Data processing agreement – April 2022

The following Data Processing Agreement should be read in conjunction with the New Era Standard Terms and Conditions, available here.

Parties
The Service Provider
a. where the Customer is based in the United Kingdom: BCS Global Networks Limited; New Era Education Limited
b. where the Customer is based in Canada: BCS Global Networks Inc.; New Era Technology VCD, CA Inc
c. where the Customer is based in the US or rest of world: Video Guidance.com, Incorporated

each acting on its own behalf and/or on behalf of any of its affiliates or subsidiaries, collectively doing business as (“New Era Technology” or “New Era”)

And

Customer stated on the Sales Order Form (“The Customer”), who is the Data Controller.

Duration
The Agreement will commence on the date stated on the Sales Order Form and will continue for the duration of the period that New Era continue to be the Service Provider unless otherwise agreed in writing between the Parties.

Nature and Purpose of the Processing
Data is processed in order to deliver the service to which the customer has subscribed; the purpose and the nature of the service are detailed in Annex A.

Type of personal data being processed
The Types of personal data being processed are detailed in Annex A.

Categories of the Data Subjects
The category of data subjects will vary according to the service to which the customer has subscribed, as detailed in Annex A.

Definitions
Data Controller: means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

Data Processor: means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

Data Protection Legislation: (i) unless and until the GDPR is no longer directly applicable in the UK, the General Data Protection Regulation ((EU) 2016/679) and any national or regional implementing privacy laws, regulations and secondary legislation, as amended or updated from time to time; (ii) any successor legislation to the GDPR or the Data Protection Act 2018.

Data Subject: an individual who is the subject of Personal Data.

Personal Data: means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; and, in this Agreement, relates only to personal data, or any part of such personal data, of which The Customer is the Data Controller and in relation to which the Service Provider is providing services under this Agreement and as detailed in Appendix A.

Processing and process: means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Purpose: the provision by the Service Provider of online services.

Clauses
1. Obligations of the Service Provider
1.1 The Customer and New Era acknowledge that, for the purposes of the Data Protection Legislation, The Customer is the Data Controller and New Era is the Service Provider and the Data Processor of any Personal Data.

1.2 The Service Provider shall comply with all applicable requirements of the Data Protection Legislation subject to regional privacy laws and, in particular, shall process the Personal Data only to the extent, and in such a manner, as is necessary for the Purpose and shall not process the Personal Data for any other purpose, unless the Service Provider is required by the laws of any member of the European Union or by the laws of the European Union applicable to the Service Provider or by a regional applicable privacy law to process Personal Data (Applicable Laws). Where the Service Provider is relying on laws of a member of the European Union or European Union law as the basis for processing Personal Data, the Service Provider shall promptly notify The Customer of this before performing the processing required by the Applicable Laws unless those Applicable Laws prohibit the Service Provider from so notifying The Customer.

1.3 The Customer will control and be responsible for amending, transferring or deleting the Personal Data; the Service Provider will only amend, transfer or delete data at the written request of The Customer.

1.4 The Customer may transfer data to the Service Provider via secure integration through a third party provider, via email using secure password protected files or any other means that complies with The Customer’s obligations under the Data Protection Legislation.

1.5 The Service Provider will ensure that it has in place appropriate technical and organisational measures, reviewed and approved by The Customer if The Customer so requires, to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it). The security measures are specified in Appendix B.

1.6 If the Service Provider receives any complaint, notice or communication which relates directly or indirectly to the processing of the Personal Data or to either party’s compliance with Data Protection Legislation, or becomes aware of any breach of Data Protection Legislation, it shall as soon as reasonably practicable notify The Customer and it shall provide The Customer with all due co-operation and assistance in relation to any such complaint, notice or communication.

1.7 At The Customer’s request, the Service Provider shall provide to The Customer a copy of all Personal Data held by it in the format and on the media reasonably specified by The Customer.

1.8 The Service Provider shall only hold the Personal Data on its servers and will not transfer the Personal Data without the prior written consent of The Customer.

1.9 The Service Provider will hold the Personal Data only in secure New Era data centres or public accredited cloud-based data centres, depending on the service to which the customer has subscribed.

