OnwardsandUpwards is the trading name of scendency Limited,
registered in England & Wales with company No. 05053362.
The following information was updated on 24 May 2018.
Data Protection (GDPR)
Under the terms of GDPR our school subscribers are the ‘Data Controllers’ in OnwardsandUpwards. As a subscriber you have complete charge of all your data, what to store and for how long and to delete as required.
We, as Data Processors are responsible to ensure your data is kept safe on your behalf.
We use our partner of many years, UKFast to host all of our subscriber live systems here in the UK.
UKFast have the highest certified standards of electronic and physical security of compliance to GDPR regulations and beyond.
UKFast is registered with the ICO for GDPR. ISO 270018 is an ISO standard for Information Security.
NB: See our Terms & Conditions section 44.
What is GDPR
The General Data Protection Regulation (GDPR 2016/679) aims to harmonise data protection legislation across EU member states, enhancing the privacy rights for individuals. It applies to organisations processing Personal Data which have an establishment within the EU and also those organisations which operate outside the EU but offer goods or services to, or monitor the behaviour of, individuals in the EU. The GDPR is applicable from 25 May 2018.
What is a Data Subject
A data subject is the individual to whom personal data relates.
What is a Data Controller
A data controller is the party that collects data and is responsible for how it is processed and used.
With regard to the OnwardsandUpwards system the data controller is the licensee (school)
What is a Data Processor
A data processor stores the data on behalf of the data controller
With regard to the OnwardsandUpwards system the data processor is the licensor (Escendency Ltd)
What is a Superuser
A superuser is a person authorised by the data controller to request an action with regard to the data belonging to the data controller.
How does this impact OnwardsandUpwards Customers?
1. Third party organisations
All of our data processing and storage resides with our hosting provider UKFast which is registered with the ICO for GDPR. ISO 270018 is an ISO standard for Information Security. See below (Our Hosting Provider's Certification documents) for further information.
No other third party is involved as a data processor
2. Preparation for GDPR
We have consulted with our hosting provider and GDPR legislation and we are satisfied that we comply with the legislation to the best of our knowledge.
3. Nature and purpose of the data processing
As data processor, OnwardsandUpwards provides the facility to the data controller to store and retrieve information as they see fit. That data belongs to the data controller and is under their control.
4. Technical and organisational security measures to protect personal information
The OnwardsandUpwards software has been built to current industry standards security, whereby all permissions must be granted rather than assumed. Two factor authentication is provided for further security.
All personal data is held on UKFast's secure servers.
Data controllers are encouraged to use secure and unique passwords.
Data controllers are advised not to share any data, that could identify an individual, externally to the OnwardsandUpwards system.
Employees of OnwardsandUpwards agree to, and are committed to, a duty of confidence.
5. Acting on the instructions of the controller
The data controller will supply OnwardsandUpwards with the names and email addresses of its superusers. OnwardsandUpwards will only act upon instructions from those designated superusers unless required by law to do otherwise.
6. Assisting the data controller to exercise their rights under the GDPR
OnwardsandUpwards will assist the data controller in all cases to manage their data in compliance with GDPR regulations including the management and removal of personal data.
7. Destruction or return of data
(a)All data belonging to the data controller will be destroyed and/or returned to the data controller on request or upon the termination of the contract between licensor and licensee unless directed otherwise.
(b) All data backups (including data belonging to the data controller) expire after 1 month of initial backup.
(c) Data deleted by the data controller is no longer held on UKFast's secure servers apart from scheduled backups - see 7(b).
Our Hosting Provider's Certification documents
Our GDPR Checklist (revised 10/5/2018) is available for download.
Also refer to GDPR in section 44.0 of our Terms & Conditioned (above).