Data Protection Policy

Policy information

Organisation, scope and contact

This policy applies to all parts of Opendium Limited, hereafter referred to as Opendium, a company registered in England and Wales with company number 5465437.

Opendium is registered with the Information Commissioner's Office as a data controller with registration number ZA264193.

Opendium's data protection officer is Stephen Hill, Technical Director.

Data protection queries should be submitted by email to dataprotection@opendium.com.

Operational date

This policy is in effect from May 25th 2018 until it is replaced. Replacement policies will be published on the Opendium web site from time to time.

Authorship and approval

This policy was prepared by Stephen Hill, Technical Director, and approved by the board on May 10th 2018.

Introduction

Opendium needs to gather and use certain information about individuals. They include customers, users of customers' systems, suppliers, business contacts, employees and other people that Opendium has a relationship with or may need to contact.

This policy describes how this personal data must be collected, handled and stored to meet the company's data protection standards and to comply with the law.

Why this policy exists

This data protection policy ensures that Opendium:

  • Complies with data protection law and follows good practice.
  • Respects and protects the rights of individuals.
  • Is open about how it stores and processes individuals' data.
  • Keeps data secure.

Definitions

  • Opendium - Opendium Limited is a company registered in England and Wales with company number 5465437.
  • Data subject - A natural person to which data relates.
  • GDPR - Regulation (EU) 2016/679 (General Data Protection Regulation).

Groups of data subjects

Opendium interacts with people and processes their data for a number of distinctly different reasons. For the sake of clarity, we have divided these into different groups and the remainder of this document is divided up such that each group of data subjects only needs to read the sections that apply to them. In some cases a data subject may be a member of more than one group. The groups are defined as follows:

  • Visitors to websites owned or operated by Opendium.
  • Individuals with whom Opendium has a direct relationship. This may include, but is not limited to, customers, suppliers, business contacts and employees.
  • Users of online safety and network security systems that are supplied by Opendium (hereafter referred to as online safety systems). This may include, but is not limited to, students, staff and visitors to customers' premises.
  • Users of other systems that are supplied by Opendium. This may include, but is not limited to, staff and visitors to customers' premises.

Website visitors

Who?

This section of the data protection policy applies to visitors to websites that are owned or operated by Opendium.

What?

Data about a subject's browsing habits within our websites may be collected through the use of cookies and log files. Log files typically contain IP addresses and web addresses that the data subject has requested.

Data subjects may submit additional information to the web site by means of forms, such as "contact us" and "request a demo". Data subjects who have contacted us via one of these methods are considered to have a direct relationship with Opendium and are therefore covered by the "Direct relationship" policy below.

Why?

The legal basis for processing these data is given by Article 6, Paragraph 1(f) of GDPR - "processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child."

Cookies are used to enhance the user experience on our web site and we collect log files for fault finding, to improve performance and to analyse trends.

We work with third parties to collect user data for purposes of conversion tracking and serving ads targeted to users’ interests. Users can opt out of some of those third parties’ interest-based advertising through the Do Not Track functionality in their web browser or by setting their Twitter tracking/advertising preferences and following the Google Analytics opt-out instructions.

We will not facilitate the merging of personally-identifiable information with non-personally identifiable information collected through the website without the data subject's express consent. We may make use of the Google Analytics "Demographics and Interest Reports" feature.

Data subjects may submit additional information to the web site by means of forms, the reasons for which are described by the forms themselves.

Log file data are collected in accordance with Recital 49 of GDPR. Such data are exempt from the Right to Erasure (Article 17) requests as per Article 17, Paragraph 3(e).

This information may be kept indefinitely and may be shared with law enforcement organisations upon request. Data subjects have the following rights:

  • Right of access, rectification and erasure of their personal data.
  • The right to request restriction of the processing of their data or to object to its processing.
  • The right to lodge a complaint with a supervisory authority.

Direct relationship

Who?

This section of the data protection policy applies to individuals with whom Opendium has a direct relationship. This may include, but is not limited to, customers, suppliers, business contacts and employees.

What?

We may process the following personal data:

  • Names
  • Contact details (email addresses, telephone numbers, street addresses, etc.)
  • The data subject's relationship with our customers and other organisations, such as job title.
  • Notes
  • Emails
  • Telephone call recordings

Why?

The legal basis for processing these data is given by Article 6, Paragraph 1(f) of GDPR - "processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child."