1.10 The Service Provider will ensure Data is securely backed-up to ensure disaster recovery.

1.11 The Service Provider shall promptly and within at least 72 hours inform The Customer if any Personal Data is lost or destroyed or becomes damaged, corrupted, or unusable and, if this is caused by the negligence or breach of obligations of the Service Provider, will restore such Personal Data at its own expense.

1.13 At the end of the contract The Service Provider shall delete all Data associated with The Customer within 12 months of the end date. Such Data is only held at the end of a contract in order to ensure The Customer has access to archived data to meet legitimate needs in the public interest. The Customer may request the early deletion of such data.

2. Obligations of the Customer
2.1 The Customer will comply with all applicable requirements of the Data Protection Legislation and, in particular, will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Personal Data to the Service Provider for the duration of this Agreement and the Purpose.

3. Service Provider’s Employees
3.1 The Service Provider shall ensure that access to the Personal Data is limited to:
a. those employees who need access to the Personal Data to meet the Service Provider’s obligations under this Agreement; and
b. in the case of any access by any employee, such part or parts of the Personal Data as is strictly necessary for performance of that employee’s duties.

3.2 The Service Provider shall take reasonable steps to ensure the reliability of any of the Service Provider’s employees who have access to the Personal Data and shall ensure that all employees who have access to and/or process Personal Data are obliged to keep the Personal Data confidential.

4. Rights of Data Subjects and compliance by The Customer
4.1 The Service Provider shall notify The Customer within three working days if it receives a request from a Data Subject for access to that person’s Personal Data.

4.2 The Customer (as Data Controller) will handle all such requests and notify the Data Subject accordingly. The Service Provider will assist The Customer, at The Customer’s cost, in responding to any such request from a Data Subject and, generally, in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators.

4.3 The Service Provider shall not disclose the Personal Data to any Data Subject or to a third party other than at the written request of The Customer or as provided for in this Agreement.

5. Rights of The Customer
5.1 The Customer is entitled, on giving at least three working days’ notice to the Service Provider, to inspect or appoint representatives to inspect documents and electronic data relating to the processing of Personal Data by the Service Provider.

5.2 The requirement under clause 5.1 to give notice will not apply if The Customer reasonably believes that the Service Provider is in breach of any of its obligations under this Agreement.

5.3 At the written direction of The Customer, the Service Provider will delete or return Personal Data and copies thereof to The Customer on termination of this Agreement unless required by Applicable Law to store the Personal Data.

6. Indemnity
6.1 The Service Provider agrees to indemnify and keep indemnified The Customer against all costs, claims, damages or expenses incurred by The Customer or for which The Customer may become liable due to any failure by the Service Provider or its employees or agents to comply with any of its obligations under this Agreement.

6.2 The Customer agrees to indemnify and keep indemnified the Service Provider against all costs, claims, damages or expenses incurred by the Service Provider or for which the Service Provider may become liable due to any failure by The Customer or its employees or agents to comply with any of its obligations under this Agreement.

7. Appointment of sub-contractors
7.1 The Service Provider may only authorise a third party (sub-contractor) to process the Personal Data:

a. subject to The Customer’s prior written consent where the Service Provider has supplied The Customer with full details of such sub-contractor;
b. provided that the sub-contractor’s contract is on terms which are substantially the same as those set out in this Agreement;
c. provided that the sub-contractor’s contract terminates automatically on termination of this Agreement for any reason; and
d. provided that, as between The Customer and the Service Provider, the Service Provider shall remain fully liable for all acts or omissions of any sub-contractor appointed by it pursuant to this clause.
e. A list of approved sub processors is included in Annex A.

8. Limits of liability
8.1 Neither party’s liability arising out of this Agreement shall exceed the amount paid to the Service Provider under this Agreement.
8.2 Nothing in this Agreement shall exclude either party’s liability for death or personal injury to the extent it results from the negligence of itself, its employees or its agents, or for fraud or for any other matter in respect of which law prescribes that liability may not be limited or excluded.

9. Assignment
Neither party may assign any of its rights or obligations under this Agreement without the prior written consent of the other party.

