The LGfL started its GDPR compliance programme in 2017 and is currently working with subject matter experts to implement guidance and recommendations provided by the Information Commissioner. The programme includes the conduct of Data Protection Impact Assessments to understand the nature and ensure the appropriateness of our processing, and to ensure that we are applying the right protective measures necessary to protect your personal data.
Our programme is actively monitored by our Trustees and our Senior Leadership Team and is supported by the allocation of dedicated resources and investment.
The LGfL is also providing advice to schools and our customers on our website. These can be found at here. We are intending to help schools further by offering additional software and services as part of our broadband package.
LGfL has a sophisticated framework of protective measures to ensure the security of information and the availability of systems and services, including:
-
Ensuring that our public infrastructure complies with the relevant technical standards for enabling access to central government systems;
-
Implementing ISO27001 (our principal technology partners are ISO27001 already compliant);
-
Employing a “defence in depth” approach to our systems, with multiple lines of defence including firewalls, anti-virus and ransomware protection;
-
Incorporating alerting and monitoring systems that raise alarms and, where appropriate, drive proactive action;
-
Providing a range of products and services, such as filtering and malware protection, at no additional cost to schools;
-
Accessing the Internet via the Joint Academic Network (JANET). JANET is a very secure way of Accessing the internet which includes a range of protection measures including DDoS protection;
-
Regularly request independent security checks that help us to ensure that our security systems are up to date;
-
Vulnerability Assessment testing of new services that are brought on line to minimise the risk of hacking; and
-
Ensuring the reliability and integrity of our staff who work with schools by conducting enhanced DBS checks, reminding staff of their and our obligations, and providing adequate training on the use, care, protection and handing of personal data.
In addition:
We are continuing to build our Centre of Excellence for Cyber Security that is a service included in the schools broadband service and offers schools a range of new products and services that will provide further assistance to schools as part of the broadband package, including the Elevate Toolkit, Malwarebytes and Meraki Systems Manager.
If you are sending an email via StaffMail to a colleague in your school or to another LGfL supported school that uses StaffMail, the email will not leave the LGfL secure network so is therefore sent securely.
If you are sending an email that contains Personal Identifiable Information (PII) to an external recipient, StaffMail uses Transport Layer Security (TLS) to send emails across the Internet which is a secure method of sending emails. StaffMail has been configured in line with Government email standards and further information on TLS can be found on this link - https://www.gov.uk/government/publications/email-security-standards/transport-layer-security-tls.
You must check with the external email recipient that their email system uses TLS before sending any PII to them via StaffMail as if they do not, the email will be sent in plain text (insecure). For information, most London councils, Google Mail and Microsoft Office 365 all use TLS. To check if an email domain supports TLS, enter their email domain into this link - https://www.checktls.com/TestReceiver
If the external recipients email provider does not support TLS, LGfL has purchased Egress licences for all LGfL supported schools as part of your subscription and at no additional cost to your school. Egress is a secure email product that works alongside Microsoft Outlook or G Mail and it encrypts emails, end to end, to the recipient. Primary schools are entitled to 5 licences per school and secondary schools are entitled to 15 licences per school. To claim your Egress licences for your school, please email egress@lgfl.net who will be able to assist you. Further information on Egress can be found on this link - https://www.egress.com/what-we-offer/email-and-file-protection.
NOTE – LGfL advises you to ensure that you have the necessary Data Sharing Agreements in place with external companies that you are sharing PII with in accordance with Data Protection Law.
On 19 December 2017 the Crown Commercial Services published Procurement Policy Note 3/17, explaining how all public bodies should bring existing and future commercial arrangements concerning data processing into line with the new data protection legislation.
The LGfL is updated its contracts with its major suppliers based on the recommendations of the Crown Commercial Services and will ensure that all future contracts contain the recommended drafting. Agreements with smaller suppliers will be updated appropriately.
This is also an obligation that you should be imposing on all your suppliers, including LGfL, as applicable.
Recognising that you have the obligation but lack the appropriate resources, we have proactively provided you with a Data Processing Addendum that is supplementary to your Network Services Agreement you have with LGfL.
LGfL is required to appoint a Data Protection Officer because of the nature of the data processing it undertakes. LGfL has appointed a DPO who can be contacted at dataprotectionenquiries@lgfl.net.
LGfL felt it important to make an early appointment of a DPO to support its programme for the implementation of the GDPR.
LGfL recognises that compliance with the GDPR is not a “one-time fix”, policies and procedures will need to evolve over time as new guidance is published by the Information Commissioner. Dealing with data protection issues will be a continuous and normal business activity, and LGfL’s data protection team will act as a first point of reference for schools.
All types of personal data and categories of data subjects that the LGfL processes on your behalf are listed in the appendix of the Data Processing Addendum which is supplementary to your existing Network Services Agreement with LGfL and is being sent to all the LGfL customers.
LGfL are working with subject matter experts in this field who are advising the Trust on matters relating to data protection and who will be providing training to LGfL officers. Our primary sub processor, Atomwide, have achieved their ISO27001 accreditation.
All the LGfL technical partners, sub processors and members of the LGfLaai Federation are listed in the appendix of the Data Processing Addendum which is supplementary to your existing Network Services Agreement with LGfL.
LGfL is registered with the ICO and our registration number is Z8306062
All the LGfL policies relating to Information Security are being reviewed as part of our GDPR compliance programme to ensure that they are aligned to the new legislation. The LGfL has ISO27001 certification which requires the Trust to have an Information Security Management System (ISMS).
LGfL and its technical partner Adept implements Role Base Access Control (RBAC) polices across its systems which is demonstrated on our support site i.e. Staff and customers can only see information relating to their establishment that they have been given permission to see by the head teacher or head teacher proxy which is fully auditable.
LGfL has various insurance policies and we are liaising with our insurance brokers to ensure that the Trust has the required cover in line with GDPR guidelines.
Should your school no longer wish to subscribe to LGfL services, there are several processes that take place to delete your data and remove your school from our databases. This will occur as soon as we receive your notification. To further support these processes, every four months we run a purge process that deletes unallocated USO accounts. Staff accounts are deleted if they have been unallocated for a year or more. Student accounts are deleted if they have been unallocated for six months or more.
