Bailey Solutions aims to be fully compliant with the GDPR and offer clear answers to customers who need to know how Bailey Solutions handles personal data and what measures are being taken in light of the new legislation. Below are listed a number of common questions about the ways in which personal data that you enter into your hosted KnowAll Matrix is handled and stored, and how data security is safeguarded on the hosted platform.
Who is the Data Controller?
You, as our client, are the data controller.
You decide which personal data you wish to enter in your hosted KnowAll Matrix.
Who is the Data Processor?
You, as the client, will enter, update and remove personal data in the system, so in this sense you will be a Data Processor.
As the supplier, we will process personal data on your behalf only to the extent that we will provide system functionality for you to process that data according to your own instructions.
That includes storing the data securely and responsibly.
What personal data is held in our system hosted by Bailey Solutions?
As the Data Controller, you will decide what data you will hold for your data subjects. The system will hold personal data for data subjects or users that you enter in the system.
Each user account created in the system requires as a minimum:
- unique username
- password (salt hashed)
- first name
- email address
In addition, the system will hold a user’s roles and permissions or user type, which decide what they can do in the system.
At your discretion, further personal information can be added including:
- date of birth
- organisation number / ID
- job title
- branch / office
- reading level / group
- phone number
- postal address
All of these fields are entirely optional, and entering this data is left to the client’s discretion as the Data Controller.
In our software it is possible to categorise data subjects and classify the personal data fields as personal, sensitive, confidential etc. This is combined with restrictions on who can get access to the data according to data subject categorisation and sensitivity of the data held about them.
For what purposes will personal data be held in the system?
To use the library, your library users will presumably enter a contract to use the library services for various purposes.
To use the services, the user must be identified (as above) and contactable (more information below).
Transactions about the subject’s use of the library services may include:
- Record of items borrowed
- Record of items renewed
- Record of items returned
- Requests for the library to buy items
- Authorisation of purchases
- Requests to receive items to read on a circulation list
- Record enquiries
- Answers to enquiries
- Bookmarked items
- Saved searches
Who deals with requests from data subjects about the personal and transaction data stored in the system?
You do as the primary Data Processor.
Only if the request requires deletion from system files would Bailey Solutions get involved.
How is data about subjects deleted?
You can delete users from the system. This is a full and complete cascading deletion, including the user’s transactions.
You can alternatively mark a user as inactive and you will still be able to get access to information about them.
A further option was added in June 2018 to anonymise/redact users, retaining the inactive users and their transactions, but removing any data which can identify the subject, i.e. no personal data will remain.
What is the data retention period for personal data in the system?
The system has no retention period.
You will be responsible for reviewing data subjects. Also see the next question.
How can I review subjects who have are inactive for a prescribed length of time?
Currently, there is a basic facility to review the personal data stored against individual user accounts in the system. User accounts may also be deleted or redacted (anonymised) in bulk.
Future versions of our software will provide functionality to help the review of your inactive subjects for the number of months specified by you in your system settings. On delivery of the system, by default the review period will be set at 24 months but may change as UK legislative requirements dictate.
As the Data Controller it will be your responsibility to make sure this review period is set to the correct number of months.
Who can get access to the personal data recorded in the system?
Only the system’s user accounts with sufficient permissions, assigned to them by you, can get access to private data about subjects/users with personal data in the system.
These are typically system administrators or power users.
At your request, Bailey Solutions technical support staff may get access to this information purely for the purposes of providing technical assistance with the software. This will be achieved by adding a Bailey Solutions user account to your system which you can delete at any time.
Who manages the user’s passwords in the system?
When you create new users, the system will require you to create a new password for the user. Passwords are encrypted with a one-way salt hash. Thus no-one can see passwords in the system.
Passwords can be changed by the user using the Change password or Forgot Password functionality in the system. Passwords may also be reset by admin/power users with sufficient permissions.
Who creates and manages the personal data in the system?
Initially, when setting up the system during the implementation phase you may ask us to add personal data to system from files that you send us. This data will only be stored on Bailey Solutions servers for a few hours while the import is processed.
Access to the data is restricted to the data conversion programmer.
After the implementation phase, you enter, amend and delete users in your system.
You can create users as follows:
- Manually using Add User function
- Imported from a file created by you and imported by you using the Import Users function
Currently, ordinary users cannot add, amend or delete their own personal data but can check the personal data held about them.
Sometimes, at the client’s request we import data into the system on a recurring basis.
Can any third parties access the data?
Yes. Acora supply and manage the servers for our hosted platform. Their support staff are also able to log on to them and potentially access the SQL databases containing your personal data.
Acora have their own robust privacy policies and contractual obligations with us to prevent misuse of data.
For more information about Acora, please visit their website.
Where is our personal data stored?
The databases for our hosted customers are stored on servers held by a third-party company, Acora. These servers are housed in a highly secure ISO 27001-accredited data centre, known as ‘The Bunker’. This is a former Ministry of Defence command and control bunker in Sandwich, Kent, designed to withstand nuclear attack. It is located 100 feet/30 metres underground, with around-the-clock manned and automated security. There is also a similarly equipped secondary data centre at the former Greenham Common air base.
Can Bailey Solutions quickly restore personal data in the event of a loss or outage?
All of our hosted customers’ databases are backed up nightly by Acora. At all times, a backup will be available from any day in the past week. Beyond that, 5 weeks’ worth of weekly (Friday) backups and a year’s worth of monthly backups (from the last day of each month) are held. The backup data is stored at Acora’s secondary (Greenham Common) data centre.
Does Bailey Solutions encrypt personal data in transit?
All our clients’ data is encrypted in transit.
Does Bailey Solutions encrypt personal data at rest?
Currently, clients’ data is not encrypted at rest.
Is backup data encrypted?
All backups of your data are encrypted both in transit and at rest.
What happens to personal data in our system after we end our contract with Bailey Solutions?
On termination of the contract, a copy of the data will be returned to you and you will need to delete personal data if required. The data will be returned in SQL database format.
Bailey Solutions will delete all your data, including personal data after the copy of the database has been supplied to you.
Are Bailey Solutions employees trained in data security, customer confidentiality and data protection, and how often do they receive further training?
Staff contracts contain clauses on data protection and client confidentiality. Further training is carried out annually.
Staff are also required to formally sign off that they have read data protection policy documents, accessed with our HR software. They must re-read and re-sign when these policies are updated.
Would Bailey Solutions inform us and/or the Information Commissioner’s Office (ICO) in the event of a data leak or breach?
Yes, in the event of a breach, Bailey Solutions will inform both the customer within 48 hours and the ICO within 72 hours.
Bailey Solutions will take all reasonable measures to prevent further leaks.
Has Bailey Solutions been involved in a breach or leak of personal data in the last 7 years?