10. Notices
Any notice served under this Agreement shall be delivered to the appropriate party either by recorded delivery post or by facsimile transmission at its principal place of business, or to such other address as may from time to time be notified in writing by the party concerned, or by electronic mail to the email address as may from time to time be notified in writing by the party concerned. Any notice shall be deemed to be duly served:

10.1 if sent by recorded delivery post, three (3) calendar days after date of posting;
10.2 if sent by facsimile transmission, on receipt of successful facsimile transmission;
10.3 if sent by electronic mail, on the day it is sent provided that a return receipt is received

and where the party sending the notice has a contemporaneous record of such return receipt and followed up such notice by recorded delivery post in the event that the electronic mail has not been acknowledged by the other party within twenty-four hours of sending the electronic mail, (unless any such date is a Saturday, Sunday or bank holiday in which case it shall be deemed served on the next working day).

11. No waiver
No failure or delay on the part of either party to this Agreement relating to the exercise of any right, power, privilege or remedy provided under this Agreement shall operate as a waiver of such right, power, privilege or remedy or as a waiver of any proceedings or succeeding breach by the other party to this Agreement.

12. Entire agreement
This Agreement contains the full and complete understanding between the parties relating to its subject matter and supersedes all prior arrangements and understandings whether written or oral relating to such subject matter and may not be varied except by written agreement signed by both parties.

13. Jurisdiction and Governing Law
13.1 Where the New Era contracting entity is BCS Global Networks Limited or New Era Education Limited, this agreement shall be governed by and construed in accordance with the laws of England and Wales. The parties irrevocably agree that the courts of Slough, Berkshire, or the courts having proper jurisdiction, as the case may be, in England and Wales shall have the exclusive jurisdiction to settle any dispute or claim (including any non-contractual disputes or claims) that arises out of or in connection with this agreement or its subject matter.

13.2 Where the New Era contracting entity is Video Guidance.com, Incorporated, this agreement shall be governed by and construed in accordance with the laws of the State of Minnesota, United States. The parties irrevocably agree that the courts of the city of Minneapolis, or the courts having proper jurisdiction in the State of Minnesota, as the case may be, in the United States shall have the exclusive jurisdiction to settle any dispute or claim that arises out of or in connection with this agreement or its subject matter.

13.3 Where the New Era contracting entity is BCS Global Networks Inc. or New Era Technology VCD, CA, Inc., this agreement shall be governed by and construed in accordance with the laws of the Province of Ontario, Canada. The parties irrevocably agree that the courts of the city of Toronto, Ontario, or the courts having proper jurisdiction in the Province of Ontario, as the case may be, in Canada shall have the exclusive jurisdiction to settle any dispute or claim that arises out of or in connection with this agreement or its subject matter.

Signed by The Service Provider:

Dawn Mulholland
Director
New Era Technology.

Signed by the Customer 
Customer stated on the Sales Order Form.
By signing the order form, the customer agrees to this agreement.

ANNEX A Personal Data processing purposes and details

Education Services
Subject matter of processing: Provision and service management of Education Products including DB Primary, School Ping, Websites and Able+.

Duration of Processing: The Agreement will commence on the date stated on the Sales Order Form and will continue for the duration of the period that New Era continue to be the Service Provider unless otherwise agreed in writing between the Parties.

Nature of Processing: Data is processed in order to deliver the service to which the customer has subscribed

Business Purposes: Data Processor processes Personal data on behalf of the Data Controller in order to provision and provide Education software to the Controller. According to the Service Agreement, the subject matter, nature of data processing, and categories of data subjects are defined below.

Personal Data Categories: Personal identification data is processed, including username, name, year group, class, email, telephone number, IP address only where relevant to service delivery. No sensitive personal data is required to deliver the service; however, as the user may generate their own content, this is not limited by the processor.

Data Subject Types: The category of data subjects will vary according to the service to which the customer has subscribed but may include the following at the customer’s determination:
DB Primary – Employees of the customer’s organisation, children attending the customer’s organisation, parents of the children attending the customer’s organisation.
School Ping – Employees of the customer’s organisation, parents of the children attending the customer’s organisation.
Websites – Employees of the customer’s organisation.
Able+ – Employees of the customer’s organisation, students attending the customer’s organisation.

Authorised Persons: those employees who need access to the Personal Data to meet the Service Provider’s obligations under this Agreement; and in the case of any access by any employee, such part or parts of the Personal Data as is strictly necessary for performance of that employee’s duties.

