At The Morrisby Organisation, we have always taken data privacy and security very seriously. With the General Data Protection Regulation (GDPR) having come into effect on 25 May 2018, we undertook a programme to ensure that we were fully compliant. This document outlines some of the steps we have taken.
“Candidate” - someone who is using our services for career guidance purposes.
“Adviser” - someone who manages Candidate accounts on behalf of a school/centre.
Appointed a Data Protection Officer
As Morrisby processes a large volume of personal data, it is our obligation under GDPR to appoint a data protection officer. We have appointed Steven Cole, the IT Director. He can be contacted for GDPR-related matters at firstname.lastname@example.org or +44(0)330 500 5000.
Personal Data Audit / Privacy Impact Assessment
We conducted a thorough personal data audit to establish:
- All of the personal data that we hold;
- Where all personal data is stored;
- Whether it is necessary for us to process all the data that we collect;
- The security procedures in place to protect personal data during transfer, processing and storage;
- All data flows.
After the audit we made changes to our processes, policies and systems to ensure that all of our personal data processing is GDPR compliant.
Where do we store Personal Data?
We have ensured that all of our data storage locations are GDPR compliant. Most of our Candidate data is stored within the EEA on hosted servers and cloud services. For data that we store or transfer outside the EEA, we will take all reasonable steps to ensure that it is treated as safely and securely as it would be within the EEA and under the GDPR. Such steps may include, but not be limited to, the use of legally binding contractual terms between us and any third parties we engage and the use of the EU-approved Model Contractual Arrangements.
Updated Our Policies
We’ve updated our data policies to be GDPR compliant. These include:
- Data Retention Policy: https://www.morrisby.com/data-retention;
- Security policy: this is an internal document;
- Data Protection Policy: https://www.morrisby.com/data-protection.
All employees receive training on our privacy and data retention policies.
Established Our Lawful Basis for Processing Data
GDPR provides six lawful bases for processing personal data. We have established our lawful basis for all of our data processing operations.
Our most important data processing operation is that of Candidate data, for which we identified legitimate interests, GDPR Article 6(1)(f), as our lawful basis. We conducted and documented a thorough necessity and balancing test to ensure that the legitimate interests are not outweighed by the fundamental rights of the data subject (the Candidate). We concluded that the case was overwhelming because the legitimate interests of the Candidate (the data subject), the school, and Morrisby are all strongly aligned.
Our Role as a Data Controller and Data Processor
For schools and organisations where the students enter their data for themselves, we are the data controller for Candidate personal data and we control which information is collected and processed. In this case we are therefore a data controller in our own right, rather than a data processor acting on behalf of the school as data controller.
For schools and organisations making use of MIS integration, the school is also acting as a data controller, so Morrisby and the school are joint data controllers. In this situation, there is a data sharing document that schools must agree to: https://www.morrisby.com/data-sharing-agreement-mis.
Data Processing Agreements
We have ensured that we have GDPR compliant data processing agreements with all of our data processors.
Security review and update
We have taken a number of measures to enhance our security infrastructure. Publishing full details of security measures can in itself pose a security risk, but we can outline, in general terms, some of the measures we take:
- 24/7/365 managed SIEM for proactive monitoring and detection of intrusions and threats;
- Annual penetration testing performed by a CREST-certified company;
- Encryption of data at rest and in transit;
- Daily automated vulnerability scans;
- Patches and updates are applied promptly and regularly;
- The use of tightly configured firewalls;
- The use of virus and malware protection;
- Strong password policy for all employees;
- Website user accounts are locked out after too many failed login attempts;
- We have achieved Cyber Essentials Plus certification.