What information do we collect about you?
We collect information about you when you register with us or place an order for products or services. The only personal information held is a contact name plus the school name and email address.
Lawful basis for processing this data
We process this data using Article 6(1)(b) of the GDPR as our lawful basis:
“processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract”
How will we use the information about you?
We collect information about you to process your order, manage your account and keep you informed about updates and developments.
We do not pass your information on to any other parties for marketing or any other purposes.
We would like to send you information about additional training courses and services we offer that may be of interest to you. You may opt out at a later date. You have a right at any time to stop us from contacting you for marketing purposes.
Access to your information and correction
You have the right to request a copy of the information that we hold about you. If you would like a copy of some or all of your personal information, please email or write to us at the following address. We want to make sure that your personal information is accurate and up to date. You may ask us to correct or remove information you think is inaccurate.
How to contact us
Information for schools using our software package
Istek has no access to your PFM software or any of the data you have stored on it. This is held on your own school computing system.
If you ever ask us to assist with problems that require us to view your data, it will be stored securely on our in-house servers, which have firewalls in place to prevent intrusion, as well as virus protection. No data is held off site or on the cloud. Backups are taken regularly and stored securely. We do not share any data with any external organisations.
How does GDPR affect sharing Private Funds Manager data with Istek UK Ltd?
If you need to share data with Istek for the purposes of support or corrections, you will need to ensure that we are adhering correctly to the requirements of the law and acting in accordance with your own policies.
What is the lawful basis for sharing PFM data with Istek?
If you have a technical, accounting or other query that cannot be solved by telephone support, we may ask either to have a copy of your data or to be allowed to ‘remote-in’ to your system to view the data on your screen. We will only do this if it is not possible to resolve the issue simply by telephone support. The lawful basis for sharing this data is “processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract”.
Inherited policies on consent etc
We will not be accessing, viewing or using your data in any way other than to assist with your problems. Therefore, all issues of consent will be inherited from you, the school.
How we can access your data
To access your data we will either request that a copy is emailed to us or uploaded onto a web service, OR we will ask to remotely access your screen to view the data. You can specify if you have a preference and we will use your chosen option.
a. Emailing data to us
If we ask you to email data to us, there will be 2 LEVELS of password protection for your data. The first is a password that is automatically applied to your database when you purchase from us. The second is that you will be asked to ZIP the data file and assign your own password. We will then phone you to obtain this second password. If we need to return corrected data to you, we will assign the same secondary password to your database.
b. Uploading data to a web server
If we upload data to a web server, we will use the DROPBOX environment. Dropbox for Business & Education works extremely hard with data protection, and complies with ISO 27001, 27017, 27018 & 22301. It is also certified with CSA STAR, SOC3, SOC2, SOC1, FERPA & COPPA. It is fully compliant with GDPR. Please visit www.dropbox.com for further GDPR details.
c. Remoting into your screen
To remote into your screen we use TeamViewer, Microsoft Teams or Zoom. Each of these is ISO 27001 and SSAE-16, SOC2 certified and fully GDPR compliant. When we remote in, we issue a unique login code each time, and the user is required to manually grant access for us to view the screen and additionally to allow control of the mouse. The screen is very obviously different when we are viewing it, and it clearly states when we have left. The user at the school is required to remain present to watch everything we do whilst remoted-in.
How we handle your data
Istek UK Ltd maintains a database of all data received from schools, via email or webserver, and this shows us school name, file name, nature of problem, date received, resolved and destroyed.
When we receive data in email form, it will be downloaded and unzipped using your own password. We will then work on the data as needed on our own computers. Each data set will be handled by one support person only. No copies will be made, either on the hard disk or other media and school data is not included in any of our system backups.
If we need to make corrections to the data and return it to you, we will ZIP and password protect the data (with the second password). Once you have successfully downloaded and restored the data and have confirmed to us that the problem is resolved, your data will be deleted from our system and the email sent will also be deleted.
When we receive data in Dropbox form, it will be downloaded and unzipped using your own password. We will let you know it has arrived successfully, and YOU will then need to delete it, IF you have a Dropbox account where data is held. We will then work on the data as needed on our own computers. Each data set will be handled by one support person only. No copies will be made, either on the hard disk or other media and school data is not included in any of our system backups.
If we need to make corrections to the data and return it to you, we will upload it to our own Dropbox account. Once you have successfully downloaded and restored the data and have confirmed to us that the problem is resolved, your data will be deleted from our system AND from Dropbox.
Remoting in
When remoting in, we have no copy of your data.
End of life IT care
If we need to print anything from your data for the purposes of resolving your issues, or if you email us any documents that we need to print, these will be shredded once the issue has been resolved.
We will not copy your data onto CD or DVD but if we receive any of these with data on, they will be shredded after resolution. Data sticks received from schools will be wiped and returned or destroyed.
Our own redundant or broken computers have their hard disks removed before disposal. Hard disks are then wiped using CESG approved Blancco drive erasers and then shredded. The mechanical equipment of computers themselves is either recycled if there is no data element or destroyed. This is carried out by an ADISA accredited disposal company.