Approved Subprocessors:

  • Groupcall Ltd (if/where MIS Integration is part of the service provision)
  • Google Analytics (DB Primary and Websites only)
  • Connectwise (CRM)

Video Collaboration Services

Subject matter of processing: Provision and service management of video and telepresence managed services. (a) virtual meeting room services with dial-in capability; (b) management of video conferences, including the scheduling of meetings requested by a requestor or meeting participants. Both scenarios support video conferences and telepresence meetings.

Duration of Processing: The Agreement will commence on the date stated on the Sales Order Form and will continue for the duration of the period that New Era continue to be the Service Provider unless otherwise agreed in writing between the Parties.

Nature of Processing: Personal data may be collected according to the Services Agreement to support the service, and the processing activity may involve collection, storage, duplication, electronic viewing, deletion and destruction of personal data.

Business Purposes: Data Processor processes Personal data on behalf of the Data Controller in order to provision and provide video conference management services to the Controller. According to the Service Agreement, the subject matter, nature of data processing, and categories of data subjects are defined below.

Personal Data Categories: The categories of data subjects may include employees of the Controller and its affiliates, including partners and contractors, and Controller’s meeting participants.

Data Subject Types:

Provisioning Data: The following provisioning data is collected to establish services for video users. This information is stored and associated with an individual’s profile.

  • Contact Name
  • Email Address
  • Phone Number
  • Geographic location
  • Dialing address

Meeting Metadata: The following information is collected only if a person uses the portal to schedule a meeting and invite other participants.

  • Meeting Title
  • Meeting participant names
  • Call log details
    • Display name of participants
    • Inbound URIs and/or IP addresses of participants
    • Call duration

Conference Media: The following media may be processed during any videoconferencing session:

  • Audio streams
  • Video streams
  • Content sharing
  • Online presence

Meeting Chat Messages: The following information may be collected if a person uses the chat tool to relay instant messages to others or groups attending the meeting.

  • Participant Name
  • Chat Message
  • Timestamp of Message
  • File transferred (when applicable)

Reporting Data: The following information is stored in a database to facilitate generating a report for the purpose of support and audit, and to provide utilisation metrics in regards to the service.

  • Meeting Title
  • Meeting participant names
  • Call log details
    • Display name of participants
    • Inbound URIs and/or IP addresses of participants
    • Call duration

Recording When Applicable: The following information is only applicable if a user records a video meeting; this must be initiated by the users, and at the time of recording initiation, all participants in the meeting are notified that the session is being recorded.

  • Name
  • Email Address
  • Call Log Details (Display name, URI, duration, stream title, stream viewer IP, IP address);
  • Virtual Meeting Room Dialing Information
  • Virtual Meeting Room Pin Code (if applicable)
  • Customer meta data (Meeting title, meeting participant names, index tag)
  • Audio Media
  • Video Media
  • Content Sharing Media

Support Data: The following data could be associated with incident management (ticketing), if a user opens a ticket with the support desk and requests help to redress a conference issue.

  • Contact Name
  • Email Address
  • Phone Number
  • Geographic location
  • Call/Meeting Data
    • Device logs
      Call log details if applicable for troubleshooting, which usually includes H323 and SIP call negotiation and maintenance events from the local and remote terminals.
    • Device specific details such as applications, operating system, hardware components, performance metrics, and firmware, application names for applications that are able to be shared from the end user’s device, global contact/address lists associated to the device.

Billing: The following data, if applicable, could be associated with billing, either directly or in association with a partner that is required to provide usage data with invoicing.

  • Usage data (utilisation metrics)
  • VMR Subscription Inventory (quantity of rooms provisioned, often associated with individual users)
  • Device Subscription Inventory (census of managed devices)

Call Monitoring: The following data may be associated with active call monitoring, either by a conference operator or an automated system, or both.

  • Real time automated monitoring
  • Call/Meeting data such as H323 or SIP call statistics, from negotiation to maintenance to teardown.
  • Live monitoring by a call operator—by request only—who may hear and see all content of a meeting.

Authorised Persons: those employees who need access to the Personal Data to meet the Service Provider’s obligations under this Agreement; and in the case of any access by any employee, such part or parts of the Personal Data as is strictly necessary for performance of that employee’s duties.