We may use this information to:

  • Contact the data subject regarding our products or services
  • Carry out obligations arising from any contracts between ourselves and the data subject themselves or organisations with which the data subject is involved.
  • Send the data subject communications that they have requested.
  • Carry out business with the data subject or organisations with which the data subject is involved.
  • Process a job application.

Some of these data are collected in accordance with Recital 49 of GDPR. Such data are exempt from the Right to Erasure (Article 17) requests as per Article 17, Paragraph 3(e).

We will not share these data with third parties except with the data subject's permission.

This information may be kept indefinitely and may be shared with law enforcement organisations upon request. Data subjects have the following rights:

  • Right of access, rectification and erasure of their personal data.
  • The right to request restriction of the processing of their data or to object to its processing.
  • The right to lodge a complaint with a supervisory authority.

Online safety users

Who?

Opendium supplies online safety systems to a variety of organisations, such as schools. This section of the data protection policy applies to individuals whose data is processed by Opendium online safety products. This generally includes, but is not limited to: staff, students and visitors of organisations that use Opendium online safety products.

We are not the controller of the data that are collected by online safety systems. The controller for these data is likely to be the organisation that operates the online safety system and they are therefore the point of contact for data protection enquiries. However:

  • In order to provide technical support, our engineers generally have access to data stored on each customer's system. Therefore we are regarded as a data processor. This document describes our policies which determine how we may process that data.
  • We are the controller for the following personal data relating to users of Opendium online safety systems:
    • Data that is collected for network security reasons and automated fault reporting in accordance with Recital 49 of GDPR.
    • Personal data that is provided directly to us by the data subject.

What?

The following personal data may be routinely collected by online safety systems and are not controlled by us:

  • User names
  • Real names
  • Contact information, such as email addresses
  • Ages or year groups
  • Passwords
  • Notes / comments made by the system administrator
  • Emails
  • Network addresses
  • Network traffic and web browsing history, including decrypted traffic

These data could include data which GDPR deems "special categories of personal data".

The above data may also be collected and controlled by us and stored on systems owned or operated by us in the following circumstances:

  • In relation to a web site that the data subject has reported as miscategorised. The data subject will have submitted their personal data directly to us and given consent for their processing.
  • For network security reasons and automated fault reporting. These are collected in accordance with Recital 49 of GDPR.

Opendium may collect and control anonymised or pseudonymised data.

Why? - customer controlled data

Schools have a number of online safeguarding obligations under the Prevent duty and the Keeping Children Safe in Education guidance. The internet filtering and reporting systems that allow schools to carry out these duties have to collect a large amount of personal data about the users in the form of internet traffic logs.

Opendium is not the controller of these data and it is the data controller's responsibility to determine the lawful basis for gathering these data and acquire any necessary consent from the data subjects.

In order to provide technical support, our engineers generally have access to data stored on each customer's system. Our engineers will protect the data as follows:

  • We will not transfer personal data from a customer's system to any system that is not owned or operated by either us or that customer.
  • We may transfer personal data from a customer's system to systems that are owned or operated by us for the following reasons:
    • To provide off-site backups of the system
    • To provide the customer with technical support or for fault finding. These data may be stored in Opendium support tickets and will be deleted from our other systems as soon as they are no longer required, or within one month at the most, unless we receive written authorisation to extend the retention period.
    • To assist the customer with their safeguarding duties.
    • As anonymised or pseudonymised data. Under GDPR, these will no longer be considered "personal data" and Opendium will not attempt to deanonymise them. Opendium may share these data with third parties, on the understanding that no attempt will be made to deanonymise them.
  • Personal data which are stored on our systems will be retained for no longer than three years unless we are instructed in writing to extend this retention period. These data will be deleted within one month of the termination of our data processing agreement unless it is extended or replaced.
  • No personal data will be sent from or accepted to an Opendium employee's direct email address or telephone number. Limited transfers of personal data may be made by means of our support email address or telephone number. Support tickets and emails are considered unstructured data in accordance with Recital 15 of GDPR and we will apply a "best efforts" approach with regards to any personal data which they contain. Employees receiving any such emails will delete the email and inform the sender that they must resend it to our support address. However, our email system may retain archived copies.
  • We may process personal data in order to provide the customer with technical support and for fault finding purposes.
  • We may process personal data for other reasons upon written authorisation from the customer.

