Information to our customers about GDPR
The EU’s General Data Protection Regulation (GDPR), approved by the European Parliament in 2016, is the most important change within data protection regulation in 20 years. It replaces the Data Protection Directive 95/46/EC and local law and regulations across the EU/EEA. The new regulation is designed to strengthen the individual’s rights to privacy and harmonize data privacy laws across Europe.
itslearning has been committed to data privacy for nearly 20 years and welcomes the new regulation. We will do our part to ensure that all our customers are GDPR compliant by May 2018. There is a big, untapped potential in using technology and cloud services to improve teaching practices and learning outcomes. One of the keys to unlocking this potential is to earn the trust of teachers, students and parents. In this sense the increased focus on data protection and privacy due to GDPR will be beneficial for all parties.
itslearning GDPR Commitment
For an organization that is already compliant with current privacy regulations, GDPR is fortunately not a big step. At itslearning, our organisational and technical security is already designed with personal data protection in mind, and we constantly update our services and procedures to maintain the highest level of data security.
For the cloud services we provide to our customers and their end users, itslearning is what both existing and new EU regulation defines as a processor. As a processor we do not decide the purpose or lawfulness of the processing; we merely process data on our customers’ behalf. GDPR imposes stricter requirements on all processors of data. We will fully comply with these requirements for all of our services, including itslearning, Fronter and SkoleIntra. At itslearning we have been working with GDPR for a long time, analysing the new regulation and making the necessary changes to our services, procedures and organisation. In the coming months we will make available all documentation, contract addendums and procedures that you might need to prove your GDPR compliance. We expect to be fully compliant by Q1 2018 – well in time for the new regulations.
As a part of our commitment to GDPR you can expect itslearning to:
- Ensure organisational and technical security for all services.
- Help you with the documentation needed to demonstrate compliance and inform your users.
- Provide you with new contract addendums that comply with GDPR’s requirements for Data Processing Agreements (DPA).
- Provide the necessary support for you when your users are executing their data subject rights.
itslearning has appointed a Data Protection Officer (DPO) as defined under GDPR. Most of our customers will be required to appoint or contract a DPO as part of their GDPR compliance. In addition to monitoring our own compliance and providing advice and training to our own staff, our DPO will be available to our customers and their DPOs to discuss data privacy issues.
Contact details for our DPO:
John Arthur Berg
+47 55 23 60 70
What does GDPR require from you as a customer?
Most of our customers are already hard at work ensuring their compliance with the new GDPR regulations. The amount of work needed to be compliant depends on what type of organisation you are and what processes and policies are currently in place. If you haven’t already started working on your GDPR compliance, we recommend that you appoint a project team, assess your current situation and get legal advice in order to see what needs to be done.
In general, GDPR will require you to:
- Document and assess all processing of personal data and the systems being used. The purpose and lawfulness of the processing should be defined, and you should make sure you don’t process personal data that is not needed for the defined purpose.
- Ensure the organisational and technical security of the processing, and be able to demonstrate it. Assess your internal processes for data retention and security, and document it. Ensure that your own technology can provide sufficient technical security, and document it.
- When you are using third-party services, like ours, to process personal data, you need to make sure that the data processing requirements are compliant with GDPR.
- When acquiring new technology that is likely to result in a high risk to personal data, you need to perform a risk analysis – a Data Protection Impact Assessment (DPIA). As an existing customer, our services are not new technology to you. But doing a DPIA might still be a good idea and will help you in documenting compliance.
- Users (data subjects) have stronger rights under GDPR. Our customers will have to have a process in place for taking data subject requests, and for assessing the validity of the requests.
- A particularly important data subject right is transparency and information. Make sure the information to your users on everything required under GDPR is easily accessible, including how they can exercise their rights. If your users are young, you should make sure this information is available to parents too.
Please note that many of these requirements are already in place under current regulations, so your organisation might already be close to compliant!
For general information on GDPR, please visit our GDPR website which will be updated as the project proceeds with relevant information and FAQs.
For general questions related to itslearning product and services, you can as always contact our support organisation. For contractual or commercial questions, please contact your account manager.
For specific GDPR-related questions from our customers, please contact our Data Protection Officer, [email protected] or call +47 55 23 60 70. Please note that any communication with our DPO must be in English or Norwegian.
FAQ (For customers)
Will GDPR require us to get consent from all of our users (or their parents)?
For most of our customers, no. Under GDPR, consent is only one of six lawful reasons to process data. Our customers need to choose the lawful basis that most closely reflects the true nature of the relationship between you and your users. For most of our customers, consent would not be the most appropriate lawful basis for the processing. For many of our customers, the lawful basis of processing would be related to tasks performed in public interest or related to your legal obligations.
Can itslearning use personal data for their own purposes?
No. Both currently and under the new GDPR regulation we can only process data on direct instructions from our customers. The data is yours, and only a handful of itslearning staff has access to personal data under strict confidentiality and security. We can only process personal data independently if it is vital to the integrity or security of the service, or to analyse or evaluate the quality of the service provided.
What kind of information are we obligated to provide users about the personal data processing?
The right to transparency and information to the users (or their parents) is strong under GDPR. Information you need to make easily available may include:
- Identity and contact details of the controller / controller’s representative
- The contact details of the Data Protection Officer
- The purpose of the processing and the legal basis for processing the data
- Any intentions to transfer personal data to a third country (outside EU/EEA) and what safeguards have been put in place, and means of obtaining a copy of it.
- The period for which the personal data will be stored, or criteria that determine the period.
- The data subject’s rights (Access, rectification, erasure, etc.)
- The right to lodge a complaint with the supervisory authority
- Where the data originates from
- Any use of automatic decision making/profiling.
Can any of our users now require us to delete their data (AKA the “right to be forgotten”)?