Sub-Processors: Data Controller has granted its authorization to the following approved sub-processors who may process data according to the terms and conditions of the Services Agreement and the Data Processing Addendum:

  • MailChimp – Service Announcements
  • Salesforce – CRM
  • Connectwise – CRM
  • Vyopta – Used for monitoring of video infrastructure and endpoints and calls.
  • CallStream – Used to supply PSTN services to video calls.
  • VC – Used for conference recordings.
  • Oracle NetSuite – The processing of PII in association with invoicing for services used.

ANNEX B Security measures

Data Processor has established a mature information security management system (ISMS), certified to the ISO27001:2013 framework and independently audited. Certification information is available on request.

This Annex B describes the minimum security measures within the ISMS.

Standard Security Measures
1. Organisational measures
a. Security / Compliance Officer
i. A person responsible for the overall compliance with these minimum security requirements shall be designated as the Security Officer. This person shall be suitably trained and experienced in managing information security and provided with appropriate resources to effectively ensure compliance.
ii. The contact details of the Security Officer shall be provided to the Controller
b. Security Documentation
i. Disaster Recovery Plan
1. To include measures to:
a. minimize interruptions to the normal functioning of the system;
b. limit the extent of any damage and disasters;
c. enable a smooth transition of Personal Data from one system to another;
d. if necessary, provide for alternative means of operating a system;
e. educate, exercise and familiarize personnel with emergency procedures;
f. provide for fast and smooth system recovery, and
g. minimize the economic effects of any disaster event.
ii. Contingency Plan
1. To address the following possible dangers to the system and appropriate criteria to determine when the Plan should be triggered:
a. the critical functions and systems,
b. the strategy for protecting the system and priorities in the event the Plan is activated;
c. an inventory of relevant staff members to be called upon during an emergency, as well as telephone numbers of other relevant parties;
d. realistic time management plans to enable the recovery of the system;
e. clearly allocated staff duties;
f. possible use of alarms and special devices (e.g., air filters, noise filters); in the event of a fire, special equipment should be available (e.g., fire extinguisher, water pumps, etc.); devices or methods for determining temperature, humidity and other environmental factors (e.g., air conditioning, thermometers, etc.);
g. special security software to detect breaches of security;
iii. The document shall be available to staff who have access to Personal Data and the Information Systems, and must cover the following aspects as a minimum:
1. The scope, with a detailed specification of protected resources;
2. The measures, standards, procedures, code of conduct rules and norms to guarantee security, including for the control, inspection and supervision of the Information Systems;
3. The functions and obligations of staff;
4. The structure of files containing Personal Data and a description of the Information Systems on which they are Processed;
5. The purposes for which the Information Systems may be used;
6. The procedures for reporting, managing and responding to incidents;
7. The procedures for making back-up copies and recovering data including the person who undertook the process, the data restored and, as appropriate, which data had to be input manually in the recovery process.
iv. The security document and any related records and documentation shall be retained for a minimum period of 5 years from the end of the Processing.

2. Functions and Obligations of Staff
a. Only those employees who have demonstrated honesty, integrity and discretion should be Authorised Users or have access to premises where Information Systems or media containing Personal Data are located. Staff should be bound by a duty of confidentiality in respect of any access to Personal Data.
b. The necessary measures shall be adopted to train and make staff familiar with these minimum security requirements, any relevant policies and applicable laws concerning the performance of their functions and duties in respect of the Processing of Personal Data and the consequences of any breach of these requirements.
c. The functions and obligations of staff having access to Personal Data and the Information Systems shall be clearly defined and documented.
d. Authorised Users shall be instructed to the effect that electronic equipment should not be left unattended and made accessible during Processing sessions.
e. Physical access to areas where any Personal Data are stored shall be restricted to Authorised Users.
f. The disciplinary measures for a breach of the security plan shall be clearly defined and documented and communicated to staff.

