IDP Connect GDPR Overview
IDP Connect values personal information and aims to provide products and services that are not intrusive and are delivered securely and accurately.
Data is at the heart of what we do. Creating long-lasting relationships with our clients and product users, based on transparency and trust, is our prime objective.
The new General Data Protection Regulation (GDPR) became enforceable from 25 May 2018. We have aligned many of our policies and procedures to address the new requirements of this legislation. All personal data in our organisation is managed in line with GDPR and the Data Protection Act 2018. We have also adopted industry best practice for Personal Information Management and Information Security Management Systems, as recommended within the BSI 10012 and ISO 27001 standards.
What have we done so far?
Our business is founded on the principle of ethical working, and we continually promote data privacy and transparent working. We are, and will continue to be, dedicated to addressing this and maintaining our high standards.
IDP Connect GDPR Duties and Obligations
- Lawful Grounds: Companies can process personal data only if they satisfy one of the six legal grounds. Most of IDP Connect's processing activities are carried out under the 'legitimate business interest' grounds. This covers helping students find the right courses/providers, making enquiries and requesting prospectuses. Any processing that falls outside this purpose will require consent.
- Data Sharing: In most scenarios, companies can only share data when the data subjects have given explicit consent. IDP Connect will only share data from students that have actively requested information or prospectuses from a learning provider (client). This data should be used by the clients only to fulfil this purpose. We are updating our Data Processing Agreements to include the minimum GDPR terms and give clear instructions for acceptable use of personal data.
- Subject Rights: Data subjects have the right to information, to access their data, to be forgotten, to object to or restrict processing, and to data portability. We at IDP Connect are fulfilling our duties by providing a new Privacy Notice and having processes in place, such as Subject Access Requests, to instruct our staff, suppliers, and partners how to meet these requests.
- Security: Keeping personal data safe is of paramount importance. We at IDP Connect have operational and technical measures in place to keep this data safe. We train our staff on privacy and security as part of the induction training and annually via refresher training.
- Accountability: Companies must be able to demonstrate their compliance with the GDPR principles relating to personal data. We are following the regulation and ICO guidance in terms of demonstrating this accountability by keeping records of processing activities and carrying out due diligence checks.
GDPR Privacy Statement
IDP Connect (The Organisation) values personal information and aims to provide products and services that are not intrusive and delivered securely and accurately.
Data is at the heart of what we do, and creating long-lasting relationships based on transparency and trust is our prime objective.
In response to the General Data Protection Regulation (GDPR), we, as an organisation, are committed to complying with this legislation and beyond.
As a company, we are committed to:
- Put people first: Value our employees, product and system users, understand their needs and provide products and services that will offer mutual benefits
- Respect privacy: Let individuals be in control of their data processing
- Be honest and fair: Be honest, fair and transparent throughout our business
- Be diligent with data: Treat personal data with the highest care and respect
- Take responsibility: Act responsibly at all times
To support this statement, we have:
- Procedures in place to monitor and regularly review the effectiveness of data handling and security controls to ensure compliance with the data protection laws and the internal policies
- Trained and will continue training our staff on privacy and information security
- Put in place operational and technical measures to ensure information security (Confidentiality, Integrity and Access of/to data)
- Expanded the good practice of ISO 27001 across the company
The Organisation will monitor objectives relating to its privacy performance and implement improvements when and where appropriate. These objectives are subject to review at project and management review meetings.
The Privacy Statement will be reviewed twice a year in order to ensure its continuing suitability. This Statement is available to the interested parties on request.
Natasha McAllister, Privacy and Information Security Manager, IDP Connect
IDP Connect Data Protection Policy
IDP Connect changes lives by helping people enrol on the right courses throughout the world. Whilst delivering our mission, we aim to be fair and transparent in our work. We believe in privacy by design and by default and apply a high level of care when handling personal and confidential information.
Therefore, it is our policy to:
- Assure confidentiality of corporate and customer information;
- Protect personal and sensitive information against unauthorised access;
- Maintain information security at an acceptable level;
- Maintain the integrity of the information;
- Meet the relevant legislative requirements including the General Data Protection Regulation (GDPR) and the Privacy and Electronic Communications Regulations;
- Educate and train our staff on Data Protection and the right to Privacy;
- Investigate and report all Data Protection breaches.
To support our policy, we have agreed to the following:
- Manual records of personal and confidential data shall be secured in lockable cabinets
- All company documents shall be produced on company templates and information classification shall be used to determine the confidential data
- Computers shall be password protected and screen savers shall be activated when desks are left unattended
- Access privileges shall be authorised by the appropriate team manager
- Access to personal data shall be set to the minimum level in order to fulfil a required job function
- Personal data shall not be exported or saved without prior Head of Department approval
- Personal data should not be shared without the person's consent
- The amount of personal data stored shall be limited
- Incidents and data breaches shall be reported to the EdMedia Security Group
- Significant changes to IT systems, suppliers or processes shall include a review to ensure data is not to be compromised by the changes
- All personal data held shall be accurate, and inaccurate, irrelevant and excessive information shall be either deleted or rendered anonymous as soon as reasonably practical
- A retention policy shall be set across the group, and personal data shall only be kept for as long as necessary
- Respond to the subject access rights within the time frames set by the Data Protection Regulation
- Keep a log of all data subject requests
- Maintain a record of all incidents concerning Privacy, Confidentiality and Data Protection
- Put data sharing and data processing agreements in place with its customers, service providers and suppliers