General Data Protection Regulations (GDPR) Resources
To help you fulfil your GDPR obligations and ensure our systems support you to do this, we have produced the following documentation for you to use in your school. Click the buttons below to download the relevant documents. If you have any questions or queries, check out the FAQ section below, or get in touch via our contact us page.
If you only use the InVentry onsite system, we don’t do anything with the data. The system sits on a computer that you have purchased and sits on your network. We have no access to this without your consent and would always ask for this before doing so. If you don’t use any of our other services such as the support desk, ID badge making or InVentry Anywhere we do not process the data. You always remain the controller of the data and we would only ever do what is agreed in the contract.
First let’s clarify the difference between capturing a picture and biometric data. A good comparison for this is getting a speeding a ticket…when the camera flashes, the picture is processed through an electronic system to identify the car and matches this against information held in database to identify the owner. This is the same for biometric use, the system has a data base of images which it will compare the new image against to see if they are the same person by matching features such as eyes, nose etc. Unless the image is run through a system like this it is not defined as biometric data. Taking a photograph for a person to use as part of a badge making process or in an evacuation list to assist identification would not constitute biometric data. Before collecting data for biometric use, the system will seek consent of the individual using the system to use it for this purpose. Only by giving this can the image be used for this purpose.
The short answer is no you don’t with certain exceptions. The longer answer is that there are legal obligation placed on schools to keep registers of those who attend site for various reasons including The Education Act and The Health & Safety Act. This legislation requires schools to keep records and the choice of how they do this is down to them. Additional consent is required for using biometric identification, but this obtained from visitors as they arrive. Should you wish to use this with staff (under GDPR ) and students (under GDPR and guidance from the DfE (https://goo.gl/PWDaeX)) you will be required to obtain consent before implementing its
All transfer is done via https to ensure that it remains secure in transit. This is also the same when the support team need to access the school system via the internet to conduct work on a school system.
The InVentry system installed on the computer purchased from your reseller is encrypted at the 256bit AES industry standard. The key is stored away from the system with InVentry so should it be computer be compromised, the data will remain secure. The computer and its supporting network infrastructure is subject to the policies of the school to enable it to be maintained without any reliance on input from InVentry.
The only cases where personal data could be displayed on the system are:
- When the system is set up to allow ‘quick pick’ which retains data for a period of time agreed with the school to allow quick signing in for visitors returning within the agreed timescale.
- The school preregisters visitors for events or regular visitors to make signing in quicker.
- In the case of visitor entering their own details, the system will be/is set up to ensure that they are asked for their consent for this to be displayed. In the case of preregistered visitors, it is the responsibility of the school to gain consent for this when arranging the pre-booking.