TASC Software Data Protection Policy

Statement and Purpose of Policy

TASC Software Solutions Ltd (“we” or “us”) needs to collect and use certain types of information about individuals we work with in order to carry out our business activities.
This personal information must be collected, handled, stored and disposed of appropriately, whether on paper, electronically, or in any other format.

This policy sets out how we comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, and explains how we ensure personal information is treated lawfully, fairly, and securely.

We regard the lawful and correct handling of personal information as essential to maintaining the confidence of those we deal with.

Responsibilities

This policy applies to all personal and special category data processed by TASC Software, either for our Software-as-a-Service solutions or for our internal business operations.

Data Controller

TASC Software acts as a Data Processor on behalf of schools and other organisations, handling personal data, including special category data under Article 9 of the GDPR, strictly in accordance with the client’s instructions. Clients choose us as their Processor because of our secure, reliable, and efficient services that support their operations.

While clients determine the lawful basis for processing, this does not remove our legal obligations: we remain fully responsible for complying with Article 28 of the GDPR, including implementing appropriate technical and organisational measures to protect personal data.

Our internal compliance documentation and data protection practices operate independently of any data-protection pages or tools provided within client systems. This ensures that, regardless of the client’s own policies or systems, we consistently meet our legal obligations under GDPR.

Data Protection Officer / Responsible Person

A nominated person is responsible for ensuring compliance with UK GDPR and this policy.

Nominated person: Stuart James.

Staff Responsibilities

Everyone handling personal information must:

  • Understand their duties under this policy
  • Follow good data protection practice
  • Complete training where required
  • Report concerns or breaches immediately

Failure to comply may lead to disciplinary action under the Disciplinary Policy.

Lawful Basis for Processing

Personal data must only be processed where a lawful basis applies. These include:

  • Consent
  • Contract (e.g., providing our services to customers)
  • Legal obligation
  • Vital interests
  • Public task
  • Legitimate interests

TASC may process certain types of personal data classified as special category data under Article 9 of the GDPR, including data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for identification purposes, health data, or data concerning a person’s sex life or sexual orientation.

When processing such data on our own behalf, TASC Software is the Data Controller, as we decide the purposes and the means of the processing (for example, for our own website, user databases, newsletters, marketing, payment data and so on). We are the Data Processor when we act under the instructions of our customers (for example, in B2B activities when we process the personal data of our clients’ data subjects, students, parents or customers).

When acting strictly as a Data Processor under the instruction of our customers, TASC Software will implement appropriate technical and organisational measures to ensure compliance with GDPR, including Article 9 requirements.

Disclosure

We may share data with other organisations such as local authorities, regulatory bodies, emergency services or approved third-party processors. When processing such data on our own behalf we will normally inform the individual of such sharing unless legally restricted from doing so. When acting under the instruction of our customers, the details of our data sharing with third-party processors are included in the customer contracts, which in part form a Data Processing Agreement as required by UK GDPR.

We may disclose personal data without consent where the law allows or requires it, including:

  • Protecting vital interests
  • Safeguarding
  • Legal proceedings or legal obligations
  • Preventing or detecting crime
  • Where the individual has already made the information public

Data Protection Principles

When processing personal data on our own behalf we adhere to the principles of UK GDPR, which require that personal information:

  1. Is processed fairly, lawfully and transparently
  2. Is collected for specific purposes
  3. Is adequate, relevant and not excessive
  4. Is accurate and kept up to date
  5. Is not kept for longer than necessary
  6. Is processed securely
  7. Is handled in a way that demonstrates accountability

We will, through appropriate management:

  • Specify the purposes for which information is used
  • Collect only information necessary for operational needs or legal requirements
  • Ensure individuals’ rights can be exercised
  • Maintain appropriate technical and organisational security measures
  • Ensure data is not transferred outside the UK

When acting under the instruction of our customers, the Customer warrants to us that:

  • It has the legal right to disclose all Personal Data that it does in fact disclose to the Provider under or in connection with any Agreement.
  • It will not infringe any intellectual property rights.
  • It will keep the data up to date and accurate.
  • It will demonstrate the legal bases for storing such information.

We will, through appropriate management:

  • Maintain appropriate technical and organisational security measures
  • Ensure data is not transferred outside the UK or other mandated boundaries without suitable safeguards or agreement.

Data Collection

When collecting data on our own behalf we ensure that data subjects:

  • Understand why their data is being collected
  • Know what it will be used for
  • Understand the consequences of refusing to provide information where applicable
  • Provide consent where needed and can withdraw it
  • Have access to a Privacy Notice explaining how their information will be handled.

Data is collected fairly and only for purposes that have been explained.

