AMI Education Solutions GDPR Summary Statement - April 2018
The Information Commissioner’s Office (ICO) have published a series of guides for educational establishments to give advice on GDPR. The guides can be found at the following URL - https://ico.org.uk/for-organisations/education/
To help schools comply with GPDR we are providing the following information and advice.
We act as a data processor when we remotely connect to the school to assist with maintenance routines, imports etc.
AMI Education Solutions software products hold Personal Data sourced from the school MIS (or created manually by the school), the data is used to verify the identity of an individual at the point of service delivery via computer terminals, EPOS terminals, Coin & Note revaluation units, registration devices, printers, lockers and other similar devices within the customer’s premises and subsequently allow them to use the services provided by that software product.
The categories of data subject to whom the Personal Data relates to are Pupils, Students, Employees and any authorised visitors that require access to related services.
The types of Personal Data to be processed includes: - Surname, Legal Surname, Forename, Legal Forename, Registration Group, Year, Tutor, Date of Birth, Gender, Free Meal Eligibility, UPN, Admission Number, MISID, Photograph and Biometric template*
Optionally processed data includes: - Address, Postcode, Telephone, Email, Dietary preferences, Parental Consent, Dietary needs* Transactional data Purchases, credits, refunds and attendance data. These are related to personal records using a system generated identifier.
Biometric Data *
The Biometric database is encrypted using AES256 - an industry standard and highly secure technology. All communications between applications and the database are also encrypted using AES256. Each school has its own secret unique group of AES256 encryption keys, which means that the database and any backup of its contents can only be accessed on licensed hardware, and the encrypted data is only available to the registered licensee.
AES256 is the same encryption technology that is used in Microsoft’s BitLocker disk drive encryption, and is certified by the National Security Agency of America to be used to protect Top Secret information
* These are defined as “sensitive data”
How do AMI Education Solutions products ensure that personal data is securely held? Access to data is controlled by user/group permissions. These can be configured to allow/deny users access to view/edit individual fields. It is the data controller’s responsibility to determine what access individual users should be allowed. The data controller must ensure that the software database tables are held securely within the school. This includes ensuring the server on which it is being stored should have up to date antivirus software, it should be in a physically secure location and folder permissions should be restricted to authorised users.
It is the data controller’s responsibility to ensure that data is not retained for “longer than necessary”. Our software data is typically archived on an annual basis. This data is available to be reported on until the school decides it is no longer required.
If schools use third party internet payments interfaced to our software, then relevant data will be shared with the payment provider. While AMI Education Solutions are talking to the providers to ensure they are compliant the decision to share data is the responsibility of the data controller.
GDPR gives the right to individuals to access their personal data and supplementary information held about them. Currently this information is not held in a single report. AMI Education Solutions intend to make a tool available which allows all data to be supplied in a single report to help satisfy these requests should they arise. This tool will be issued as a scheduled upgrade but can be made available on request.