Arbor's Data Protection Compliance Guide for Customers

GDPR puts the 'privacy by design' principle into law, which means that  security and privacy-enhancing features should be an integral part of how a system is constructed. We follow this principle at Arbor.

This article explains our policies regarding data protection for all our products, including our security features, principles, and processes. It will answer any concerns you may have, whether you’re a Head Teacher, a MAT leader, or a Data Protection Officer.

• For an overview of how we protect your data, take a look at our website.
• We also have a Data Protection Impact Assessment template (DPIA) available here to assist you in the event you decide to conduct a DPIA in relation to your use of MIS: DPIA template

Overview

Arbor complies fully with the requirements of GDPR, protecting the data we store with a comprehensive Information Security Management System which the International Organisation for Standardisation (ISO) audits annually. This system is governed by our Information Security Management Committee, which consists of senior management across various business areas.

• Physical security is maintained with risk assessments and access control at every Arbor office. Access to Arbor locations is restricted with secure keys, CCTV, 24/7 security personnel and secure perimeter doors.
• Digital security is maintained not only by awareness training for our staff and personal vigilance, but also by a number of digital safeguards. All our business systems require two-factor authentication. Data is kept on Arbor’s central system rather than any individual device, so schools can give and revoke permissions to different users.

Arbor MIS also has a number of tools to help you keep your school GDPR compliant:

• Data quality dashboards to help keep personal data accurate
• you can enforce password rotations for your staff and user login histories can be viewed by headteachers and system administrators for access control
• Role-based, granular permissions so that, for instance, an individual who can see a student’s child protection status cannot necessarily view or edit documents relating to that status
• Two-factor authentication can be enabled for your staff on request, as well as enforced regular password changes (not available for the Parent Portal or Parent App): Two-factor authentication
• Subject Access Requests functionality, so that it is possible to download information about a data subject (whether staff, student or guardian) with the click of one button: Downloading Profiles

Data Retention Dashboards for personal records highlight records that exceed data retention timelines, so they can be deleted in bulk: Managing data retention for your MIS data

Our certifications

We have certifications for:

• ISO 9001 - Internationally recognised as the gold standard for Quality Management Systems. It helps organisations ensure that their processes comply with rigorous standards for quality assurance and are measurably effective. Certification requires an independent audit to be passed annually. Certificate number 411702023. 
• ISO 27001 - International standard for Information Security Management Systems. It contains a large number of controls an organisation must implement, considering everything from how personal information is handled, through to physical security of locations where information is stored or processed. Maintaining certification requires passing an independent audit annually. Certificate number 343312020.
• Our server infrastructure provider, Amazon Web Services, is also certified with ISO 27001, ISO 27017 and ISO 27018.
• Cyber Essentials - Cyber Essentials is an effective, Government backed scheme that helps protect organisations, whatever their size, against a whole range of the most common cyber attacks. Certificate number fedfe8ac-458c-46cc-adba-aa108c396af5.
• We are on the DfE cloud supplier checklist, and the G-Cloud list of approved cloud suppliers.
• You can find our certificates by clicking the links at the bottom of this article. These certifications mean our security management is audited annually to the highest international standards.

Data storage and partners

How do we store data?

Arbor MIS is fully cloud hosted in Amazon Web Services UK’s London servers. All personal data is physically stored in the UK. Backups are also stored in the UK.

All our architecture is housed in a private firewalled network to reduce external access and increase security. The school MIS operates a single-tenanted database model - this means that data is segregated from other customers in our database and persistence layers. Instances are recycled daily to reduce the risk of persistent threats, and all servers are updated routinely with the latest security patches. We use industry standard encryption methods for data in-transit and at-rest using the AES-256 algorithm.

Is the rest of our supply chain secure?

Arbor maintains back-to-back contracts with our subcontractors so that all data security policies and responsibilities flow down to them, meaning all school data is kept secure. These standards are renewed every year, keeping protection up-to-date.