Probably not. A user can only require their data to be deleted if the lawful basis of the processing is Consent (see above) or if the original purpose or lawfulness is no longer valid. Our customers will have to have processes in place to carefully evaluate data subjects’ requests for their data to be deleted. You can contact our Data Protection Officer for advice in difficult cases. If a data subject is granted the right to be deleted, itslearning will, either through our software or our support services, be available to help execute a data subject’s rights.
Can our users now require us to give them a copy of all their personal data?
To some extent, yes. All your users now have strong rights to transparency, information and data access. Any data subject can exercise their rights by requesting a copy of all their personal data, as long as it doesn’t adversely affect others, or if this data isn’t already available to them. However, this is not an absolute right; other laws might require you to protect the data subject, or others, from accessing certain types of information. You will need to carefully evaluate these requests under GDPR against rights and obligations in other regulations. You can contact our Data Protection Officer for advice in difficult cases. If a data subject is granted the right of access, itslearning will, either through our software or our support services, be available to help execute a data subject’s rights.
Can a user (e.g. student, parent, teacher) contact itslearning directly to exercise their rights under GDPR?
No. Under GDPR, the data subject (user) rights are between the user and the controller (our customers). Any data subject requests from end users to itslearning will be handed over to the customer. itslearning will cooperate in good faith with customers to ensure they can exercise the rights of the data subjects in a prompt manner.
When does itslearning delete personal data?
itslearning deletes personal data when instructed by our customers, or if the contract between us and the customer is terminated. The procedures around deleting customer data upon termination of service should be provided in writing or in a Data Processor Agreement.
An instruction to delete a user in our services can either be manually performed in the platform by a customer representative, automatically performed through an integration with a student administrative system (or similar) or upon request to our support organisation.
When users are deleted in our systems, there are safeguards in place to prevent errors leading to an irreplaceable loss of data. In many cases customers will have to manually confirm the deletion of customer data, including personal data.
Does itslearning have to notify users if they have been affected by a data breach?
Do I need to appoint a Data Protection Officer?
In many cases, yes. You are required to appoint a DPO if you:
a) Are a public/government institution
b) Process certain types of sensitive data on a large scale
c) Carry out processing that involves large-scale monitoring or surveillance
Please note that it is the organisation, not the system, that needs a DPO. In many cases, your organisation might already have a DPO. The DPO can be a contracted role. Many government institutions offer DPO services to other institutions.
Can I require a cloud service provider, like itslearning, to only host personal data in my country?
One of the main objectives of the new GDPR is the free flow of personal data inside the European Economic Area (EEA), under one common regulation. In most cases, restricting vendors from processing data across the EEA would not be permitted under GDPR.
Does itslearning process data outside the EEA? Is it allowed to process data outside the EEA?
GDPR does not forbid personal data to flow outside the EEA, but it puts in place strong safeguards to ensure that any processing of data outside the EEA is done following the principles of GDPR. In addition, controllers or processors that process data outside the EEA must provide detailed information about the nature of the processing, and in some cases, allow customers or users to object to the processing.
For most of our European customers, itslearning processes all personal data inside the EEA. There are some exceptions in cases where itslearning facilitates optional integration with third-party, non-EEA-based tools or services. In these cases, both itslearning and our customers must follow the requirements set out by GDPR.
I have heard that itslearning is not secure enough under GDPR! Is this true?
GDPR does not set out detailed requirements for what constitutes a “secure” cloud-based service. It is the joint responsibility of our customers (controllers) and itslearning (the processor) to provide appropriate organisational and technical security for personal data processed, and be able to demonstrate it. The main change from current regulations to GDPR is a strengthening of liability for organisations that do not provide appropriate security.
For two decades, itslearning has successfully protected the processing of personal data of millions of users. However, past performance is not always indicative of future results. So, we continuously invest in organisational security, network and infrastructure security, and application security to ensure we can offer beyond what is appropriate security for our end users. We also regularly allow third parties to audit our security, and we welcome our customers to perform their own audits.
Like most software companies, itslearning does not go into detail about the security measures in place. But the safeguards and processes in place to protect against known threats include:
- Application security, such as encryption of all traffic, strongly hashed passwords, and safeguards against vulnerabilities such as cross-site scripting, SQL injection, phishing and others.
- Network security: firewalls and systems to detect suspicious behaviour, to stop malicious attempts to gain access, or to stop attempts to compromise the resilience of the service (e.g. DDoS attacks).
- Organisational security, like access policies, audit logs and confidentiality agreements.
- Physical security to ensure the prevention of unauthorized access to infrastructure processing personal data.
- Procedural security – IT management processes to minimise the risk of human error, testing regimes to identify software weaknesses before releasing new features to our cloud services, and policies to ensure data is only processed on instruction from our customers.
Where does itslearning obtain personal data about users?
itslearning does not independently obtain user data for our services. User data can either be manually submitted to the platform by customers’ representatives, imported through an integration with a third-party system, or in some cases entered by the users themselves.
Most commonly, personal data in itslearning comes from “student information systems” under the control of our customers. We only import data from third-party systems on the instruction from our customers.
Does itslearning send data to third parties?
Does GDPR impact US customers or US end users?
Not legally. The EU, obviously, does not have legislative power over US soil. GDPR does not offer any rights or freedoms to data subjects located in the US, and GDPR does not put obligations on US customers that do not process data on EU/EEA data subjects. The rights and obligations of US data subjects and organisations are secured in state or federal regulation, or through contractual or voluntary arrangements.
But itslearning offers, for the most part, the same services and the same level of security to our US customers as to European customers. US customers will benefit from itslearning’s approach to, and culture for, securing personal data under GDPR. The fundamental principles of European personal data protection are a part of our fabric and of the contractual commitment we offer to our US customers.