InVentry and UKGDPR

Helping our customers

With you being the controller for the data processed within your organisation, we understand that the data within your InVentry unit is important to you. Although the system provided is supplied by InVentry Limited, the data remains within your control. In the same way you would put data into Excel or Word on your own computer does not make Microsoft a processor, the addition of data to your InVentry system and the processing it undertakes does not make InVentry a processor. However, in certain circumstances InVentry will become a processor and this will be explained later in this document.

The system installed on site has been developed to reflect the requirements of the DAP2018/UKGDPR, in particular:

  • Articles 12 – 23 – Rights of the data subject
  • Article 32- Security of Processing

We have taken measures to ensure that all data within the system is always secure and safe. These include;

  • Data housed on the InVentry system within your premises is encrypted at a database level using 256-bit encryption.
  • Data located in the Cloud copy (if appropriate) is encrypted at the same standard.
  • Ability to manage access to the user console and supporting interface.
  • Ability to customise the visitor/staff interface.
  • The ability to delete data in a managed manner
  • Ability to seek consent when required
  • Data is transferred using TLS 1.2/HTTPS

The information that InVentry captures when visitors and staff sign into your site is your data, and as such, the system allows you to choose what this is and how it is managed. However, we would advise that you consider the data being processed in line with the requirements laid down in GDPR with regards to the principles relating to data processing described in Article 5. It is worthwhile noting that this is one you make as the controller of data on your site. We would recommend that this retention period should reflect the organisations policy on data.

In all the above instances described above, the information held within your InVentry system is under your local control on a PC within your network, and subject to your own data protection and handling policies.

Lawfulness of Processing

‘Lawfulness of processing’ is at the heart of GDPR and organisations must ensure that this is complied with, but you don’t have to rely just on consent. Organisations can process data without necessarily asking consent to do so, other grounds include;

  • Processing is necessary for compliance with a legal obligation to which the data controller is subject;
  • Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller

So, for example;

  • The Regulatory Reform (Fire Safety) Order 2005 England and Wales – Requires an emergency evacuation plan that includes ensuring all those on site are safe accounted for.

This would provide legal grounds for processing data or in performance of a task acting in the public interest using an InVentry system.

InVentry Limited as a processor

There are five occasions where all or some of the information from your InVentry system would be processed by InVentry Limited, all of which involve processing data whilst not on your site or within your network.

The first of these is where your system includes a cloud version to support the service delivered. As part of the latest version of InVentry, a cloud copy of up to the whole system database is taken to enable specific services such as Acive Directory to be performed more efficiently.

The second of these would be when using InVentry Anywhere. InVentry Anywhere is a subscription based licensed service that takes visitor and staff information, when requested by the organisation, from your system for the purposes of emergency evacuation such as a fire. The information is uploaded to the InVentry Anywhere cloud server (hosted within the UK) using SSL/HTTPS and updated each time a visitor or staff member signs in our out. Visitor and staff (other than app log in details) information is purged from this server at 23:59:59 each evening as it is no longer required or accurate and this reflects Principle D – ‘Accurate and, where necessary, kept up to date’ of Article 5 in UKGDPR.

The third occasion where your data is processed by InVentry Limited would be for fault finding and service desk support, this is part of your maintenance licence. Before accessing your system, consent will be sought including an agreed time. There may be times where we need to take a copy of the data on your system to test it within our offices. Before removing data in any form, as before we will seek your consent to do so, either verbally or written and take all steps to minimise its collection. This data is subject to a stringent internal policy and procedure ensuring that ownership of the data is recorded, these include:

  • Where images of data are required, they are clipped to reduce the amount of data captured.
  • Permission to download an organisations database can only be authorised by a senior service desk member of staff.
  • All data is deleted and removed from our internal servers, of which those used for customer data storage are not backed up, and records once the fault has been fixed and this is recorded.

The next is if the organisation chooses to use the badge making service. The data submitted in this process is a decision for the controller, based on their requirements. When the data is submitted, it is uploaded to and downloaded to our office from our secure cloud severs where it is stored for a maximum of 24 hours via HTTPS. Once the badge order is confirmed and dispatched, we retain the data for 51 days to ensure correct completion of the order.

The last is if you choose to use the SMS/Email option for notifications of visitor arrival and email notifications. If you opt for this, the mobile number is shared with a service provider who is compliant with the requirements of GDPR and solely for this purpose. The retention periods for this service is outlined in our data sharing agreement.

Anonymous Data

InVentry Limited collects anonymised data to allow for future developments to the software along with providing insights and metrics to help you improve how you use your InVentry system within your organisation. This data includes:

  • Number of visitors per day
  • Number of staff signed in per day
  • Database size
  • Name of current MIS system (if applicable)
  • Geographical location of InVentry system
  • Hardware details of InVentry system

More details can be found at https://bit.ly/3PKa9OO

If you have any further questions, do not hesitate to get in touch with us via dpo@inventry.co.uk