How We Keep Your Client Information Safe
At our company, we take data protection seriously. We understand that protecting our clients’ personal data is of the utmost importance. That’s why we have a number of measures in place to ensure that our software and operational practices provide a secure environment for client information. On this page, we’ll describe how our company is dedicated to protecting our clients’ personal data.
In today’s digital age, data protection is more important than ever. With the increasing amount of personal data being stored and shared online, the risk of data breaches and unauthorised access is a constant concern. This is where data privacy and regulations like the European Union General Data Protection Regulations (GDPR), which were enacted in the UK by the Data Protection Acts, come into play.
Data privacy laws are implemented to ensure that individuals have control over their personal data and that businesses are responsible for its protection. They set guidelines for how personal data should be collected, stored, and processed, and give individuals the right to access and control their own information.
Data protection is important because it helps to safeguard sensitive information from falling into the wrong hands. It protects individuals from identity theft, financial fraud, and other malicious activities. Additionally, it helps to maintain trust between businesses and their customers. When customers know that their personal information is being handled securely, they are more likely to feel confident in sharing it.
Data Protection Compliance
To ensure compliance, we adhere to the General Data Protection Regulations (GDPR) and UK Data Protection laws and we are registered with the UK Information Commissioner’s Office. This means that we have implemented strict protocols and procedures for the collection, storage, and processing of personal data. We have also appointed a dedicated Data Protection Officer who oversees our compliance efforts and ensures that we meet all regulatory requirements.
We regularly conduct internal audits to assess our compliance and identify any areas for improvement. Our team undergoes ongoing training to ensure they are aware of the latest regulatory requirements and best practices in data protection.
Our Operational Practices for Protecting Your Personal Data
Because we understand that your personal data is sensitive and must be handled with care, we have implemented a range of practices to ensure the protection of your personal data in our operational systems. We have established strict protocols and procedures to safeguard your information from the moment you contact us and throughout the life of our business relationship with you.
Firstly, we ensure that all our operational systems adhere to data protection laws and that data about you is stored in the UK, the European Union (EU), or a country deemed “adequate” for meeting EU GDPR. Security updates for all our systems are applied as soon as they are available.
Secondly, our team is trained on data privacy best practices and is committed to following them diligently. We have implemented access controls and user authentication systems to ensure that only authorised personnel have access to data about you. We have strong, unique passwords and use Multi-Factor Authentication where available. Login accounts are not shared among team members, so we can always track an individual’s transactions.
Finally, once our business relationship with you ends, we will only retain data as required by law for accountancy and record-keeping purposes.
The Security Measures Built into Our Software Products
Our company also takes the security of your library users’ information seriously, which is why we have built robust security measures into our software products. We understand that your users’ data is sensitive and needs to be protected from unauthorised access.
One of the key security measures we have in place is encryption. This means that your data is converted into a code that can only be deciphered with the correct decryption key. This ensures that even if someone were to gain unauthorised access to our systems, they would not be able to read or use your data.
Additionally, our software undergoes regular security testing and audits to identify and address any vulnerabilities. We stay up to date with the latest security protocols and best practices to ensure that our software remains secure against emerging threats. We keep your software protected with regular updates and critical security updates.
We offer Single Sign-On (SSO) which, when combined with Multi-Factor Authentication, adds an extra layer of security by requiring multiple forms of verification before access to your client information is granted. This reduces the risk of unauthorised access even if someone were to obtain your login credentials.
Furthermore, our software is designed with strict access controls, ensuring that only authorised individuals within your organization have access to any client information. You can create classifications for user data and control who has access to these different classification levels. This minimises the risk of internal breaches and data misuse.
Finally, we have robust data backup and disaster recovery measures in place. Your information is securely stored and backed up regularly, so you can have peace of mind knowing that it is protected even in the event of unforeseen circumstances.
See our section below for answers to specific questions you may have about data protection for your users’ data when you subscribe to our software.
Frequently Asked Questions about Data Protection for User Data
Who is the Data Controller?
You, as our client, are the data controller. You decide which personal data you wish to enter in your hosted SLLS.
Who is the Data Processor?
You, as the client, will enter, update and remove personal data in the system, so in this sense, you will be a Data Processor. As the supplier, we will process personal data on your behalf only to the extent that we provide system functionality for you to process that data according to your own instructions. We will be responsible for storing the data securely and responsibly on our hosted platform.
What personal data is held in our system hosted by Bailey Solutions?
As the Data Controller, you will decide what data you will hold for your data subjects. The system will hold personal data for data subjects or users that you enter into the system.
Each user account created in the system requires as a minimum:
– unique username
– password (one-way salt hashed)
– first name
– email address
In addition, the system will hold a user’s roles and permissions or user type, which decide what they can do in the system.
At your discretion, further personal information can be added including:
– date of birth
– organisation number/ID
– job title
– reading level/group
– phone number
– postal address
All of these fields are entirely optional, and entering this data is left to the client’s discretion as the Data Controller. In KnowAll Matrix, it is possible to categorise data subjects and classify the personal data fields as personal, sensitive, confidential etc. This can be combined with restrictions on who can get access to the data according to data subject categorisation and sensitivity of the data held about them.
For what purposes will personal data be held in the system?
To use the library, your library users will presumably enter a contract to use the library services for various purposes. To use the services, the user must be identified (as above) and contactable (more information below).
Depending on the modules you purchase, transactions about the subject’s use of the library services may include:
– Record of items borrowed
– Record of items renewed
– Record of items returned
– Requests for the library to buy items
– Authorisation of purchases
– Requests to receive items to read on a circulation list
– Bookmarked items
– Saved searches
Who deals with requests from data subjects about the personal and transaction data stored in the system?