When collecting Customer Data via third-party data integrators which allow us to access relevant data securely, or when collecting Customer Data directly from Customers, we ensure that:

  • Purpose Limitation: Data collected is only processed upon instructions from the Customer
  • Data Sharing: We process data under strict agreements and do not use it for purposes beyond those communicated.
  • Data Security: We ensure that the data collection processes are secure and handled in line with our data protection policies.
  • Retention: Data is retained only as long as necessary for the stated purposes or as required by law.
  • Rights of Individuals: Individuals may exercise their data rights (e.g., access, correction, withdrawal of consent) in line with Customer policies.

Data Storage

Information relating to individuals will:

  • Be stored securely
  • Be accessible only to authorised staff
  • Be retained only for as long as necessary
  • Be disposed of securely when no longer required

We ensure that data is permanently erased from equipment before reuse, disposal or transfer.

Data Handling Procedures

TASC shall ensure that all personal and customer data is handled securely throughout its lifecycle. The following rules apply to all staff:

Collection and Access

  • Data shall only be accessed where required for a legitimate business or support purpose.
  • Staff must not collect or retain personal data beyond what is necessary.
  • Only authorised personnel may access customer data, and all access must be logged where technically possible.

Storage

  • Personal and customer data must only be stored on approved systems such as the TASC platform, secure cloud storage, or encrypted company devices.
  • Local copies must be avoided unless strictly necessary and deleted immediately after use.
  • Data must not be stored on personal devices, unencrypted drives, or unauthorised cloud services.

Transfer

  • Data transfers must use secure, encrypted channels (e.g., SFTP, VPN, encrypted email) and follow client instructions.
  • Customer data must not be transferred to third parties unless contractually authorised.
  • Staff must verify recipient identity before sharing any personal data.

Use

  • Data shall only be processed for the purpose communicated to the Customer.
  • Staff must minimise the amount of data used for testing or troubleshooting, preferring anonymised or pseudonymised data where possible.
  • Data must not be copied, shared, or downloaded unless essential for the task.

Retention

  • Temporary copies of customer data must be deleted immediately once no longer required.
  • Retention periods for internal personal data must comply with TASC’s data protection and retention rules.

Deletion and Disposal

  • Data must be permanently deleted using secure methods (e.g., cipher.exe /w, secure erase) in line with the Data Handling Checklist.
  • Disposal of equipment or drives must ensure complete erasure before reuse or transfer.

Remote Working

  • All data handling when working remotely must follow this policy and be conducted only through approved devices and secure connections.

Accountability

  • Staff must report any accidental disclosure, loss, or misuse of data immediately to the Data Protection Officer.
  • Breaches will be handled according to the Data Protection Breach Policy.

Data Access and Accuracy

When processing data on our own behalf, individuals have the right to:

  • Request access to their personal data
  • Request rectification of incorrect data
  • Request erasure in certain circumstances
  • Restrict or object to processing
  • Request data portability

We will keep data accurate and up to date and respond to all requests within one month.

When processing data under the instruction of our Customers, they are expected to give access to, or copies of, personal data to their data subjects, and to rectify, erase or restrict processing as they see fit or as required by the Customer’s own policies.

Data Breach Reporting

All data breaches, suspected breaches, or near-misses must be reported immediately as detailed in our Data Protection Breach Policy.

International Transfers

Personal information will not be transferred outside the UK or other agreed data boundary unless:

  • The destination country has an adequacy decision, or
  • An approved safeguard (e.g. IDTA or SCCs) is in place; and
  • When processing data under the instruction of our Customers, only with Customer authorisation.

Monitoring, Training and Compliance

We will ensure that:

  • Everyone processing personal information is trained appropriately
  • Processing activities are regularly reviewed and audited
  • Privacy by design and default principles are followed
  • Data Protection Impact Assessments (DPIAs) are completed where required

All staff are aware that breaches of this policy may result in disciplinary action.

Glossary of Terms

Customer – means the person or entity identified as such in the Hosted Services Order Form.

Customer Data – means all data, works and materials: uploaded to or stored on the Platform by the Customer; transmitted by the Platform at the instigation of the Customer; supplied by the Customer to the Provider for uploading to, transmission by or storage on the Platform; or generated by the Platform as a result of the use of the Hosted Services by the Customer.

Data Controller – The organisation that determines the purpose and means of processing.

Data Processor – A third party that processes data on behalf of the Controller.

Data Subject – The individual whose personal data is being processed.

DPIA – Data Protection Impact Assessment, required for high-risk processing.

Hosted Services – means those services which will be made available by TASC Software to the Customer as a service via the internet in accordance with these Terms and Conditions.

ICO – The Information Commissioner’s Office, the UK regulator for data protection.

Personal Data – Any information relating to an identified or identifiable person.

Platform – means a platform managed by TASC Software and used by TASC Software to provide the Hosted Services, including the application and database software for the Hosted Services, the system and server software used to provide the Hosted Services, and the computer hardware on which that application, database, system and server software is installed.

Processing – Any operation performed on personal data (collecting, storing, using, deleting, sharing).

Special Category Data – Sensitive data such as health, ethnicity, political views, religion or biometric data.
