Common Questions about Data Protection
Find answers to some common questions about data protection in Staffology HR.

| Question | Answer |
| --- | --- |
| Who do you hold personal data about as part of the services you provide to us? e.g. employees, customers | Employee personal data is held regarding your employees, dependent upon the modules you have purchased |
| For what purposes do you use the personal data? | As processor, to provide the contracted services, i.e. an HR and Payroll System |
| Which of your departments have access to the personal data? | Only the necessary departments at IRIS can access the cloud services' data, including Support, Development/QA and Admin. We have a role-based access policy in place for these departments |
| What data processing activities do you undertake on our behalf (e.g. collection, recording, organisation, storage, use, disclosure, transmission, or dissemination of data)? | |
| Where is the personal data collected from? e.g. direct from data subject, from us (customer), passed by a third party. If the latter, please state which third party(ies) | The data is entered directly into the system by your employees. No data is passed to a third party unless you have enabled third-party API links. You would be in control of this process |
| How do you collect/receive the personal data? e.g. application form, secure online portal, password protected attachment via email | Personal data can be entered into the system via: |
| What procedures do you apply to ensure personal data is accurate and kept up to date? | The responsibility for collecting information lies with the person processing the data in the software. Customers should ensure they have adequate standard operating procedures to ensure the accuracy of data entered into the system |
| Do you automatically profile individuals? If yes, do you make decisions solely based on such automated processing, including profiling? | No |
| What procedures do you apply to ensure that no more than the personal data required is collected? | The responsibility for collecting information lies with the person processing the data in the software. Customers should ensure they have standard operating procedures in place to ensure data minimisation |

| Question | Answer |
| --- | --- |
| Do you have processing locations outside of the UK? How does this affect security? | On occasion, IRIS may use engineers and third parties located in India for production environment support, deployment activities, access management, and security and vulnerability management. In all these instances, information is held on secured network drives held in the UK and only accessible by those authorised to process it. All relevant security requirements have been addressed and further information is available on request. A full risk assessment is carried out annually to ensure that client data is always protected. |
| What measures are in place for international data transfers? | Supplementary measures for personal data processed in India: |

| Question | Answer |
| --- | --- |
| Is your company compliant with the notification requirements of the Data Protection Act 2018 or equivalent legislation? | Yes |
| In the last 2 years, has your company been the subject of any data protection information notices, enforcement notices, decision notices, undertakings, or any equivalent regulatory notices/actions? If yes, attach a copy of the document and explain what you have done to ensure that the situation does not occur again. | No |
| Does your organisation conduct regular compliance audits to ensure that data protection policy is compliant with relevant laws and regulations? | Yes, annual audits take place |

| Question | Answer |
| --- | --- |
| Is there a Data Protection Policy applicable to all staff who process data for us? If yes, please provide a copy. | IRIS has a Group Data Protection Policy. Staff who may have access to your data (for example in relation to Support or Professional Services) are required to operate to standard operating procedures |
| Do you have an up-to-date internal data breach register? | Yes. This is managed by the IRIS Group Data Protection Officer |
| Do you have a Data Retention/Archive Policy? How long do you store data in relation to the service you provide to us and what criteria are applied to determine how long data is retained? | In the context of our function as a data processor, we are required to keep customer data for the retention period agreed in the contract, which represents the customer's instructions to us. However, after the end of the provision of services relating to processing we must, at the choice of the customer, delete or return all the personal data to the customer and delete existing copies. It is up to the customer to instruct IRIS during any notice period of the end of the contract |
| Do you have an internal data breach register or central record of processing activities? | Yes. This is reviewed annually; if a breach occurs, a review of the issue and of how to prevent it from occurring again takes place |

| Question | Answer |
| --- | --- |
| Do you have adequate physical security procedures and measures in place to protect personal data? | Yes, Staffology HR is BS EN ISO/IEC 27001:2013 compliant |
| Do any staff who do not need access to any personal data have access to it? Consider both physically and via a computer network | No |
| Do you use encryption to protect personal data? | Personal data is stored in a combination of Azure Storage and Azure SQL, with data encrypted at rest using 256-bit AES encryption and dedicated service-managed keys. Refer to Azure Storage encryption for data at rest and Transparent data encryption for SQL Database, SQL Managed Instance, and Azure Synapse Analytics for more information. |
| Are all mobile phones, laptops and tablets which contain personal data tracked in an asset register, PIN or password protected, encrypted and remotely wipeable? | No customer data is stored on staff equipment. Group IT looks after IRIS's asset register. Devices issued to staff by IRIS Group IT are included in that register |
| How is removable storage media recorded and managed to ensure security? | Use of removable storage is minimal; no customer data may be downloaded from production environments |
| What protections are there against unauthorised copying, processing etc.? | There are various security measures in place to protect this asset and stop unauthorised copying, processing etc.; these are:<br>The following are mitigated due to using Azure serverless technologies and not needing to manage the asset: |
| What protections are there against accidental loss, damage or destruction? | We work with the principle of least privilege: developers and administrators are not allowed to work directly with live customer data, and data is geo-replicated where possible. |
| Do you have robust, frequent data backup procedures? | Data is fully backed up using the Azure backup service.<br>Backups are kept on a 30-day rolling basis, after which the data is removed permanently.<br>The internal Recovery Point Objective (RPO) is 1 hour. The Recovery Time Objective (RTO) is 48 hours. System availability is 99.9%. |
| What additional identification and security measures apply to any sensitive or special category data (if applicable)? | Not applicable. |
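The backup answer above states a 1 hour RPO and a 30-day rolling retention window. The Python below is an added example, not Staffology HR or IRIS code, showing how a reviewer could check a set of backup completion timestamps against those two figures: it flags any interval longer than the RPO (including the interval from the newest backup to now, which catches a job that has silently stopped) and any backup still present beyond the rolling window. All timestamps are constructed sample data, and the 24-hour check window is the example's own choice.

```python
"""Backup freshness and retention check against a stated RPO.

Added example, not Staffology HR or IRIS code. Given the completion times
of backups, it reports (a) every interval longer than the RPO, including
the interval from the newest backup to now, and (b) backups still present
beyond the rolling retention window. The RPO (1 hour) and the window
(30 days) are taken from the answer; the timestamps are constructed sample
data and the 24-hour check window is this example's own choice.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

RPO = timedelta(hours=1)
RETENTION = timedelta(days=30)
CHECK_WINDOW = timedelta(days=1)   # how far back to look for RPO gaps


def rpo_violations(backups: List[datetime], now: datetime,
                   rpo: timedelta = RPO,
                   window: timedelta = CHECK_WINDOW) -> List[Tuple[datetime, datetime, timedelta]]:
    """Return (earlier, later, gap) for each interval within the window that exceeds the RPO.

    The window start and `now` are used as end points, so an empty window
    (the backup job stopped entirely) shows up as a single large gap."""
    start = now - window
    points = [start] + sorted(b for b in backups if start <= b <= now) + [now]
    return [(a, b, b - a) for a, b in zip(points, points[1:]) if b - a > rpo]


def expired_backups(backups: List[datetime], now: datetime,
                    retention: timedelta = RETENTION) -> List[datetime]:
    """Backups older than the rolling window; under the stated policy these should already be gone."""
    cutoff = now - retention
    return sorted(b for b in backups if b < cutoff)


def backup_report(backups: List[datetime], now: datetime) -> Dict[str, object]:
    """Verdict a monitoring check could alert on."""
    violations = rpo_violations(backups, now)
    expired = expired_backups(backups, now)
    worst = max((gap for _, _, gap in violations), default=timedelta(0))
    return {
        "rpo_met": not violations,
        "worst_gap_hours": worst.total_seconds() / 3600,
        "expired_count": len(expired),
        "compliant": not violations and not expired,
    }


# Constructed sample: hourly backups over the last 24 hours with one missed
# run (leaving a 2 hour gap) plus one 31-day-old backup that escaped pruning.
NOW = datetime(2024, 1, 31, 12, 0, tzinfo=timezone.utc)
SAMPLE_BACKUPS = [NOW - timedelta(hours=h) for h in range(24) if h != 5]
SAMPLE_BACKUPS.append(NOW - timedelta(days=31))

if __name__ == "__main__":
    for earlier, later, gap in rpo_violations(SAMPLE_BACKUPS, NOW):
        print(f"RPO gap of {gap} between {earlier:%H:%M} and {later:%H:%M}")
    print(backup_report(SAMPLE_BACKUPS, NOW))
```

The report treats a retained backup older than 30 days as a finding in its own right: the answer promises permanent removal after the window, so its continued presence is a retention-policy failure even though it does no harm to the RPO.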

| Question | Answer |
| --- | --- |
| Do you have a complete list of data processors used by your organisation in respect of the personal data you process or control as part of the services you provide to us? If so, please provide a copy. | |
| How do you audit your data processors' compliance with data protection law? | We request security guarantees in line with Article 28 of the General Data Protection Regulation (GDPR). We have corporate procedures in relation to this. |
| Do you have a standard data processor agreement for use with third parties? | Yes |
| Does the client have any control over the use of the third parties listed? | Azure and AWS SES are essential to the successful use of Staffology HR and cannot be controlled on a customer-by-customer basis. |
| What is Amazon AWS SES and what does Amazon do with our data? | AWS SES is a UK-pinned provider of cloud-based transactional and marketing email delivery, management and analytics services. These services consist primarily of sending and delivering e-mail communications on behalf of customers to their recipients.<br>The personal data transferred concerns anyone who is a sender, recipient or copy recipient of an email which the customer instructs AWS SES to deliver and manage. Data subjects may also include individuals who are mentioned within the body of emails sent by the customer using AWS SES.<br>The categories of personal data transferred:<br>• Sender, recipient and copy recipient identification information (first and last name), contact information (address, telephone number (fixed and mobile), e-mail address, fax number), employment information (job title); and<br>• Any other personal data that the Customer chooses to include within the body of an e-mail that it sends using AWS SES. The personal data transferred to AWS SES for processing is determined and controlled by the Customer in its sole discretion. As such, AWS SES has no control over the volume and sensitivity of personal data processed through its service by the Customer.<br>Amazon SES supports TLS 1.2, TLS 1.1 and TLS 1.0 for TLS connections.<br>By default, Amazon SES uses opportunistic TLS. This means that Amazon SES always attempts to make a secure connection to the receiving mail server. If Amazon SES can't establish a secure connection, it sends the message unencrypted. |
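The last two sentences of the SES answer describe opportunistic TLS: the message is still delivered, unencrypted, when the receiving server cannot negotiate TLS. The Python below is an added example, not Staffology HR, IRIS or Amazon code. It models that delivery decision for a constructed set of recipient servers and contrasts the opportunistic policy with a require-TLS policy, so a reviewer can see which recipient domains would receive HR mail in plaintext under each. The server list, the version-floor parameter and the outcome format are this example's own.

```python
"""Opportunistic vs. required TLS for outbound e-mail delivery.

Added example, not Staffology HR, IRIS or Amazon code. It models the
delivery decision described in the answer above: with opportunistic TLS
the sender tries to negotiate TLS and, if that fails, sends the message in
plaintext; with a "require TLS" policy the message is not sent at all.
The receiving servers and their capabilities are constructed sample data.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int]   # (major, minor), e.g. (1, 2) for TLS 1.2


class TlsPolicy(Enum):
    OPTIONAL = "OPTIONAL"   # opportunistic: try TLS, fall back to plaintext
    REQUIRE = "REQUIRE"     # deliver over TLS or not at all


@dataclass(frozen=True)
class ReceivingServer:
    domain: str
    supports_starttls: bool
    max_tls_version: Optional[Version]   # None when the server offers no TLS


@dataclass(frozen=True)
class DeliveryOutcome:
    domain: str
    delivered: bool
    encrypted: bool
    reason: str


# The answer lists TLS 1.0 to 1.2 as supported by SES, so (1, 0) is the
# permissive default; a stricter floor is this example's own parameter.
def deliver(server: ReceivingServer, policy: TlsPolicy,
            min_version: Version = (1, 0)) -> DeliveryOutcome:
    tls_possible = (server.supports_starttls
                    and server.max_tls_version is not None
                    and server.max_tls_version >= min_version)
    if tls_possible:
        major, minor = server.max_tls_version
        return DeliveryOutcome(server.domain, True, True, f"delivered over TLS {major}.{minor}")
    if policy is TlsPolicy.REQUIRE:
        return DeliveryOutcome(server.domain, False, False,
                               "TLS required but not negotiable; message not sent")
    # Opportunistic fallback: the message still goes out, unencrypted.
    return DeliveryOutcome(server.domain, True, False,
                           "TLS not negotiable; fell back to plaintext")


def summarize(servers: List[ReceivingServer], policy: TlsPolicy,
              min_version: Version = (1, 0)) -> Dict[str, List[str]]:
    """Group recipient domains by what would happen to mail sent to them.

    The 'plaintext' list is the one a data protection review cares about:
    under OPTIONAL those messages leave unencrypted without any error."""
    result: Dict[str, List[str]] = {"encrypted": [], "plaintext": [], "not_sent": []}
    for server in servers:
        outcome = deliver(server, policy, min_version)
        if outcome.encrypted:
            result["encrypted"].append(outcome.domain)
        elif outcome.delivered:
            result["plaintext"].append(outcome.domain)
        else:
            result["not_sent"].append(outcome.domain)
    return result


# Constructed sample: three recipient domains with different TLS support.
SAMPLE_SERVERS = [
    ReceivingServer("modern.example", True, (1, 3)),
    ReceivingServer("legacy.example", True, (1, 0)),   # STARTTLS, but TLS 1.0 only
    ReceivingServer("plain.example", False, None),     # no STARTTLS at all
]

if __name__ == "__main__":
    for policy in TlsPolicy:
        print(policy.value, summarize(SAMPLE_SERVERS, policy))
    print("REQUIRE with a TLS 1.2 floor:", summarize(SAMPLE_SERVERS, TlsPolicy.REQUIRE, (1, 2)))
```

In SES itself the corresponding control is the TlsPolicy delivery option on a configuration set (REQUIRE instead of the default OPTIONAL); with REQUIRE, a recipient server that cannot negotiate TLS produces a non-delivery rather than a plaintext send, which is the trade-off the summary makes visible.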

| Question | Answer |
| --- | --- |
| Who is responsible for data protection compliance in your organisation? | All IRIS staff are responsible for compliance with data protection in line with IRIS policies and procedures. The Chief Information Officer (CIO) has ultimate responsibility for enforcement of policies and procedures and is supported by the governance structure described in Appendix 1 of the Group Data Protection Policy. |
| What processes do you have in place to ensure identification of and prompt reporting of data breaches to us and (if appropriate) the Information Commissioner's Office? | IRIS Software Group has an overarching critical incident process. The IRIS Personal Data Incident Reporting Procedure falls under that process to ensure any incident is promptly reported to the Group Data Protection Officer and assessed in line with the regulatory guidelines on breach reporting under current data protection laws.<br>The Staffology HR Product Manager is responsible for ensuring that all staff involved in providing the Staffology HR service have the means to escalate incidents in line with the above corporate procedures.<br>As your data processor, Staffology HR will not report personal data breaches to a regulator on your behalf. However, Staffology HR will report incidents to you without undue delay so that you can report the matter to the ICO if you believe it is necessary to do so. |
| Who is responsible for dealing with the response to data breaches in your organisation? | The Group Data Protection Officer, in consultation with the CIO. |
| To the extent not already set out above, what action have you taken to ensure compliance with data protection laws? | IRIS has an Information Security and Governance Group, which includes members of the Executive Committee.<br>The Staffology HR Management Review Group leads on Staffology HR.<br>Staffology HR has carried out a gap analysis and risk assessment in line with current data protection regulations. |
| Do all staff receive data protection training? Please provide details. | IRIS uses MetaCompliance to hold all policies and procedures in relation to data protection. The compliance software tracks, records and requires employees to:<br>The group also provides onsite training to key areas to support knowledge and understanding of the subject matter: |

| Question | Answer |
| --- | --- |
| On what basis is consent obtained by your organisation (if at all) to process an individual's personal data, i.e. for which categories of data do you rely upon the consent of the data subject? | This is only relevant to data controllers. In the context of our processor activity this would be the customer's responsibility. |
| If consent is obtained, is the consent written? If not, how will it be demonstrated that consent has been given? | As above |
| Are there processes in place to allow an individual to withdraw their consent? If so, how can they do this and is it as easy as their initial giving of consent? | As above |
| If no consent is required or obtained, which grounds for processing will be relied on? | As above |
| Do you have a clear and known process to deal with Subject Access Requests? | As above |
| What is the process for you to respond to requests to rectify inaccurate personal data about an individual? | As above |
| What is the process for you to respond to a request under the right to be forgotten? | As above |
| Is personal data processed or accessed outside the European Economic Area (EEA)? If so, what measures are in place for such transfers, e.g. binding corporate rules, adequacy decision or appropriate safeguards including data processor contracts? | On occasion, IRIS may use engineers and third parties located in India for production environment support, deployment activities, access management and security and vulnerability management. In all these instances, information is held on secured network drives held in the UK and only accessible by those authorised to process it. All relevant security requirements have been addressed and further information is available on request. A full risk assessment is carried out annually to ensure that client data is always protected. |
| Do you have a Privacy Policy/Fair Processing Notice? | It is the Controller's (customer's) responsibility to provide data subjects with a privacy/fair processing explanation |
| How are individuals whose personal data you process made aware of the Privacy Policy/Fair Processing Notice? | It is the Controller's (customer's) responsibility to provide data subjects with this information. |

| Question | Answer |
| --- | --- |
| Is there a documented procedure to revoke leaver access to data, physical access to premises and information systems? | Yes |
| Is there a documented procedure to recover all computer equipment, access tokens, keys etc. prior to an employee leaving? | Yes |
| Upon termination, is there a documented procedure for the immediate revoking of physical access to premises and logical access to computer systems? | Yes |
| Are privileged user accounts only used for performing specific functions that require administrator or other privileged access, and not used for day-to-day work? | Yes |
| Are your password settings configured to ensure that passwords meet a minimum length of 8 characters, are complex*, and are required to be changed at least every 90 days?<br>*Complex passwords must contain characters from three of the following five categories: uppercase characters (A through Z); lowercase characters (a through z); base 10 digits (0 through 9); non-alphanumeric characters: ~!@#$%^&*_-+=`\|\\(){}[]:;"'<>,.?/; any Unicode character that is categorised as an alphabetic character but is not uppercase or lowercase (this can include Unicode characters from Asian languages) | Customers are in control of their password policies, which can be configured within the application. Customers can control password complexity and history.<br>Note that this applies only to users logging in with a simple username/password combination in Staffology HR. Customers may choose instead, or additionally, to authenticate their users against an external provider such as ADFS or Azure AD; in that case, password policies are the responsibility of the customer's external provider. |
| What technical measures are implemented in relation to passwords being stored in the database? | Passwords in the Staffology HR database are salted and hashed, with a unique salt per user. |
| Can Azure authentication be used in scenarios where users share terminals? | Azure authentication (and any other external provider) can be used on shared devices; however, users must sign out of Azure before leaving their machine for others to access. |
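The password question above quotes a specific complexity rule (minimum 8 characters, three of five character categories, change at least every 90 days), and the next answer states that stored passwords are salted and hashed with a unique salt per user. The Python below is an added example, not Staffology HR or IRIS code. It implements the quoted rule as written, applies the 90-day interval, and then shows what per-user salting and hashing looks like for storage and verification. The key derivation function (PBKDF2-HMAC-SHA256), its 600,000 iteration count and the 16-byte salt are the example's own choices, not a statement about the product; the sample dates and passwords are constructed.

```python
"""Password policy check and salted password storage.

Added example, not Staffology HR or IRIS code. validate_complexity()
implements the rule quoted in the password question (minimum 8 characters,
three of the five character categories); password_expired() applies the
90-day change interval from the same question; hash_password() and
verify_password() show what "salted and hashed, with a unique salt per
user" means in practice. The KDF (PBKDF2-HMAC-SHA256), the iteration count
and the salt length are this example's own choices, not the product's.
"""
import hashlib
import hmac
import os
import unicodedata
from datetime import datetime, timedelta
from typing import Dict, List, Optional

MIN_LENGTH = 8
REQUIRED_CATEGORIES = 3
MAX_AGE = timedelta(days=90)
# The non-alphanumeric set exactly as listed in the question's footnote.
SYMBOLS = set("~!@#$%^&*_-+=`|\\(){}[]:;\"'<>,.?/")

PBKDF2_ITERATIONS = 600_000   # example choice
SALT_BYTES = 16               # example choice


def categories_present(password: str) -> List[str]:
    """Which of the five footnote categories the password draws from."""
    found = set()
    for ch in password:
        if "A" <= ch <= "Z":
            found.add("upper")
        elif "a" <= ch <= "z":
            found.add("lower")
        elif "0" <= ch <= "9":
            found.add("digit")
        elif ch in SYMBOLS:
            found.add("symbol")
        # Fifth category: a Unicode letter that is neither upper nor lower
        # case, e.g. CJK characters.
        elif unicodedata.category(ch).startswith("L") and not (ch.isupper() or ch.islower()):
            found.add("other_alpha")
    return sorted(found)


def validate_complexity(password: str) -> List[str]:
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(categories_present(password)) < REQUIRED_CATEGORIES:
        problems.append(f"fewer than {REQUIRED_CATEGORIES} character categories")
    return problems


def password_expired(changed_at: datetime, now: datetime, max_age: timedelta = MAX_AGE) -> bool:
    """True once the password is older than the 90-day interval."""
    return now - changed_at > max_age


def hash_password(password: str, salt: Optional[bytes] = None) -> Dict[str, object]:
    """Derive the stored record using a fresh random salt.

    Because the salt is random per user, two users with the same password
    get different hashes, and a precomputed hash table is useless."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return {"algo": "pbkdf2_sha256", "iterations": PBKDF2_ITERATIONS,
            "salt": salt.hex(), "hash": digest.hex()}


def verify_password(password: str, record: Dict[str, object]) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(str(record["salt"])), int(record["iterations"]))
    return hmac.compare_digest(digest.hex(), str(record["hash"]))


def register(password: str) -> Dict[str, object]:
    """Policy check followed by storage; raises on a password that fails the rule."""
    problems = validate_complexity(password)
    if problems:
        raise ValueError("; ".join(problems))
    return hash_password(password)


# Constructed sample dates: 91 days apart, so the password is due for a change.
SAMPLE_CHANGED = datetime(2024, 1, 1)
SAMPLE_NOW = datetime(2024, 4, 1)

if __name__ == "__main__":
    print(validate_complexity("abcdefgh"), categories_present("Pässword1"))
    print("expired:", password_expired(SAMPLE_CHANGED, SAMPLE_NOW))
    record = register("Tr0ub4dor&3")
    print(verify_password("Tr0ub4dor&3", record), verify_password("wrong", record))
```

The fifth category is evaluated with unicodedata, so a CJK password counts towards the three categories, while the literal A to Z and a to z ranges mean an accented letter such as É falls into no category, exactly as the footnote is worded. Note that "complex" by this rule is satisfied by a short dictionary word with one digit and one symbol; the per-user salt and slow KDF are what protect stored passwords if the database itself is exposed.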

| Question | Answer |
| --- | --- |
| Is there a formally documented change management procedure in place that requires that all changes to applications, systems, databases and all network components are documented and require management approval? | Yes. Changes are documented. |
| Is there a process in place to ensure that only secure and approved hardware and software is procured for use in providing services within your organisation? | IRIS does not maintain physical servers or other infrastructure for Staffology HR. All infrastructure is hosted by Microsoft Azure, and as such Staffology HR inherits the physical and environmental controls implemented by Microsoft. Details may be found on the Microsoft website.<br>Access to IRIS resources and equipment is subject to Group IT policies. |
| Are all systems required to have active anti-malware installed and running? | Yes |
| Are anti-malware signature updates deployed across the production environment, including servers, email servers and end users' devices, within 24 hours of updates being made available? | The production environment anti-malware is a managed service provided by VMware Carbon Black Endpoint. Updates are deployed when available. |
| Is there an internal vulnerability scanning process that is performed on at least a quarterly basis? | Microsoft Defender for Cloud continuously scans critical resources for vulnerabilities and produces a monthly report.<br>Routine environment vulnerability scanning for Staffology HR is performed annually or when significant platform/software changes are made. |
| Are findings from vulnerability scans tracked, and are rescans performed until no findings are identified? | Yes |
| Is there a patch management process in place to ensure that all systems are kept up to date with the latest patch levels? | Patching is a managed service provided by Azure Automation Update Management. |
| Is there a process to ensure that critical security patches for hardware and software are implemented within 30 days of patch release? | Yes. Patching is performed monthly. Critical updates are installed in non-production environments as soon as they are released and then installed in production environments 7 days later. |
| Does the organisation regularly conduct penetration tests on the network and IT systems and services? | Yes |
| Are penetration tests of critical applications or networks with Internet connectivity performed at least every 12 months and after significant changes? | Yes |
| Is customer data physically and logically separated from data of other clients? | Customer data is stored in separate databases. |
| Do you use a Real Time Security Monitoring (RTSM) service? | Yes, using Carbon Black EDR |
| Is the RTSM service outsourced? | Yes, to eSentire |
| What parameters and services are monitored by the RTSM service? | Full server endpoint detection and response |

| Question | Answer |
| --- | --- |
| Is there a process or a system in place to ensure that all systems and networks used to deliver services to Client are configured in a consistent and secure manner, with approved security settings applied? | Yes, systems use hardened images and configurations. Configuration management is used to ensure consistency |
| Are the computer systems and networks that will be used to provide services to Client configured to prevent single points of failure, in order to provide business as usual services in the event of a systems failure? | All critical resources are zone redundant within the Microsoft data centre, ensuring continued service in the unlikely event of a local failure. |
| Are the computer systems and networks that will be used to provide services to Client monitored in real time, or have alerting that is responded to in a timely manner? | Yes |
| Are network intrusion detection systems (NIDS) or network intrusion prevention systems (NIPS) installed and configured to monitor all external perimeter network connections? | Yes, through a combination of perimeter Web Application Firewall protection and traffic logging. |
| Is there technology in place to encrypt, point to point, all customer data that travels over public networks, including email, instant messaging and voice over IP (VoIP), using an industry standard encryption algorithm? | Data encryption in transit uses certificates. Data is also encrypted at rest |
| If wireless networks are used, are technical controls in place to protect connections to them using WPA2/PSK at a minimum? | No Wi-Fi networks exist on the production systems |
| Are controls in place to segregate guest wireless networks from the corporate network? | Yes |

| Question | Answer |
| --- | --- |
| Are controls in place to prohibit the use of customer live data within the development and testing environments? | Yes |
| Does the system development lifecycle (SDLC) include information security requirements to support development of secure systems? | Yes. Security is considered at the Architecture Review Board (ARB) stage for major projects; all code changes are subject to automated analysis against the OWASP Top 10 and SANS Top 25 lists. In addition, the codebase is scanned at least once a week by an automated vulnerability scanning tool. Any issues found during any of these stages are fixed straight away, before release. The SDLC emphasises shifting security testing left so that the master branch remains secure, stable and releasable |
| Are penetration tests conducted? How often are they conducted? | Yes, at least annually |
| Does the change management process require the security team to review authentication, authorisation, and access control mechanisms? | Yes |

| Question | Answer |
| --- | --- |
| Do you have a Business Continuity Plan? | Yes |
| Does the plan include business and technical recovery, so that services can be resumed to clients within acceptable timescales? | Yes. In the event of an information security incident, Staffology HR follows the IRIS Group incident management policy.<br>Personal data incidents are investigated by the Staffology HR team in accordance with the IRIS Group Incident Reporting and Investigation Procedure.<br>In the event of any critical incident that threatens, or may reasonably be construed as threatening, the information security of a Client or the continuity of the Staffology HR service to any set of Clients, the incident must be immediately reported to the Critical Incident Manager and/or the Information Asset Owner.<br>Disaster recovery, hardware fail-over and information security continuity are managed by Microsoft Azure.<br>Infrastructure configurations are stored and managed as 'images', and all code and application configuration is stored and managed within version control software. |
| How often is the BCP tested? | We test our Business Continuity planning yearly. |
| Are you certified to any recognised Business Continuity Standard for the full range of products and services you provide to Client? | ISO compliant |
| Do you have a clearly defined Incident Response Structure which ensures incidents are identified, escalated and effectively managed? | Yes |

| Question | Answer |
| --- | --- |
| Please provide an overview of your platform in terms of the tech stack, key architectural components and the dependent third-party services | The tech stack at the time of writing uses Windows Server 2016 with IIS and SQL Server 2016 as the base layer, although software versions are subject to change for patch management and operational requirements. Software is mostly written in ASP.NET and, at the time of writing, runs against version 4.7.2 of the runtime. The application is split between the distributed, multi-tenant web tier and data housed in multi-tenant databases distributed across our SQL clusters. Back-office or asynchronous services are provided by dedicated services running on headless servers. All components are installed on servers within our Azure network, and no external communication is required. |
| How does your platform scale to accommodate spikes in traffic? (specify the level that can be accommodated) | The system is built to handle peak traffic. Some scaling is in place for busy periods |
| Please provide an overview of the monitoring solution that you have in place for the platform | Various monitoring systems are in place, covering infrastructure monitoring, APM, logs and alerting |
| Has the platform been load tested? If so, at what levels? | No |
| Are there any known bottlenecks (with respect to platform performance and stability) in the platform? | No |
| What dependencies does the platform have on licensed third-party components? | At the time of writing: Aspose.Words, Aspose.Cells, PDF Metamorphosis, FusionCharts and exchangerate.host (currency conversion) |
| What process is in place to ensure that all dependent third-party components are upgraded when and as required, particularly with respect to security patches? | Third-party components are integrated using the .NET package manager, NuGet. New versions are visible there, and development teams review every release for new versions |
| What level of availability has been achieved by the platform in the last 6 months? | Latest availability statistics can be provided on request; availability is typically 99.9% or above over a given period. |
| Are there any specific areas of the platform that have not achieved the overall level of availability within the last 6 months? | No |
| What internal alerting and escalation process is in place within the organisation to ensure that action is taken when part of, or the entire, system becomes unavailable? | The alerting and monitoring processes are managed by the Operations team and are followed up by an incident management process. |