You do, as the primary Data Processor. Bailey Solutions would only get involved if the request requires technical assistance.
How is data about subjects deleted?
You can delete users from the system. This is a complete cascading deletion, including the user’s transactions. You can alternatively mark a user as inactive and you will still be able to get access to information about them. We have functions in the software to anonymise/redact users. This retains the inactive users and their transactions, whilst removing any data which can identify the subject, i.e. no personal data will remain.
What is the data retention period for personal data in the system?
The system has no retention period. You will be responsible for reviewing data subjects. Also, see the answer to the next question.
How can I review subjects who are inactive for a prescribed length of time?
Our software provides functionality to help you review subjects who have been inactive for the number of months specified by you in your system settings. On delivery of the system, by default, the review period will be set at 24 months but may change as UK legislative requirements dictate. As the Data Controller, it will be your responsibility to make sure this review period is set to the correct number of months. Once you identify users who should be redacted or removed, there are bulk editing tools to help you do this job quickly.
Who can get access to the personal data recorded in the system?
Only the system’s user accounts with sufficient permissions, assigned to them by you, can get access to private data about subjects/users with personal data in the system. These are typically system administrators or power users. At your request, Bailey Solutions technical support staff may get access to this information purely to provide technical assistance with the software. This will be achieved by adding a Bailey Solutions user account to your system which you can delete at any time.
Who manages the user’s passwords in the system?
When you create new users, the system will require you to create a new password for the user. Passwords are protected with a one-way salted hash, so no one can see passwords in the system.
Passwords can be changed by the user using the Change Password or Forgot Password functionality in the system. Passwords may also be reset by admin/power users with sufficient permissions.
Who creates and manages the personal data in the system?
Initially, when setting up the system during the implementation phase you may ask us to add personal data to the system from files that you send us. This data will only be stored on Bailey Solutions servers for a few hours while the import is processed.
Access to the data is restricted to the data conversion programmer.
After the implementation phase, you enter, amend and delete users in your system.
You can create users as follows:
– Manually using the Add User function
– Imported from a file created by you and imported by you using the Import Users function
Currently, ordinary users cannot add, amend or delete their own personal data but can check the personal data held about them.
Sometimes, at the client’s request, we import data into the system on a recurring basis.
Can any third parties access the data?
No. Node4 supply and manage the servers for our hosted platform. Node4 has its own robust privacy policies and contractual obligations with us to prevent misuse of data and their staff have no reason or logins to manage client databases. For more information about Node4, please visit their website.
Where is our personal data stored?
The databases for our hosted customers are stored on servers held by a third-party company, Node4. These servers are housed in one of three highly secure ISO 27001-accredited data centres, all located in the UK. Detailed information on these is available on Node4’s website. Our EU clients’ data is stored on a separate Microsoft Azure server, based in the European Union. Countries outside of Europe can decide whether data is stored in the UK or EU data centre.
Can Bailey Solutions quickly restore personal data in the event of a loss or outage?
All of our hosted customers’ databases are backed up nightly by Node4. At all times, a backup will be available from any day in the past week. Beyond that, 5 weeks’ worth of weekly (Friday) backups and seven monthly backups (from the last day of each month) are held.
Does Bailey Solutions encrypt personal data in transit?
All our clients’ data is encrypted in transit.
Does Bailey Solutions encrypt personal data at rest?
Clients’ data is encrypted at rest.
Is backup data encrypted?
All backups of your data are encrypted both in transit and at rest.
What happens to personal data in our system after we end our contract with Bailey Solutions?
On termination of the contract, a copy of the data will be returned to you and you will need to delete personal data if required. The data will be returned in SQL database format. Bailey Solutions will delete all your data, including personal data, after the copy of the database has been supplied to you.
Are Bailey Solutions employees trained in data security, customer confidentiality and data protection, and how often do they receive further training?
Staff contracts contain clauses on data protection and client confidentiality. Further training is carried out at least annually or as required. Staff are also required to formally sign off that they have read data protection policy documents, accessed with our HR software. They must re-read and re-sign when these policies are updated.
Would Bailey Solutions inform us and/or the Information Commissioner’s Office (ICO) in the event of a data leak or breach?
Yes, in the event of a breach, Bailey Solutions will inform both the customer within 24 hours and the ICO within 72 hours. Bailey Solutions will take all reasonable measures to prevent further leaks.
Has Bailey Solutions been involved in a breach or leak of personal data in the last 12 years?
If you have further questions about data protection and security, please do not hesitate to contact us. We are also always happy to complete your IT Security Assessments before you purchase.
Responding to Potential Security Breaches: Our Incident Response Plan
Bailey Solutions has been hosting client data since 2012 and during that time we have not had a security breach. However, we are not complacent and we understand that despite our best efforts, there is always a small chance that an incident may occur. That’s why we have a comprehensive Incident Response Plan in place to ensure that we can respond swiftly and effectively to any security breaches.
Our Incident Response Plan is designed to minimize the impact of a security breach and restore normal operations as quickly as possible. The plan outlines a step-by-step process for detecting, responding to, and recovering from security incidents. We have a dedicated team of experts who are trained to handle such situations, and they follow strict protocols to ensure a coordinated and efficient response.
In the event of a security breach, our Incident Response Plan includes measures such as isolating affected systems, investigating the extent of the breach, and implementing immediate remediation measures. We work closely with relevant authorities and engage in open and transparent communication with our clients throughout the process.
With our Incident Response Plan in place, you can have confidence in our ability to handle any security incidents swiftly and effectively should they occur. We prioritise the security of your client information and are committed to maintaining the highest standards of data protection.