TASC GDPR compliance

Updated 13th May 2020

Our compliance

TASC Software Solutions Ltd has standardised policies and procedures to manage and protect the data that we process on behalf of our clients. We have significant experience in the education sector, working with hundreds of UK schools. Our policies are driven by our inherent knowledge of schools, our Cyber Essentials certification and our existing data protection compliance.

We have implemented a plan to achieve GDPR compliance:

  • All our staff have undergone GDPR awareness sessions
  • We have conducted an audit of all personal data we hold or process, including where it comes from
  • We have reviewed the legal basis for all personal data processing to ensure we are compliant and to ensure that, if required, we have the appropriate consent in place
  • We have reviewed and updated our policies and procedures to ensure that we comply with all the rights of individuals under GDPR, including processes for secure data deletion, handling Subject Access Requests etc
  • We have considered data protection throughout our processes and we will continue with this policy
  • We have updated our Terms and Conditions for each of our products which outlines both the school’s and TASC Software’s responsibilities in terms of the new legislation. Our Information Sharing Agreement has also been revised to ensure it is GDPR compliant

Data controllers and Data processors

The new laws require both Data controllers (such as Schools) and Data processors (such as TASC Software Solutions Ltd) to update their processes and technology to meet the specified requirements.

Schools are the data controllers for staff and pupil related data. The data controller is the person or organisation who determines what data is extracted, what purpose it is used for and who is allowed to process the data. TASC Software Solutions Ltd is the data processor of the data made available in our software products purchased by the school/s. This is data we are trusted with but do not control.

Our platform and client data are stored on approved and compliant cloud infrastructure. Our servers are hosted by Amazon Web Services in the UK, to ensure client data is retained within the UK..

We expect that you will have hardened your servers and infrastructure to the levels specified in your own pertinent policies. As an example it is to be expected that Certificates will be used to encrypt any data leaving your network, and that only modern protocols are used. Tools such as https://www.ssllabs.com and https://www.owasp.org can help with testing aspects of your environment if you have any concerns.

To help you with compliance our software offers your Data Controller a dedicated screen where each data area used by the software is listed and your Data Controller can specify the legal basis for which that data is being processed.

 

Customer relationship management

We need to collect and use certain types of information about the Individuals or Service Users who come into contact with TASC Software in order to carry on our work. This data is limited and used for purposes including but not limited to accessing our online helpdesk, to inform you of updates to support cases, changes to software that might affect you, and to notify you of software updates. This includes Personal data, and we are the Data Controller in this respect. Please refer to our full Data Protection Policy available at https://www.tascsoftware.co.uk/resources/ for details about the circumstances where we may share this data.

Any data you hold at the end of a contract remains yours, to be retained according to your own various retention and deletion policies.

 

Technical support

In the event that we jointly agree to receive databases from you for the purposes of technical support investigation, we have responsibilities under the GDPR regulations as Data Processors for this data. Please refer to the Data Sharing Agreement which forms part of the terms agreed to upon installing or updating the software for details of the procedures and measures taken whilst the data remains in our care.

 

Stuart James
Managing Director