5. Data Security Policy

5.1 SSL complies with the Data Protection Act (DPA) and the General Data Protection Regulation (GDPR) and will endeavour to comply with any statutory requirements that might be introduced in the future.

5.2 SSL's Department for Education (DfE) self-certification statements, with service and support commitments, can be found here.

5.3 SSL is registered with the Information Commissioner’s Office (ICO). A copy of the entry can be found on the register of data controllers here.

5.4 SSL uses Microsoft Azure. Security information for Microsoft Azure can be found here.

5.5 Physical Security

  • 5.5.1 All SSL staff are reliable and trustworthy and receive appropriate training in data protection and security.
  • 5.5.2 SSL controls physical security in relation to the information and personal data that is contained at our facilities and restricts access to locations where people could gain unauthorised physical access to compromise security.
  • 5.5.3 All proprietary or confidential information, including personal data, which is contained or stored on computers, has authentication access controls provided by the computer operating system, as well as antivirus and antispyware protection measures (specifically Symantec Endpoint Protection software). Any data that is contained and stored on manual files is locked up and secure.
  • 5.5.4 SSL controls access to information and personal data, including existing procedures for authorising and authenticating users as well as software controls for restricting access and techniques for protecting data such as encryption.
  • 5.5.5 SSL does not guarantee the integrity or security of any encrypted or unencrypted information disclosed to it or collected by it that is transferred via the Internet.
  • 5.5.6 In respect of detection and investigation of security breaches, SSL has in place relevant controls that will alert us to a breach in security. SSL will also investigate any breach of security and take appropriate action.

5.6 Personal Data Security

  • 5.6.1 Some online services and components provided by SSL, specifically SOCS, rely on personal data to function fully, such as SOCS Co-Curricular and Team Sheet Builder. In all such cases:
  • 5.6.2 Consistent with the DPA and GDPR, SSL is the data processor and schools are data controllers.
  • 5.6.3 In relation to data transfers between data centres both inside and outside the European Economic Area, SSL guarantees that adequate protection is provided. Specifically, data at rest and in transit is encrypted.
  • 5.6.4 Personal data from UK schools is not transferred internationally.
  • 5.6.5 SSL will not disclose any personal data to any third party.
  • 5.6.6 Personal data is deleted immediately on contract cancellation.
  • 5.6.7 If an individual requests a copy of their data, it can be provided free of charge. In such instances, or if an individual complains in respect of processing their personal data, SSL would always notify the data controller of such requests.
  • 5.6.8 User access to SOCS is defined and managed by data controllers (the school). Therefore, sensitive information, such as contact and medical data, is only accessible to authorised and trusted SOCS user account holders when they are logged in to their SOCS control panel.

5.7 Enhanced Security

  • 5.7.1 If additional child protection measures are required for public facing websites, the optional SOCS security module adds password protection to team sheets and other public facing web pages such as photo and document repositories.
  • 5.7.2 The SOCS sport Team Sheet Builder module can be used to allow the selection of pupils for teams to occur without publication on a school’s dedicated sports website. Therefore, if the school’s policy is not to publish team listings in the public domain, the sports departments can still benefit from the time-saving features and benefits of the Team Sheet Builder module.

5.8 Permission to use another Processor. SOCS uses Microsoft Azure services under license. In principle SOCS does not intend to appoint additional processors to carry out any of the processing activities associated with any SOCS module. If this principle changes then SOCS shall not engage another processor without prior specific or general written authorisation of the School. In the case of general written authorisation, SOCS shall inform the School of any intended changes concerning the addition or replacement of other processors, thereby giving the School the opportunity to object to such changes. Should SOCS appoint another processor the arrangement will be governed by a written contract to ensure compliance with our Terms & Conditions of Business and continuing GDPR compliance.

5.9 Data Protection Impact Assessments. SOCS shall provide all reasonable assistance to the School with any Data Protection Impact Assessment (DPIA), which the School considers to be required to ensure GDPR compliance. All costs of such a DPIA would be covered by the School.

5.10 Audits and Inspections. SOCS supports audits and inspections by Schools or other third parties. For reasons of business security, protection of our IPR, business continuity, practicality and cost control, we limit these to one audit or inspection a year. All costs of such audits or inspections would be covered by the School.

5.11 SSL shall indemnify and keep indemnified the School, and vice versa, against all losses, claims, damages, liabilities, costs and expenses (including reasonable legal costs) incurred by it in respect of any breach of these Terms & Conditions of Business.

5.12 Each party hereby indemnifies the other in full and on demand against all losses, liabilities, damages, costs, claims and expenses including but not limited to legal costs arising from or incurred by the indemnified party as a result of any failure by the indemnifying party to comply with clause 5.11.

