Europe’s General Data Protection Regulation (GDPR), a European Union regulation that updates and complements the framework for processing personal data in the EU, comes into effect in May 2018.
As this draws near, our customers are increasingly focused on the implications of the new European data protection framework.
At OTrack, we are also preparing for the GDPR. Based on customer feedback, we know you may be curious about these preparations. We’ve decided to share a bit of our journey with you.
Like all schools in the UK, OTrack is actively preparing for the GDPR.
At OTrack, trust is the foundation of our relationship with over 1500 schools in the UK and around the world. Respect for privacy and security was built into our business from the beginning. As we’ve grown, our focus on handling and protecting the data our customers entrust to us has remained a top priority.
The GDPR is consistent with how we think and operate. Our security practices have complied with the Data Protection Act since we were established in 2005.
In partnership with our GDPR consultants, we have carefully scrutinised the GDPR, and we’re taking the necessary steps to identify where we need to comply and where any changes need to be made. We’re on the way to full compliance before May 2018, and are committed to helping our customers prepare for their obligations.
We have done a lot of work to ensure we are ready for the GDPR in May 2018. For more information on what we have done, please see ‘Our responsibilities’ in the ‘Shared responsibilities’ section below.
Over 1500 schools trust us to protect their pupil and assessment data. To earn that trust, we work hard to build secure products schools can rely on. Here are some of the ways that we secure our architecture and networks.
Our architecture separates data of different sensitivity across multiple services. This not only makes OTrack faster and more reliable, it also limits what any single compromised service can reach.
A strict boundary is maintained between the OTrack network and the public internet. Internet-bound traffic to and from the production network is controlled by restrictive firewall rules. Access to the production environment is restricted to authorised IP addresses only and requires authentication on all endpoints.
To protect data in transit between your devices and our servers, we use Transport Layer Security (TLS), the successor to Secure Sockets Layer (SSL). Our server certificates are signed with SHA-256 with RSA; the session itself is encrypted with the cipher suite negotiated during the TLS handshake. File data in transit between a device running the OTrack application and the hosted service travels over the same encrypted channel. On the web we serve all pages over HTTPS and flag all authentication cookies as Secure, so they are never sent over plain HTTP. To prevent man-in-the-middle attacks, the client authenticates OTrack front-end servers by validating their public certificates against the trusted certificate authorities it holds.
OTrack data at rest is secured using a mix of strong encryption standards and token-based exchange.
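The two client-side controls described above, server authentication over TLS and Secure/HttpOnly authentication cookies, can both be checked mechanically. The following Python is an added example, not OTrack's own code: it builds a client TLS context that fails the handshake unless the server's certificate chain and hostname verify, and it audits Set-Cookie headers for the attributes an authentication cookie should carry. The Set-Cookie lines are constructed sample input, and the SameSite check goes beyond what the page states.

```python
"""Checks for the transport controls described above: a client TLS context
that actually verifies the server, and a Set-Cookie audit for Secure/HttpOnly.
Added example, not OTrack's code; the sample headers are constructed."""
from __future__ import annotations

import ssl

# Attributes an authentication cookie should carry, in report order.
# SameSite is a recommended extra, not a claim taken from the page.
REQUIRED_ATTRIBUTES = [
    ("secure", "Secure"),       # never sent over plain HTTP
    ("httponly", "HttpOnly"),   # not readable by page JavaScript
    ("samesite", "SameSite"),   # limits cross-site sending (CSRF defence)
]


def parse_set_cookie(header_value: str) -> tuple[str, dict[str, str | bool]]:
    """Split one Set-Cookie value into (cookie name, {attribute: value})."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0]
    attrs: dict[str, str | bool] = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip() if value else True
    return name, attrs


def audit_set_cookie(header_value: str) -> list[str]:
    """Return human-readable findings for one Set-Cookie header (empty list = OK)."""
    name, attrs = parse_set_cookie(header_value)
    findings = [f"{name}: missing {label}"
                for key, label in REQUIRED_ATTRIBUTES if key not in attrs]
    # Browsers reject SameSite=None cookies that are not also marked Secure.
    if str(attrs.get("samesite", "")).lower() == "none" and "secure" not in attrs:
        findings.append(f"{name}: SameSite=None requires Secure")
    return findings


def hardened_client_context() -> ssl.SSLContext:
    """Client context that authenticates the server the way the page describes:
    chain validated against the CA store held by the client, hostname checked,
    and nothing older than TLS 1.2 accepted."""
    ctx = ssl.create_default_context()      # loads the client's trusted CA store
    ctx.check_hostname = True               # certificate must match the host name
    ctx.verify_mode = ssl.CERT_REQUIRED     # unverifiable server -> handshake fails
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


# Constructed sample headers (not captured from OTrack).
SAMPLE_HEADERS = [
    "session=3f9a1c; Path=/; Secure; HttpOnly; SameSite=Lax",
    "session=3f9a1c; Path=/",
    "remember=1; Path=/; SameSite=None; HttpOnly",
]

if __name__ == "__main__":
    ctx = hardened_client_context()
    print("verify_mode:", ctx.verify_mode.name, "check_hostname:", ctx.check_hostname)
    for header in SAMPLE_HEADERS:
        print(header, "->", audit_set_cookie(header) or "OK")
```

The context from hardened_client_context() can be passed to ssl.SSLContext.wrap_socket or http.client.HTTPSConnection; a server presenting a self-signed or mismatched certificate then fails at handshake rather than silently connecting, which is the man-in-the-middle defence the page refers to.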
We know that you, as an OTrack customer, expect us to be responsible stewards of your data. As part of this responsibility, we make sure that OTrack employee access to our internal systems is strictly controlled. To start, access between our corporate and production networks is strictly limited. For example, production network access is IP address whitelisted and restricted to engineering teams that require it as part of their duties. Firewall configuration is tightly controlled and limited to a small number of hosting administrators. Access to other resources, including data centres, server configuration utilities, production servers, and source code development utilities, is granted only with explicit approval from appropriate management. A record of the access request, justification, and approval is kept by management, and access is then granted by the appropriate individuals.
Part of keeping our service secure is making sure that people who work at OTrack understand how to be security conscious and recognise suspicious activity. To that end, OTrack employees are required to acknowledge security policies prior to being granted systems access. Employees also take part in mandatory security and privacy training as new hires and in annual follow-up training, and receive regular security awareness training via informational emails, talks, presentations, and resources made available to staff.
OTrack will notify you in the event of a data breach, as required by applicable law. We maintain incident response policies and procedures, including a breach notification process, which enables us to notify affected customers as needed.
We want you to have the tools you need to make responsible, informed decisions about your team’s security. To help you configure, use, and monitor your OTrack account in a way that meets your needs, your admin (‘School’) tools come equipped with security features for you to keep your data safe. Through our knowledge-base and our support team, we provide information to help you understand how these settings can help you responsibly configure your account.
OTrack gives you the flexibility to customise your account to support your security, collaboration, and privacy needs. Owners and Admins can review and modify these settings through the Admin/School feature. For example, accounts can be configured so that pupil records, reports, and admin features are visible and usable only by the people you choose.
Users can be easily added, removed, and reviewed from the Admin/School feature. To ensure sensitive data in your OTrack account can only be accessed by the right people, we recommend reviewing this list regularly. You can then remove access when someone leaves your school or no longer requires it because of a change in job role. Similarly, you can modify team members’ roles so that each user account has the appropriate level of access.