Our server infrastructure is maintained by engineers who work at Arbor Education Partners d.o.o., which is a fully-owned subsidiary company of Arbor Education Partners Group Ltd. They are subject to the same GDPR compliant security procedures as our central staff, plus our server security requirements. Remote access to servers by our engineers requires secure cryptographic keys that are unique to each engineer.

What’s our policy for third-party apps?

Arbor can replace a lot of the third-party applications used by schools alongside their legacy MIS, but we welcome integration from your other processors with our open RESTful API. Once we’ve vetted your apps for compliance, they can apply to become an Arbor approved partner.

Nobody will be able to access your school’s Arbor-stored data without your school’s explicit, written permission.

You can find a list of third-party organisations which have already been approved here: Arbor's Third-Party API Integrations. You’ll be able to grant or reject access from the partners you use, and revoke their access at any time. All our partners have to prove their own GDPR compliance, and in particular a fine-grained permissions model that only gives data access to those who need it.

It’s then the partner’s responsibility to maintain the quality of their integration with Arbor. If we’re investigating an issue for you and believe it’s actually an issue from one of your integrated processors, we’ll let you know as soon as possible so you can take it up with them directly.

Our Authorised Sub-processors

Arbor staff

The objective of our access policy, for both schools and our own staff, is that every user will have permission to access only the level of data that they need to do their job, and only for as long as they still need it. All these policies are also audited as part of our ISO 27001 certification.

• Arbor’s Access Control Policy - Our Access Control Policy doesn’t grant access to any systems unless there is a justified business need. Each system has a business owner, and a policy that governs who can gain access and what justifications support a user being granted privileged access.
• Checking & training our staff - All our staff and contractors undergo a DBS check, and employees require two references before starting work. All staff receive data protection and information security awareness training as part of their induction, followed by annual refresher training and supplemented by our continuous professional training program which includes frequent security awareness training. All staff involved in information security management have both significant industry experience, and formal training on the skills required.
• Revoking Permission - When employees leave Arbor, their access to all business systems is revoked as part of our off-boarding procedure. We conduct semi-annual access control audits for every business system, and those users with business owner or administrator Level permissions have their access reviewed quarterly.

Managing data on the MIS

Complying with Subject Access Requests

Arbor will make every reasonable effort to help you get what you need from our system, and this includes helping you comply with Subject Access Requests in a secure way.

Unlike some legacy MIS systems which hold different types of data in a variety of separate places throughout your school, Arbor can show you all the information you have permission to access about a student, staff member, or guardian directly from their profile page: Information Request File, Subject Access Request (SAR) or Freedom of Interest Request

You can even remove all staff information from the download with just one tickbox, to protect your other data subjects during the request.

How can data be deleted from Arbor?

Schools can use our built in Student and Staff Data Retention dashboard to help comply with their GDPR responsibility to delete unnecessary data.

Please see our full guidance on using this feature, and what to do if the built-in retention period has not yet been passed: Managing data retention for your MIS data

Can we back up data in case of deletion?

Arbor will be able to restore the system to any point in the past 30 days in the case of accidentally deleted data, in case you remove something and can’t change it back with our built-in editing tools.

This will incur a charge if this data issue has occurred due to user error, or lack of due diligence on the school's side. Please contact us if you need to request this, or for more information on charges.

However, our built-in warnings against data deletion make this very rare.

What if we want to leave Arbor?

If you wish to terminate your Arbor contract at the end of your Licence Period and you have given the required 90 days’ written notice not to renew your Service, you will have a 30 day period after termination in which we can export your data to a new MIS.

We can provide your data as a full database backup, either:

• using our open RESTful API
• extract using MYSQL database
• directly to you in a standard CTF file format
• directly to you in a CSV file

All your data will be fully deleted from our servers 30 days after your final contract termination date..

Security and access to data on the MIS

Access control

One of the most powerful ways Arbor protects your school data is permission based access. Each user has a level of permission planned in collaboration with you when Arbor is implemented, that ensures each user can only view the data relevant to their role.

