Data Protection FAQs

We are committed to ensuring that all personal data is handled with the highest standards of security and compliance. This FAQs document is designed to provide you with answers to common questions we receive from schools regarding our data processing practices, security measures, and compliance with data protection legislation.

General Information

1. What services do you provide?

We provide financial consultancy and advisory services to the education sector. Our services are tailored to meet the specific needs of our clients and can include the deployment of software products and integrations.
You can read more about the services we provide to the education sector here.

2. Are you a controller or processor?

Dependent on the service we provide, we may act as a data controller or a data processor.

Generally, if we are providing financial services and advice such as accountancy services, we act as a data controller.

When we provide schools with tools and platforms such as XfE, we act as a data processor.

If you are unsure what our data protection relationship is with your organisation, please contact our DPO using the email address for more information.

3. What categories of personal data do you process?

This varies depending on the service you have signed up for. The personal data types are likely to be:

  • Name;
  • Address;
  • Contact details such as telephone number and email address;
  • HR information including health data;
  • Payroll information such as bank payment details, and submitted travel and subsistence claims;
  • Any narrative added by the school to purchase orders etc., such as pupil or staff initials;
  • Health data about pupils. For example, pupils with EHCPs may have their initials added to identify funding and costs associated with each EHCP.

Data security

4. What security measures have you implemented to protect personal data?

  • Single sign-on supported for Xero.
  • Multi-factor authentication used for databases and for team logins.
  • Annual training on UK GDPR and Cyber Security undertaken by the team.
  • Fully regulated by the ICAEW in relation to all of the above.
  • Policies and procedures relating to information security.
  • All staff subject to a duty of confidentiality.

5. Do you have an information security policy?

We have a general information policy that outlines our commitment to protecting personal data, the security measures we have in place and the role and responsibilities of our staff in maintaining data security.

6. What is your procedure in the event of a data breach?

We have a written procedure that includes immediate containment, investigation and notification to affected parties.
If we are acting as a data processor, we will inform the controller of any breach affecting their data without any undue delay.

7. How is our data backed up?

Thorne Widgery’s data is backed up insert frequency e.g. daily via our document management. The backup servers are located in insert country.

Data held on the XfE platform is backed up insert frequency e.g. daily via a hosting solution. The backup servers are located in insert country. We ensure that adequate safeguards are implemented for any transfers outside of the UK.

Any data held in other applications we implement as part of our service level agreement with you is backed up in accordance with their procedures.

8. Do you have a business continuity and/or disaster recovery plan?

Yes, we have a business continuity and disaster recovery plan. This helps us keep key operations running during disruptions and minimises interruptions to service.

9. Are you UK GDPR compliant?

Yes, we are UK GDPR compliant.
We are registered with the Information Commissioner’s Office (registration number Z9686887).

We have appointed a Data Protection Officer who can be contacted via email on, or telephone on 01432 276393.

Where we act as a data processor, we provide contracts that include a data processing addendum compliant with Article 28 of UK GDPR to clients.

We maintain a record of processing activities (ROPA), and we also regularly review and update our compliance measures.

We carry out all necessary due diligence on any third-party software products or integrations we deploy for schools.

We regularly assess our data protection practices to ensure ongoing compliance with UK GDPR.

10. Do your staff have data protection training?

Yes, our staff receive annual data protection and cyber security training.

11. Are your staff subject to a duty of confidentiality?

Yes, all our staff are subject to a duty of confidentiality within their employment contract.

Data handling and processing

12. How long do you retain our data for?

Following termination of a contract, data is held for 28 days before being automatically deleted. The controller can request return or deletion of the data at the end of the contract.

13. How do you handle data subject rights requests?

Where we act as a data processor for the information requested, we forward the request to the relevant data controller to process. We provide assistance to the controller as necessary to support them in responding to rights requests.

14. Do you have a data protection policy?

We have a general information policy that covers various areas of data protection and we also issue a staff handbook that outlines best practices.

15. Is AI used in any of the software products you use or implement for schools?

No, none of our products or the third-party products we implement currently use AI.

16. Do you engage any sub-processors? If so, who are they?

Yes, we deploy third-party software products for our clients. In these instances, the third-party software companies are sub-processors.

You can find our current list of authorised sub-processors here.

17. How do you ensure that sub-processors comply with data protection requirements?

We carry out due diligence on all sub-processors we engage. We have compliant data processing agreements in place with all our sub-processors.

18. Do the software products that you deploy for schools have audit trail functionality?

Yes, all the software products we use, including third-party products, have audit trail functionality.

Data transfers

19. Do you transfer data outside of the UK? If so, how do you ensure these transfers are compliant with UK GDPR?

We are a UK-based company. However, we do use processors based outside of the UK. When we do, we ensure compliance with UK GDPR by using appropriate safeguards, such as the International Data Transfer Agreement (IDTA), the EU Standard Contractual Clauses (SCCs) and the UK Addendum, or by ensuring that the recipient country has an adequate level of data protection as determined by the UK government.

We also regularly review and update our processes to align with the latest regulatory requirements and guidance.

Data access and control

20. Who has access to the data within your organisation?

Access to data is strictly limited to authorised personnel based on their roles and responsibilities. Access is regularly reviewed and adjusted as needed.

Termination and exit

21. What happens to personal data upon termination of our contract?

If we act as a data processor, the controller can request the return or deletion of their data at the end of the contract.

Audits and monitoring

22. Can we audit your data processing activities? If so, what is the process?

If we act as a data processor, the controller can request to audit our processing activities by contacting our DPO via

