On 25 May 2018 most processing of personal data by organisations will have to comply with the General Data Protection Regulation. You will need to do some work to ensure that you comply. This is not legal advice; you may need to seek specialist advice from a third party to help you. We hope that the answers below will help you with your compliance work.
What do I need to do for GDPR?
Look at this short ‘12 steps to take now’ guide from the ICO: https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf. There is also a page dedicated to small charities: https://ico.org.uk/for-organisations/charity/charities-faqs/. The Information Commissioner’s Office (https://ico.org.uk/) is the regulatory authority and is the definitive source of information and guidance. NCVO also have some charity-specific resources at https://www.ncvo.org.uk/practical-support/information/data-protection. There is a very helpful ICO telephone line which you can call for help with your GDPR questions if the online resources are not enough: 0303 123 1113 and select option 4.
Will there be any changes to the Lamplight system relating to the GDPR?
We have already updated the system so that you’ll have everything you need available to you to comply with the GDPR. However, you may need to make some changes to the way your system is configured in order to meet the obligations that you have identified as data controller. For example, do you need to review, add or amend the fields that you use to capture consent? If you are dealing with subject access requests, do you record individual client data in group work records? If so, you may need to adjust how data is recorded in those work records. Lamplight is producing information sheets to help organisations to make the changes that they need to make to the system themselves in order to meet their duties under the GDPR.
Compliance with the GDPR is an ongoing duty and so we may make further changes to the system, either as we identify additional functions that may be required, or as we improve existing functions to increase the ease with which organisations can meet their obligations. For example, we may improve the way in which changes are logged and managed in the system.
When clients/activities are archived does their data continue to be stored?
Yes it does. System administrators can view archived profiles in people > view, and un-archive them if necessary.
Is it possible to permanently delete data from the system?
Yes. You can permanently delete data in the system admin section, which clears it completely from the system. The data cannot be retrieved easily and this function should be used with caution. Where information is deleted permanently, it will remain in our backup system for 28 days, after which it is finally deleted and can never be retrieved.
Can I restrict processing of certain profiles without deleting or archiving?
Yes you can. There is a factsheet available which takes you through this process.
As administrator, am I able to change the information that must be entered when a new client is added to the system? For example, I may want to add the question: ‘Has the client provided consent?’ at the moment when a new name is added.
Yes, it is possible for you to add the additional fields that you need. You can then use these fields to filter lists or groups of service users when, for example, sending a mail-out or arranging events. These fields can also be used in data views so you can review this information.
You should plan any changes that you wish to make carefully. If you are changing existing fields then please be aware that any edits you make to existing options will be made to the profiles that already have data in those fields. E.g. if you change the field “Consent to send text message” to “Consent to contact” then the meaning of a ‘yes’ response would be widened for anyone who already had that response in the field.
What changes should I make to my system when capturing the consent of my clients?
We can’t offer general advice on the fields that you need to add in order to meet your obligations under the GDPR. You certainly need to be sure that you have a legal basis for processing data; you may want to add consent boxes if you decide these are needed, although of course if someone says no to having their data processed, they shouldn’t be entered into Lamplight in the first place. You can add new custom fields through system admin, and you could make it an essential field (this is set in global settings) which would mean that it has to be completed before a profile can be saved.
Do I need to keep demographic data anonymously?
This is a judgement you will have to make yourselves. Processing “special categories of personal data” is prohibited under the GDPR unless one of the exceptions applies. You should consult Article 9 of the GDPR for these exceptions. Personal data should also be processed in line with the Principles relating to processing personal data found in Article 5 of the GDPR. There are many different things to consider as you decide whether you should be processing this data and whether it should be anonymous and we cannot advise you on what decision you should make.
We would point out however that keeping demographic data separate from profiles doesn’t necessarily mean that it’s anonymous: it may be possible to identify an individual from their demographic information even if their name is not on it.
You may also wish to consider whether the monitoring and reporting requirements placed on you by funders and local authorities, or the requirements of your equalities policy, can be met if demographic data is kept anonymously.
The Contact Permissions in profiles are defaulted to ‘Yes’ in our system. Can this be changed?
Yes they can. We can change the defaults if you’d like us to – this will change it for all profile types. Please email email@example.com if you’d like us to do so. Our view at the moment is that what the defaults should be will vary from customer to customer. We’re open to changing this globally if more customers start taking the view that they should be ‘no’ by default, but few have so far.
Servers and technical information
Where are your servers located and where is our information stored?
We use the AWS London region exclusively.
How is data transferred between us?
Data is transferred over an encrypted https connection at all times.
What measures are in place to prevent IT breaches?
A number of security measures are in place to prevent data breaches: our System Security page gives more details.
Do any of your team at Lamplight have access to our individual client data?
Our Technical Director has access to the servers, and from there the underlying data, which we require in order to maintain the servers, take backups etc. No other staff have this access. Our access to the data is governed by our Hosting Agreement and the confidentiality clauses it contains.
Where access is necessary to provide a service you have requested, the relevant staff member (and only that staff member) will have access to your data. For example if we are migrating data for you then the data migrator and the technical director will have this access. Or, if you are having some support or training, the staff providing this will have access to the system. This access will be given directly by you and we will only access the data for the purposes of providing the relevant service, e.g. looking at a problem profile or setting up training exercises which require some familiarity with the data.
All staff, sub-contractors and associates are subject to confidentiality agreements as specified in your hosting agreement.
AWS have posted a GDPR statement that they will be compliant by May 2018 for many of the services that you contract with them. Can you confirm that your contract with them will provide a GDPR compliant solution (and any price implication thereof)?
We can confirm this, and there will not be any price implications for you. Details of the AWS GDPR are available at https://aws.amazon.com/compliance/gdpr-center/
How can we improve the security of our system?
There are a number of ways you can improve the security of your system.
- Add two-factor authentication. You install an app on your phone, which generates a 6 digit number every 30 seconds. You enter this number after your username and password. This means that as well as knowing what your password is, an attacker would have to have your phone (and be able to unlock it). You will need to set up the app before enabling two-factor authentication.
- Use a good, unique password. Create a password policy in the Admin menu that requires longer passwords (e.g. 10 characters or more) and that does not allow any of the commonly used passwords. Use Password Manager software to generate and securely store passwords that are different for each site you use. If you are a system administrator, you can force a password reset for staff through the admin menu to make sure that everyone complies with the new policy.
- Consider restricting access by IP address through system admin (if you always access Lamplight from a static IP) and/or by day and time.
You may want to think about using these in combination, or in different ways for different users. For example, you might require system administrators or other ‘power users’ to use 2 factor authentication, because there is a greater impact if their account is compromised.
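The 6 digit, 30 second codes described in the two-factor bullet above, shown as an added example that is not Lamplight's code. It assumes the phone app implements standard TOTP (RFC 6238 with HMAC-SHA1), which this page does not state; the function names, the clock-drift window and the replay check are illustrative choices.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds each code is valid for, as described above
DIGITS = 6   # length of the code shown by the app

# Published RFC 6238 test key, used here only as sample input.
DEMO_SECRET = b"12345678901234567890"


def totp(secret: bytes, at: float, step: int = STEP, digits: int = DIGITS) -> str:
    """Return the code an authenticator app would show at Unix time `at`."""
    counter = int(at) // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret: bytes, submitted: str, at: float,
           last_counter: int = -1, drift: int = 1):
    """Check a submitted code; return the matched time step, or None.

    Accepts +/- `drift` steps to tolerate clock skew between phone and
    server, and rejects any step at or before `last_counter` so that a
    code someone has observed cannot be used a second time.
    """
    now = int(at) // STEP
    matched = None
    for counter in range(max(0, now - drift), now + drift + 1):
        expected = totp(secret, counter * STEP)
        # Constant-time comparison; bytes so non-ASCII input cannot raise.
        same = hmac.compare_digest(expected.encode(), submitted.encode())
        if same and counter > last_counter:
            matched = counter
    return matched
```

The server stores the returned step as `last_counter` for that login, which is what makes a code single-use even inside its 30 second window.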
Also consider the security of other systems. For example, losing control of your email account would mean that an attacker could reset passwords (to Lamplight and probably many other things) and gain access that way.
System Administrators should also familiarise themselves with the available security functions, so that (for example) you know how to lock a login if there is a concern that it has been compromised.
Does Lamplight have a Data Protection Officer?
No, on our analysis we do not meet the requirements for mandatory appointment of a DPO.
Does your Hosting Agreement need to change to include …?
Yes, we are working with our lawyer to update the Hosting Agreement and will be issuing an update by the end of April.
What information do we hold in Lamplight? I need to do an audit of our system and see what data we’re holding
You can download a spreadsheet of all the field settings in your system through the Admin menu in one go. Go to System Admin > File Transfer > Download field settings from your system and a file will be downloaded. You can then review these fields with your team.
How do I fulfil a Subject Access Request?
We are producing a detailed factsheet to help you with this. But the short answer in most cases will be to go into a profile and print it, and then ‘print to pdf’. You will need a way to securely transfer this to the Data Subject (email is not secure; encrypted USB keys are).
Do we need a Data Protection Officer?
We don’t know: this is a judgement you’ll need to make based on the current ICO guidance (https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/data-protection-officers/). If you do appoint a data protection officer, please provide us with their details so that we can identify them and support them appropriately.
What is our record management process in regards to Personally Identifiable Data (PID)?
We don’t have one for your data: this will be up to you. There are tools in Lamplight to help you with this, though – for example the Permanent Delete in system administration.
What access controls does Lamplight have in place?
Access to the Lamplight servers is restricted to SSH access from particular IP addresses. Firewalls are used throughout, and networks sub-divided, to restrict traffic. We do not have physical access to the servers; this is managed by Amazon. Our System Security page provides more information.
Do you have a Data Protection policy?
We do have a data protection policy. However, we are currently updating it and will publish it in the next week or two.