Why? - Opendium controlled data

  • If a data subject reports that a website is miscategorised, Opendium may use their personal data to help to evaluate the reported web site and may share these data with the online safety customer to which they relate. These data will be retained for no longer than three years. The legal basis for processing these data is given by Article 6, Paragraph 1(a) and Article 9, Paragraph 1(a) ("the data subject has given consent to the processing of his or her personal data for one or more specific purposes" and "the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject"). Data subjects have the following rights:
    • Right of access, rectification and erasure of their personal data.
    • The right to request restriction of the processing of their data or to object to its processing.
    • The right to withdraw consent.
    • The right to lodge a complaint with a supervisory authority.
  • We receive automated fault reports which may contain personal data in accordance with Recital 49 of GDPR. Such data are exempt from the Right to Erasure (Article 17) requests as per Article 17, Paragraph 3(e). It is not practical to separate any personal data in these reports from other data and as these data are controlled by Opendium, they will not be erased upon termination of the data processing agreement. These fault reports are used to improve our products and provide technical support to our customers.
  • Anonymised or pseudonymised data may be collected and controlled by us in order to improve and demonstrate our systems. Under GDPR, anonymised or pseudonymised data is not considered "personal data" and we will not attempt to deanonymise the data. We may allow third parties to access these anonymised or pseudonymised data, who will be held to the same standards as ourselves.

Other users

Who?

Opendium supplies various systems not described elsewhere in this document. This section of the data protection policy applies to individuals whose data is processed by these systems. This may include, but is not limited to: staff, visitors and customers of organisations that use these systems.

We are not the controller of the data that are processed by these systems. The controller for these data is likely to be the organisation that operates the system and they are therefore the point of contact for data protection enquiries. However:

  • In order to provide technical support, our engineers generally have access to data stored on each customer's system. Therefore we are regarded as a data processor. This document describes our policies which determine how we may process that data.
  • We are the controller of some data that is collected for network security reasons and automated fault reporting in accordance with Recital 49 of GDPR.

What?

Please refer to the data controller for information about what information may be processed.

Personal data may also be collected and controlled by us and stored on systems owned or operated by us for network security reasons and automated fault reporting in accordance with Recital 49 of GDPR. These data may include information such as IP addresses and user names.

Opendium may collect and control anonymised or pseudonymised data.

Why? - customer controlled data

Opendium is not the controller of these data and it is the data controller's responsibility to determine the lawful basis for collecting this information.

In order to support our customers, our engineers generally have access to the data stored on each customer's system. Our engineers will protect the data as follows:

  • We will not transfer personal data from a customer's system to any system that is not owned or operated by either us or that customer.
  • We may transfer personal data from a customer's system to systems that are owned or operated by us for the following reasons:
    • To provide off-site backups of the system
    • To provide the customer with technical support or for fault finding. These data may be stored in Opendium support tickets and will be deleted from our other systems as soon as they are no longer required, or within one month at the most, unless we receive written authorisation to extend the retention period.
    • As anonymised or pseudonymised data. Under GDPR, these will no longer be considered "personal data" and Opendium will not attempt to deanonymise them. Opendium may share these data with third parties, on the understanding that no attempt will be made to deanonymise them.
  • Personal data which are stored on our systems will be retained for no longer than three years unless we are instructed in writing to extend this retention period. These data will be deleted within one month of the termination of our data processing agreement unless it is extended or replaced.
  • No personal data will be sent from or accepted to an Opendium employee's direct email address or telephone number. Limited transfers of personal data may be made by means of our support email address or telephone number. Support tickets and emails are considered unstructured data in accordance with Recital 15 of GDPR and we will apply a "best efforts" approach with regards to any personal data which they contain. Employees receiving any such emails will delete the email and inform the sender that they must resend it to our support address. However, our email system may retain archived copies.
  • We may process personal data in order to provide the customer with technical support and for fault finding purposes.
  • We may process personal data for other reasons upon written authorisation from the customer.

Why? - Opendium controlled data

  • Opendium receives automated fault reports which may contain personal data in accordance with Recital 49 of GDPR. Such data are exempt from the Right to Erasure (Article 17) requests as per Article 17, Paragraph 3(e). It is not practical to separate any personal data in these reports from other data and these data are therefore controlled by Opendium, and will not be erased upon termination of the contract with the customer. These fault reports are used to improve our products and provide technical support to our customers.
  • Anonymised or pseudonymised data may be collected and controlled by Opendium in order to improve and demonstrate our systems. Under GDPR, anonymised or pseudonymised data is not considered "personal data" and Opendium will not attempt to deanonymise the data. These data may be passed to third parties on the understanding that no attempt will be made to deanonymise the data.