a black and white photo of a clock tower

Introduction

This Data Protection Impact Assessment (DPIA) has been carried out to assess the impact of data processing activities carried out by Bitz ‘n’ PC’z Ltd for a school, in accordance with the General Data Protection Regulation (GDPR).

Background

Bitz ‘n’ PC’z Ltd provides a range of services to schools, including network management, device management, data backups and technical support.  We process personal data on behalf of schools, including information about pupils, staff and parents.

Scope

This DPIA covers the processing activities of Bitz ‘n’ PC’z Ltd that involve personal data of the school’s pupils, staff and parents. The DPIA will assess the potential impact on the rights and freedoms of the individuals whose data is being processed.

Risks and Mitigations

  1. Data Breach Risk: There is a risk of data breaches due to the processing of sensitive personal data by Bitz ‘n’ PC’z Ltd. Personal data could be exposed if our systems are not secure.

Mitigation: Bitz ‘n’ PC’z Ltd implements appropriate security measures, including encryption of data in transit and at rest, two-factor authentication and access controls.  We also implement a robust incident response plan in case of a data breach.

  1. Access Control Risk: Bitz ‘n’ PC’z Ltd may have access to personal data that they do not require to provide their services to the school. There is a risk that this data could be accessed or used inappropriately.

Mitigation: Bitz ‘n’ PC’z Ltd has a clear understanding of the personal data they are processing and only access data that is necessary to provide their services. We also implement appropriate access controls to ensure that only authorised personnel can access personal data.

  1. Data Transfer Risk: Bitz ‘n’ PC’z Ltd may transfer personal data outside the European Economic Area (EEA) for processing.

Mitigation: Bitz ‘n’ PC’z Ltd ensures that appropriate safeguards are in place when transferring personal data outside the EEA. This could include the use of Standard Contractual Clauses (SCCs) or ensuring that the recipient country has an adequate level of data protection.

  1. Retention Risk: Bitz ‘n’ PC’z Ltd may retain personal data for longer than necessary.

Mitigation: Bitz ‘n’ PC’z Ltd has a clear retention policy in place, which sets out how long personal data will be retained for and the reasons for retention. We also ensure that personal data is securely destroyed when it is no longer required.

Data Protection Act and GDPR Compliance

Bitz ‘n’ PC’z Ltd operates in full compliance with the General Data Protection Regulation (GDPR) and the UK Data Protection Act (DPA), including the following principles:

  • Lawfulness, fairness and transparency: We ensure that personal data is processed lawfully, fairly and transparently, by obtaining explicit consent or relying on a lawful basis for processing.
  • Purpose limitation: We only collect and process personal data for specified, explicit and legitimate purposes and do not use it for any other incompatible purposes.
  • Data minimisation: We only collect and process personal data that is necessary for the specified purposes and do not retain it for longer than necessary.
  • Accuracy: We take reasonable steps to ensure that personal data is accurate and up to date, and rectify any inaccuracies or incomplete data without delay.
  • Storage limitation: We only store personal data for as long as necessary, and securely delete or anonymise it when it is no longer needed.
  • Security: We implement appropriate technical and organizational measures to ensure the security of personal data, including protection against unauthorised or unlawful processing and accidental loss, destruction or damage.
  • Accountability: We are accountable for compliance with UK Data Protection Law and GDPR and maintain appropriate records of our data processing activities. We also provide individuals with information about their rights and how to exercise them.

Age Appropriate Design

  • We do not sell products or provide services for purchase by children, nor do we market to children
  • If you are under 18, you may use our website only with consent from a parent or guardian
  • Certain areas of our website are designed for use by children over 6 years of age.  These areas include password generation tools and cyber security training videos
  • We collect data about all users of and visitors to these areas regardless of age, and we anticipate that some of those users and visitors will be children
  • Such child users and visitors will inevitably visit other parts of the site and will be subject to whatever on-site marketing they find, wherever they visit.

Frequently Asked Questions

We store customer data for the purposes of operating our business.  This includes, but is not limited to: names, addresses, email addresses, customer comments, account numbers, contracts and service management records.  We do not store any information relating to pupils or parents unless said parent is a client of our business.

  1. Email: Customers may send and receive data via email, including attachments.
  2. File transfer protocol (FTP): Large files or a large volume of data may be transmitted via FTP, which allows for the transfer of files between computers over a network.
  3. Cloud storage: Data may be transmitted and stored on cloud-based platforms, such as OneDrive and Sharepoint, which enable access to data from anywhere with an internet connection.
  4. Web-based platforms: Customers may enter and receive data via web-based platforms, such as online forms, e-commerce sites, chatbot or customer portals.
  5. Physical storage devices: Data may be transmitted via physical storage devices, such as CDs, DVDs, USB drives or external hard drives.
  6. APIs: Data may be transmitted via APIs (Application Programming Interfaces), which enable the exchange of data between different software systems.
  7. Messaging applications: Customers may use messaging applications, such as WhatsApp, SMS, Teams, or Slack to send and receive data.
  8. Social media: Data may be transmitted via social media platforms, such as Facebook or Twitter, where users can share information with each other.
  9. Remote Monitoring & Management (RMM): Data may be transmitted via RMM, such as chat messages and file transfers.

Data at rest in our third-part providers’ datacenter is AES encrypted using a uniquely generated key. In addition, they use a multi- tenant architecture that ensures data from different clients remains segregated and inaccessible to unauthorised clients. Using an array of security equipment, techniques and procedures, the datacenters achieve true three-factor, financial-grade security. All access points are controlled and all areas are monitored and recorded. The exterior radius structure meets Level III explosion resistance standards and there are multiple man traps with reinforced walls. The datacenter is SOC 2 Type 2 certified, ensuring adequate controls related to security and availability of information systems. In addition, a staff of specially trained security guards and highly experienced engineers provide 24x7x365 building and network monitoring, with both internal and external video surveillance and a 60-day minimum retention policy.  Access is highly restricted to authorised personnel, using strict authentication controls.

Yes, all devices employee Bitlocker protection.