before they are provisioned. It is policy that our employees use their devices to securely access their workstation in our office via our SSL VPN. There are exceptions in this policy if the work being completed is not of a sensitive nature and does not contain customer details.
Any employee who accesses their emails on their phone does so in the knowledge that we have the ability to remotely wipe their device should we become concerned.
As part of our media destruction policy, hard drives that are no longer in use are securely transported from the data centre to our secure site office, where they are stored in a locked cabinet. In order to reduce costs, we do not destroy the hard disks on an ad-hoc basis; rather, we wait until we have a number of hard disks awaiting destruction before we contract a hard drive shredding company to destroy these disks and provide us with a certificate of destruction.
Student data can be exported from the system using 2 export methods. The first method exports students' summary end-of-year results in the subjects that are licensed. This is put into an XML file which can be imported into a variety of other systems, dependent upon their ability to read our information.
Our other export creates a file that contains the raw data for the students. This file is again constructed in XML format; however, without our software to read and compile the information, it is of relatively little use in other systems. This type of export is primarily used to export data to other schools when a student moves on, so their results can go with them and the new school already has their B Squared data (if they use B Squared Connecting Steps as well).
Evisense allows reports to be made containing all students' data as required, and individual items can be downloaded at any point for storage elsewhere. We record all activity of this type as part of our auditing commitment, to help schools ascertain how their data is being accessed.
Details of our security can be found here: https://support.connectingsteps.com/article/362-how-does-b-squared-ensure-secure-storage-of-the-data-i-hold
Have you breached the Data Protection Act 1998 in the last 3 years where the breach was reported to the Information Commissioner?
No, we have not been subject to a breach to date.
Has your security infrastructure been reviewed and tested by a qualified independent organisation?
We are currently in the process of completing a Cyber Essentials renewal. Details of this will be provided shortly.
Do you sub-contract to other data processors and will you ask us before, if you do use a sub-processor?
We do not use sub-processors as part of our processing service to our customers. As per Article 28(2) of the GDPR, we confirm that we shall not use a sub-processor without prior written consent from the controller.
Access permissions are checked regularly and also as part of any job role change within the company.
As we are a small company, our requirements for record keeping differ from those of larger companies; however, there are instances where we will go beyond our requirements. We provide ongoing support to our employees on how to protect data effectively, with more formal meetings annually, which are recorded on their employee file. If an employee's role changes, the differences in that role are assessed at the time and appropriate training is given.
We do not currently hold an ISO 27001 certification; however, we do conform to many of the requirements. We are looking at moving to an ISO 27001 certification in the future.
Do you have a procedure in place to ensure we are notified without delay of a data breach concerning the personal data of our customers and/or employees?
Yes, we have a procedure which covers what happens once a breach has been detected, to ensure that schools are informed of this within the designated timescales set out in the GDPR, specifically Articles 33 and 34.
Do you have a documented procedure which details a plan of action in the event of a breach of data protection legislation?
Yes, we have a procedure in place in case of a data breach. This information has been provided in the Government's Cloud Software Services for Schools Guide https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/644845/Cloud-services-software-31.pdf which links to our internal document here https://www.bsquared.co.uk/downloads/B%20Squared%20Ltd%20Self%20Certification%20-%208th%20Nov%202016.pdf
Do you have a documented procedure for dealing with members of staff who breach any of your data protection policies?
Yes, we have several documents that cover how the various parts of this are handled. They cover the full scope of handling the breach, mitigating it further, analysing how the breach occurred, and any disciplinary action that may need to be taken against employees for breach of company policy.
Do you have a documented Information Security Policy which obliges your organisation and all its employees and/or contractors to comply with Data Protection legislation?
We have an internal Information Security Policy which we review annually. This policy drives how we secure our own systems and sets our requirements for any third-party companies we may use to process the data for which we are controllers.
This document is not available to view externally; however, we do have a lot of information regarding how we secure the data we process here: https://support.connectingsteps.com/article/362-how-does-b-squared-ensure-secure-storage-of-the-data-i-hold
Do you have a documented Data Protection Policy which obliges your organisation and all its employees and/or contractors to comply with Data Protection legislation?
We have an internal Data Protection Policy that we review annually, or before we make significant changes to company structure or workings. We use the Privacy by Design method for everything we do. This is something the GDPR stipulates, and we are comfortable with it as we have always worked on a "path of least access" methodology for our network and software.
The Data Protection Policy is developed internally by our DPO, who is responsible for ensuring new staff are trained accordingly and existing staff are kept up to date with regular reviews of their role. Changes to company structure and workings are directed through the DPO in the first instance to assess the impact (if any) on the protection of data.
Our internal Data Protection Policy is not available externally as it contains sensitive data.
Describe what physical security measures you have in place against unauthorised access to any of your work space (i.e. key fob/ID card).
We are lucky to be located on a ListX Secure Site in Farnborough, which means we enjoy enhanced security protocols for access to our physical offices. The site is fenced and guarded 24 hours a day. Building access is restricted by swipe cards with minimal access. Our internal sensitive document and server stores are locked by key, with only registered key holders having access. In order for someone to be employed with us, they have to go through Security Vetting, which is controlled by the UK Government. If they fail the vetting, they are not allowed on site and cannot be employed by us. Visitors are allowed on site but must be escorted, and visits can only be arranged at least 24 hours in advance.
Describe how our data is permanently deleted once it is no longer required in order for you to fulfil your contractual obligations.
Once the Data Retention Policy indicates that a school's data can no longer be stored on our servers, we start by deleting the sensitive records from our databases. This action renders any remaining non-sensitive data orphaned and unusable. We have a cleanup task that then systematically deletes this data.
2 hours later, these records are automatically removed from our second data centre. The data still exists in backups at this point; however, those are overwritten a week later, and at that point the data no longer exists on our servers.
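The two-phase deletion described above (remove the identifying records first, then let a scheduled task sweep up the orphaned non-sensitive rows, with an audit trail of what was removed) can be illustrated with a small script. This is an added example written for this page, not B Squared's code; the schema, table names, the 365-day retention period and the sample rows are all constructed assumptions, and the replication to a second data centre and the backup overwrite are outside what the script models. The check a reviewer would want, that no orphaned rows survive the cleanup, is returned by the retention run so it can be asserted rather than assumed.

```python
import sqlite3
from datetime import date, timedelta

# Constructed sample schema; table and column names are assumptions for this
# example, not a real system's schema.
SCHEMA = """
CREATE TABLE schools (
    school_id      INTEGER PRIMARY KEY,
    name           TEXT NOT NULL,
    contract_ended TEXT                 -- ISO date, NULL while still a customer
);
CREATE TABLE pupils (                   -- sensitive: identifies a child
    pupil_id      INTEGER PRIMARY KEY,
    school_id     INTEGER NOT NULL,
    full_name     TEXT NOT NULL,
    date_of_birth TEXT NOT NULL
);
CREATE TABLE assessment_results (       -- non-sensitive once the pupil row is gone
    result_id INTEGER PRIMARY KEY,
    pupil_id  INTEGER NOT NULL,         -- no FK cascade: orphaning is deliberate
    subject   TEXT NOT NULL,
    level     TEXT NOT NULL
);
CREATE TABLE deletion_audit (
    event_id     INTEGER PRIMARY KEY,
    school_id    INTEGER,               -- NULL for the global cleanup sweep
    table_name   TEXT NOT NULL,
    rows_deleted INTEGER NOT NULL,
    deleted_on   TEXT NOT NULL
);
"""

RETENTION_DAYS = 365  # assumed retention period for the example


def build_sample_db() -> sqlite3.Connection:
    """In-memory database with constructed data: one expired school, one current."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO schools VALUES (?, ?, ?)",
                     [(1, "Leaving School", "2015-01-01"), (2, "Current School", None)])
    conn.executemany("INSERT INTO pupils VALUES (?, ?, ?, ?)",
                     [(10, 1, "Pupil A", "2008-03-04"), (11, 1, "Pupil B", "2009-05-06"),
                      (20, 2, "Pupil C", "2010-07-08")])
    conn.executemany("INSERT INTO assessment_results VALUES (?, ?, ?, ?)",
                     [(100, 10, "Maths", "P7"), (101, 10, "English", "P6"),
                      (102, 11, "Maths", "P5"), (200, 20, "Maths", "P8")])
    conn.commit()
    return conn


def expired_schools(conn, today_iso: str) -> list:
    """Schools whose contract ended more than RETENTION_DAYS before today."""
    cutoff = date.fromisoformat(today_iso) - timedelta(days=RETENTION_DAYS)
    rows = conn.execute(
        "SELECT school_id FROM schools "
        "WHERE contract_ended IS NOT NULL AND contract_ended <= ?",
        (cutoff.isoformat(),)).fetchall()
    return [r[0] for r in rows]


def delete_sensitive_records(conn, school_id: int, today_iso: str) -> int:
    """Phase 1: remove the identifying pupil rows for one school and audit it."""
    cur = conn.execute("DELETE FROM pupils WHERE school_id = ?", (school_id,))
    conn.execute("INSERT INTO deletion_audit (school_id, table_name, rows_deleted, deleted_on) "
                 "VALUES (?, 'pupils', ?, ?)", (school_id, cur.rowcount, today_iso))
    conn.commit()
    return cur.rowcount


def cleanup_orphaned_results(conn, today_iso: str) -> int:
    """Phase 2 (the scheduled cleanup task): drop results whose pupil no longer exists."""
    cur = conn.execute("DELETE FROM assessment_results "
                       "WHERE pupil_id NOT IN (SELECT pupil_id FROM pupils)")
    conn.execute("INSERT INTO deletion_audit (school_id, table_name, rows_deleted, deleted_on) "
                 "VALUES (NULL, 'assessment_results', ?, ?)", (cur.rowcount, today_iso))
    conn.commit()
    return cur.rowcount


def orphan_count(conn) -> int:
    """Verification query: results still pointing at a deleted pupil."""
    return conn.execute("SELECT COUNT(*) FROM assessment_results "
                        "WHERE pupil_id NOT IN (SELECT pupil_id FROM pupils)").fetchone()[0]


def run_retention(conn, today_iso: str) -> dict:
    """Run both phases and return counts plus the post-cleanup orphan check."""
    summary = {"schools": [], "pupils_deleted": 0, "results_deleted": 0}
    for school_id in expired_schools(conn, today_iso):
        summary["schools"].append(school_id)
        summary["pupils_deleted"] += delete_sensitive_records(conn, school_id, today_iso)
    summary["results_deleted"] = cleanup_orphaned_results(conn, today_iso)
    summary["orphans_remaining"] = orphan_count(conn)  # must be 0 after the sweep
    return summary


if __name__ == "__main__":
    print(run_retention(build_sample_db(), "2018-05-25"))
```

Separating the two phases matters for the audit trail: the sensitive deletion is recorded per school, while the cleanup sweep is a single global job, so a reviewer can confirm both that the identifying rows went first and that nothing referencing them was left behind.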
After a data breach, are your policies and procedures reviewed to determine if any modifications need to be made?
If a breach is detected, as part of our requirements under Article 33 of the GDPR, we must determine in the first instance how the breach occurred and how we intend to mitigate this risk in the future. This analysis is then used to update any existing documentation and documented procedures to bring them up to date.