Data Security

Data Protection – An Introduction


Concerns over, and losses of, personal information and sensitive data can lead to regulatory fines and significant risk to an organisation’s reputation. By implementing good practices and conforming to the associated requirements, training organisations can be compliant. Training organisations hold a large amount of data, many people need to access it as part of their job, and it is held across numerous forms, reports, systems and databases. Veri ensures this data is encrypted and only accessible by those who need to use the information. Furthermore, it informs both tutors and learners about their rights and responsibilities around their own data and the data that they work with. The following explains what Veri does in terms of the data commissioner’s 7 rules to maintain compliance.

8 RULES OF DATA PROTECTION

Rule 1: Fair obtaining

Automated communication to Learner with User ID and Password includes:

  • Making Client aware of the uses for that information
  • Making Client aware of QQI or other body disclosures of their data to third parties
  • Asking for Client’s consent for any secondary uses of their personal data, which might not be obvious to them

Rule 2: Clarifies Purpose specification

No more spreadsheets shared in drop boxes or attached to emails

  • We are clear about the purpose (or purposes) for which we keep personal information
  • If we are required to register with the Data Protection Commissioner, does our register entry include a proper, comprehensive statement of our purpose? [Remember, if you are using personal data for a purpose not listed on your register entry, you may be committing an offence.]
  • Veri is assigned responsibility for maintaining a list of all data sets and the purpose associated with each

Rule 3: Use and disclosure of information

Automated communication to Tutor with User ID and Password includes rules

  • Are there defined rules about the use and disclosure of information?
  • Are all staff aware of these rules?
  • Are the individuals aware of the uses and disclosures of their personal data? Would they be surprised if they learned about them? Consider whether the consent of the individuals should be obtained for these uses and disclosures.
  • If we are required to register with the Data Protection Commissioner, does our register entry include a full list of persons to whom we may need to disclose personal data? [Remember, if you disclose personal data to someone not listed on your register entry, you may be committing an offence.]

Rule 4: Security

Cloud-based, hosted by Amazon, one of the world’s biggest hosting companies, with guaranteed 99.99% uptime, a fully secure SSL cert in place, and all user passwords fully encrypted with the latest security

  • Is there a list of security provisions in place for each data set?
  • Veri is responsible for the development and review of these provisions
  • Are these provisions appropriate to the sensitivity of the personal data we keep?
  • Are our computers and our databases password-protected, and encrypted if appropriate?
  • Are our computers, servers, and files securely locked away from unauthorised people?

Rule 5: Adequate, relevant and not excessive

  • Do we collect all the information we need to serve our purpose effectively, and to deal with individuals in a fair and comprehensive manner?
  • Have we checked to make sure that all the information we collect is relevant, and not excessive, for our specified purpose?
  • If an individual asked us to justify every piece of information we hold about him or her, could we do so?
  • Does a policy exist in this regard?

Rule 6: Accurate and up-to-date

Real time data that can be archived and deleted

  • Do we check our data for accuracy?
  • Do we know how much of our personal data is time-sensitive, i.e. likely to become inaccurate over time unless it is updated?
  • Do we take steps to ensure our databases are kept up-to-date?

Rule 7: Retention time

Information is purged from Veri when the course is completed

  • Do we regularly purge our databases of data which we no longer need, such as data relating to former customers or staff members?
  • Do we have a policy on deleting personal data as soon as the purpose for which we obtained the data has been completed?

Rule 8: The Right of Access

Veri Admin handles all of this

  • Is a named individual responsible for handling access requests?
  • Are there clear procedures in place for dealing with such requests?
  • Do these procedures guarantee compliance with the Act’s requirements?