3. Technical Measures
a. Authorisation
i. Only those employees who have a legitimate operational need to access the Information Systems or carry out any Processing of Personal Data shall be authorised to do so (“Authorised Users”).
b. Identification
i. Every Authorised User must be issued with a personal and unique identification code for that purpose (“User ID”).
ii. A User ID may not be assigned to another person, even at a subsequent time.
iii. An up-to-date record shall be kept of Authorised Users, and the authorised access available to each, and identification and authentication procedures shall be established for all access to Information Systems or for carrying out any Processing of Personal Data.
c. Authentication
i. Authorised Users shall be allowed to Process Personal Data if they are provided with authentication credentials such as to successfully complete an authentication procedure relating either to a specific Processing operation or to a set of Processing operations.
ii. Authentication must be based on a secret password associated with User ID, and which password shall only be known to the Authorised User; alternatively, authentication shall consist in an authentication device that shall be used and held exclusively by the person in charge of the Processing and may be associated with either an ID code or a password, or else in a biometric feature that relates to the person in charge of the Processing and may be associated with either an ID code or a password.
iii. One or more authentication credentials shall be assigned to, or associated with, an Authorised User.
iv. There must be a procedure that guarantees password confidentiality and integrity. Passwords must be stored in a way that makes them unintelligible while they remain valid. There must be a procedure for assigning, distributing and storing passwords.
v. Passwords shall consist of at least eight characters, or, if this is not technically permitted by the relevant Information Systems, a password shall consist of the maximum permitted number of characters. Passwords shall not contain any item that can be easily related to the Authorised User in charge of the Processing and must be changed at regular intervals, which intervals must be set out in the security document. Passwords shall be modified by the Authorised User to a secret value known only to the Authorised User when it is first used as well as at least every six months thereafter.
vi. The instructions provided to Authorised Users shall lay down the obligation, as a condition of accessing the Information Systems, to take such precautions as may be necessary to ensure that the confidential component(s) in the credentials are kept secret and that the devices used and held exclusively by Authorised Users are kept with due care.
vii. Authentication credentials shall be de-activated if they have not been used for at least six months, except for those that have been authorised exclusively for technical management and support purposes.
viii. Authentication credentials shall also be de-activated if the Authorised User is disqualified or de-authorised from accessing the Information Systems or Processing Personal Data.
ix. Where data and electronic equipment may only be accessed by using the confidential component(s) of the authentication credential, appropriate instructions shall be given in advance, in writing, to clearly specify the mechanisms by which the controller can ensure that data or electronic equipment are available in case the person in charge of the Processing is either absent or unavailable for a long time and it is indispensable to carry out certain activities without further delay exclusively for purposes related to system operationality and security. In this case, copies of the credentials shall be kept in such a way as to ensure their confidentiality by specifying, in writing, the entities in charge of keeping such credentials. Such entities shall have to inform the person in charge of the Processing, without delay, as to the activities carried out.
d. Access Controls
i. Only Authorised Users shall have access to Personal Data, including when stored on any electronic or portable media or when transmitted. Authorised Users shall have authorised access only to those data and resources necessary for them to perform their duties.
ii. A system for granting Authorised Users access to designated data and resources shall be used.
iii. Authorisation profiles for each individual Authorised User or for homogeneous sets of Authorised Users shall be established and configured prior to the start of any Processing in such a way as to only enable access to data and resources that are necessary for Authorised Users to perform their duties.
iv. It shall be regularly verified, at least at yearly intervals, that the prerequisites for retaining the relevant authorisation profiles still apply. This may also include the list of Authorised Persons drawn up by homogeneous categories of task and corresponding authorisation profile.
v. Measures shall be put in place to prevent a user gaining unauthorised access to, or use of, the Information Systems. In particular, firewalls and intrusion detection systems reflecting the state of the art and industry best practice should be installed to protect the Information Systems from unauthorized access. Measures shall be put in place to identify when the Information Systems have been accessed or Personal Data has been Processed without authorization, or where there have been unsuccessful attempts at the same.
vi. Operating system or database access controls must be correctly configured to ensure authorised access.
vii. Only those staff authorised in the security document shall be authorised to grant, alter or cancel authorised access by users to the Information Systems.
e. Management of Media
i. Information Systems and physical media storing Personal Data must be housed in a secure physical environment. Measures must be taken to prevent unauthorized physical access to premises housing Information Systems.
