Compliance

IDP Connect GDPR Overview

IDP Connect values personal information and aims to provide products and services that are not intrusive; delivered securely and accurately.

Data is at the heart of what we do. Creating long-lasting relationships with our clients and product users, based on transparency and trust is our prime objective.

The new General Data Protection Regulation (GDPR) became enforceable from 25 May 2018. We have aligned many of our policies and procedures to address the new requirements of this legislation. All personal data in our organisation is managed in line with GDPR and the Data Protection Act 2018. We have also adopted industry best practice of Personal Information Management and Information Security Management Systems, as recommended within BSI 10012 and ISO 27001 standard.

What have we done so far?

We are following the ICO guidance for GDPR compliance, data audits and readiness assessments. As a result, we have enhanced a number of policies and procedures. We have reviewed our sign-up forms and, where necessary, introduced consent. We have consulted privacy specialists and solicitors to review the specific areas to ensure compliance and increase client confidence in our business. We have updated our Privacy Policy, sign-up forms and our Privacy Notice to meet the GDPR requirements.

Our business is set on the principle of ethical working and we continually promote data privacy and transparent working. We are, and will continue to be, dedicated to addressing this and maintain our high standards.

IDP Connect GDPR Duties and Obligations

Lawful Grounds; Companies can process personal data only if they satisfy one of the six legal grounds. Most of IDP Connect processing activities are done under the ‘legitimate business interest’ grounds. This cover helping students find right courses/providers, making enquiries and requesting prospectuses. Any processing that falls outside this purpose will require consent.

Data Sharing; In most of the scenarios, companies can only share data when the data subjects have given an explicit consent. IDP Connect will only share data from students that have actively requested information or prospectuses from a learning provider (client). This data should be used by the clients only to fulfil this purpose only. We are updating our Data Processing Agreements to include the minimum GDPR terms and give clear instructions for acceptable use of personal data.

Subject Rights; Data subjects have the right to information, access their data, be forgotten, object or restrict processing and data portability. We at IDP Connect are fulfilling our duties by providing a new Privacy Notice and having processes in place such as Subject Access Requests to instruct our staff, suppliers, and partners how to meet these requests.

Security; Keeping the personal data safe is of paramount importance. We at IDP Connect have operational and technical measures in place to keep this data safe. We train our staff on privacy and security as part of the induction training and annually via refresher training.
Accountability; Companies must be able to demonstrate their compliance with the GDPR principles relating to personal data. We are following the regulation and ICO guidance in terms of demonstrating this accountability via keeping records of processing activities and carrying out due diligence checks.

GDPR Privacy Statement

IDP Connect (The Organisation) values personal information and aims to provide products and services that are not intrusive and delivered securely and accurately.

Data is at the heart of what we do and creating long-lasting relationships based on transparency and trust is our prime objective.

In response to the General Data Protection Regulation (GDPR), we, as an organisation, are committed to comply with this legislation and beyond.

Privacy Statement

As company, we are committed to:

Put people first: Value our employees, product and system users, understand their needs and provide products and services that will offer mutual benefits
Respect privacy: Let individuals be in control of their data processing
Be honest and fair: Be honest, fair and transparent throughout our business
Be diligent with data: Treat personal data with the highest care and respect
Take responsibility: Act responsibly at all times

To support this statement, we have

Procedures in place to monitor and regularly review the effectiveness of data handling and security controls to ensure compliance with the data protection laws and the internal policies
Trained and will continue training our staff on privacy and information security;
Put in place operational and technical measurements to ensure information security (Confidentiality, Integrity and Access of/to data);
Expanded the good practice of ISO27001 across the company

The Organisation will monitor objectives relating to its privacy performance and implement improvements when and where appropriate. These objectives are subject to review at project and management review meetings.

The Privacy Statement will be reviewed twice a year in order to ensure its continuing suitability. This Statement is available to the interested parties on request.

Signed Natasha McAllister, Privacy and Information Security Manager, IDP Connect

Date: January 2019

IDP Connect Data Protection Policy

IDP Connect changes lives by helping people enrol on the right courses throughout the world. Whilst delivering our mission, we aim to be fair and transparent in our work. We believe in privacy by design and by default and apply a high level of care when handling personal and confidential information.

Therefore, it is our policy to:

Assure confidentiality of corporate and customer information;
Protect personal and sensitive information against unauthorised access;
Maintain information security at an acceptable level;
Maintain the integrity of the information;

Meet the relevant legislative requirements including General Data Protection Regulations (GDPR) and the Privacy and Electronic Communication Regulations;
Educate and train our staff on Data Protection and the right to Privacy;
Investigate and report all Data Protection breaches.

To support our policy, we have agreed to the following:

Manual records of personal and confidential data, shall be secured in lockable cabinets
All company documents shall be produced on company templates and information classification shall be used to determine the confidential data
Computers shall be password protected and screen savers shall be activated when desks are left unattended
Access privileges shall be authorised by the appropriate team manager
Access to personal data shall be set to the minimum level in order to fulfil a required job function
Personal data shall not be exported or saved without prior Head of Department approval
Personal data shall not be taken out of the office premises without prior Head of Department approval
Personal data should not be shared without the person’s consent
The amount of personal data stored shall be limited
Incidents, data breaches shall be reported to the EdMedia Security Group
Significant changes to IT systems, suppliers or processes shall include a review to ensure data is not to be compromised by the changes
All personal data held, is accurate and that inaccurate, irrelevant and excessive information shall be either, deleted or, rendered anonymous as soon as reasonably practical
Set a retention policy across the group and personal data shall only be kept for as long as necessary
Respond to the subject access rights within the time frames set by the Data Protection Regulation
Keep a log of all data subject requests
Maintain a record of all incidents concerning Privacy, Confidentiality and Data Protection
Put data sharing and data processing agreements in place with its customers, service providers and suppliers