This is useful because GDPR demands you only let people access data that’s necessary for their job, and only for as long as necessary.

You might give your pastoral team the ability to view and edit child protection data, whilst a child’s form tutor can only view it, and a teacher who never works with them cannot access it at all.

These role based permissions are built into every Arbor feature and can be given and taken away by the school on an ad hoc basis, giving you the flexibility you need to comply with GDPR without interrupting your flow of work.

See what has been accessed or changed

Because Arbor is based on live data, entered in real time by the school, it is always as complete and correct as the school wishes it to be.

Arbor will not edit your data unless we have been instructed  to do so, such as when migrating data from a previous MIS.

• You’ll be able to review and search the data of students and staff on our dashboards and profile pages, and edit it whenever necessary, which will change the data across the entire system instantly.
• You can keep your old policies about how often you update personal data, and divide up the responsibility by giving administer permissions to different users.

The school or MAT leader will have access to a dashboard that also shows when each user has logged into the system, including Arbor’s own admins: See when users are logging in

Staff are able to access audits of attendance and assessment data. We can also provide you with a full audit of the actions of individual users on your system on request, but please note that this may incur a charge.

Logging in

Each user has a secure and unique password, and we support a number of additional security features, including:

• password rules and enforced regular password changes
• two-factor authentication

In a cloud-based MIS like Arbor data isn’t stored on any device, and the Arbor system automatically logs out after a period of inactivity.

This means that even if there’s a breach in your school’s physical security, the data stored with us is less likely to be compromised. By accessing our cloud through their staff login, Parent Portal or Student Portal users won’t have to print or email personal data, which again reduces the risk it falls into the wrong hands.

Issues, breaches and emergencies

Can we restore systems in an emergency?

Arbor maintains a full Business Continuity Plan which is regularly reviewed by our Information Security Management Committee. In the case of physical disruption such as fire or flood, our cloud-based systems allow for speedy relocation to another data centre within the UK to minimise disruption.

Our Devops team maintains continuity plans in the event of failure. Server configuration is stored as code, and we are able to establish an entire new set of server infrastructure rapidly.

Snapshot backups are taken daily and also point-in-time backups are maintained, which means we can restore the system to any point in the last 30 days. Our backup restore procedure and the rest of these policies are routinely audited.

Identifying risks and vulnerabilities

Our Devops team monitors for new vulnerabilities. Any new threats deemed a high risk are assessed by our engineering management, and a response plan is formulated.

All server operating systems are automatically patched with the latest security fixes every night. All software libraries are upgraded to the latest version, incorporating security fixes, upon every new release of our software (this happens at least once per working day). An internal security committee assesses our software and infrastructure every month for possible vulnerabilities, and plans fixes for any they find. External penetration testing is also conducted annually.

Data breaches and errors

All servers are monitored for standard key metrics (CPU, memory, network load, requests). These metrics are collected into a central monitoring server, whilst all logs are collected into a centralised logging system. Alert trigger rules are defined on both metrics and logs to proactively alert our Devops team to possible issues and unusual activity. These alerts are investigated within several hours and resolved.

All errors within the application, including those reported by schools, are collected into a central error collection system. Each error is assigned to an engineer, who attempts to reproduce and, if necessary, fix the problem within 1 working day.

• We will try to notify you as soon as we become aware of a data breach that impacts your data (in accordance with our Contract with you). 
• If you are concerned there may have been a data breach, please contact us immediately. We will then conduct a thorough investigation. Please email our Data Protection Officer at dataprotection@arbor-education.com.

All incidents are detected and reported to our Chief Technical Officer who then is responsible for coordinating our technical teams, gathering evidence, assessing the incident, and managing the response plan. All communications procedures will be followed, the incident will be logged, and corrective action will be taken to mitigate the risk in the future. Our Security Incident Response Plan is audited as part of our ISO 27001 certification.