||Which personal and special category data are contained within the system?
||Gemma Books holds the following personal data:|
- Basic school details such as school name, address, telephone numbers, contact persons, job titles, optional username and passwords for use with the Gemma Books web system
||Does any personal data flow from the system onto anywhere else?
||We do not share user contact details with any 3rd party unless we are obligated to do so by the school or as a legal requirement
||What is the system’s data retention policy?
- If the school no longer wishes to use our web system and would like all system data relating to them to be promptly removed then this will be done on request.
- Details of Gemma Books web system users and their system usage are retained for up to 5 years for audit purposes after which these are destroyed.
||How would you get the information for a subject access request out of the system?
||Subject access requests can be sent in writing to firstname.lastname@example.org
||How does the system ensure the security of the personal data held?
- The entire Gemma Books web system is stored in a secure dedicated hosting environment, which is located in a secure UK-based facility (Fasthosts, ISO 27001)
- The entire Gemma Books web system operates under SSL (Secure Socket Layers) and strong AES encryption techniques used for dormant data, such as data backups.
- Server access controls are only used by members of the senior development team
- Security tests are continually carried out by our senior development team and benchmarked against external bodies such as Qualys SSL Labs.
- Numerous safeguards are in place to assist schools with their access of the system, eg unique usernames, strong hashed passwords, limited number of login attempts per user, different levels of access control, ability to disable logins irrespective of the validity of the entered details, etc
- All relevant staff have completed non-disclosure forms.
||Is this system supplier confident that they will be GDPR compliant by May 2018?
||Yes – to the best of our knowledge we believe that we are fully compliant with our GDPR requirements.