ii. Organisational and technical instructions shall be issued with regard to keeping and using the removable media on which the data are stored in order to prevent unauthorised access and Processing.
iii. Media containing Personal Data must permit the kind of information they contain to be identified, inventoried (including the time of data entry; the Authorised User who entered the data and the person from whom the data was received; and the Personal Data entered) and stored at a physical location with physical access restricted to staff that are authorised in the security document to have such access.
iv. When media are to be disposed of or reused, the necessary measures shall be taken to prevent any subsequent retrieval of the Personal Data and other information stored on them, or to otherwise make the information intelligible or be re-constructed by any technical means, before they are withdrawn from the inventory. All reusable media used for the storage of Personal Data must be overwritten three times with randomised data prior to disposal or re-use.
v. The removal of media containing Personal Data from the designated premises must be specifically authorised by the controller.
vi. Media containing Personal Data must be erased or rendered unreadable if it is no longer used or prior to disposal.
f. Distribution of Media and Transmission
i. Media containing Personal Data must only be available to Authorised Users.
ii. Printing/copying Processes must be physically controlled by Authorised Users, to ensure that no prints or copies containing Personal Data remain left in the printers or copying machines.
iii. Media containing Personal Data or printed copies of Personal Data must contain the classification mark “Confidential”.
iv. Encryption (128-bit or stronger) or another equivalent form of protection must be used to protect Personal Data that is electronically transmitted over a public network or stored on a portable device, or where there is a requirement to store or Process Personal Data in a physically insecure environment.
v. Paper documents containing Personal Data must be transferred in a sealed container / envelope that indicates clearly that the document must be delivered by hand to an Authorised User.
vi. When media containing Personal Data are to leave the designated premises as a result of maintenance operations, the necessary measures shall be taken to prevent any unauthorised retrieval of the Personal Data and other information stored on them.
vii. A system for recording incoming and outgoing media must be set up which permits direct or indirect identification of the kind of media, the date and time, the sender/recipient, the number of media, the kind of information contained, how they are sent and the person responsible for receiving/sending them, who must be duly authorised.
viii. Where Personal Data is transmitted or transferred over an electronic communications network, measures shall be put in place to control the flow of data and record the timing of the transmission or transfer, the Personal Data transmitted or transferred, the destination of any Personal Data transmitted or transferred, and details of the Authorised User conducting the transmission or transfer.
g. Preservation, Back-up copies and Recovery
i. Tools must be in place to prevent the unintended deterioration or destruction of Personal Data.
ii. Procedures must be defined and laid down for making back-up copies and for recovering data. These procedures must guarantee that Personal Data files can be reconstructed in the state they were in at the time they were lost or destroyed.
iii. Back-up copies must be made at least once a week, unless no data have been updated during that period.
h. Anti-Virus and Intrusion Detection
i. Anti-virus software and intrusion detection systems should be installed on the Information Systems to protect against attacks or other unauthorised acts in respect of Information Systems. Antivirus software and intrusion detection systems should be updated regularly in accordance with the state of the art and industry best practice for the Information Systems concerned (and at least every six months).
i. Software Updates
i. The software, firmware and hardware used in the Information Systems shall be reviewed regularly in order to detect vulnerabilities and flaws in the Information Systems and resolve such vulnerabilities and flaws. This review shall be carried out at least annually.

4. Record Keeping
a. Access Record
i. A history of Authorised Users’ access to or disclosure of Personal Data shall be recorded on a secure audit trail.
b. Physical Access Record
i. Only those staff duly authorised in the security document may have physical access to the premises where Information Systems and media storing Personal Data are stored. A record of staff who access such premises shall be maintained, including name, date and time of access.
c. Record of Incidents
i. There shall be a procedure for reporting, responding to and managing security incidents such as data security breaches or attempts at unauthorised access. This shall include as a minimum:
ii. A procedure for reporting such incidents/breaches to appropriate management within the processor;
iii. A clearly designated team for managing and co-ordinating the response to an incident led by the Security / Compliance Officer;
iv. A documented and tested process for managing the response to an incident including the requirement to keep appropriate issues and action logs to include the time at which the incident occurred, the person reporting the incident, to whom it was reported and the effects thereof;
v. The requirement on the processor to notify the controller immediately if it appears that Personal Data was involved in the incident or breach or may be impacted or affected in some way; and
vi. The processor security/incident management team should, where appropriate, work together with the controller’s security representatives until the incident or breach has been satisfactorily resolved.
