General Data Protection Regulations (GDPR) Resources
To help you fulfil your GDPR obligations and ensure our systems support you to do this, we have produced the following documentation for you to use in your organisation. Click the buttons below to download the relevant documents. If you have any questions or queries, check out the FAQ section below, or get in touch via our contact us page.
If you only use the InVentry onsite system, we don’t do anything with the data. The system sits on a computer that you have purchased and sits on your network. If you have a maintenance contract, we cannot access your system without your consent and would always seek this before doing so.
If you don’t use any of our other services, such as InVentry Anywhere, the permanent ID badge making or Advanced Trip Management, we do not process the data held on your system. You always remain the controller of the data and we would only ever do what is agreed in our maintenance contract. More details can be found in our Privacy Statement, available at https://inventry.co.uk/gdpr-policies/.
When we process data to deliver services on your behalf, we will only ever do what has been agreed in the contract. For example, we will never share your data with a third-party organisation unless legally required to do so, or handle it in a way that has not been explained in the contract. Where data is processed in the cloud or by our staff, this is done in a way that complies with the GDPR. More details of this can be found in our data sharing agreement, which can be requested by customers, and our Privacy Statement, which can be downloaded above from https://inventry.co.uk/gdpr-policies/.
First, let’s clarify the difference between capturing a picture and biometric data. A good comparison for this is getting a speeding ticket: when the camera flashes, the picture is processed through an electronic system to identify the car, and this is matched against information held in a database to identify the owner. The same applies to biometric use: the system has a database of images against which it compares the new image to see if they are the same person, by matching features such as eyes, nose etc. Unless the image is run through a system like this, it is not defined as biometric data. Taking a photograph of a person to use as part of a badge making process or in an evacuation list to assist identification would not constitute biometric data as defined in Recital 51 of UK GDPR – ‘The processing of photographs should not systematically be considered to be processing of special categories of personal data as they are covered by the definition of biometric data only when processed through a specific technical means allowing the unique identification or authentication of a natural person.’ Before collecting data for biometric use, the system will seek the consent of the individual using the system to use it for this purpose. Only by giving this consent can the data be used for this purpose.
As this data is special category data, it requires additional grounds for processing, including consent, and the organisation needs to obtain this. If using this with visitors, consent can be obtained either prior to their arrival or from visitors as they arrive via the system. If you wish to use it with staff, then additional consent must be obtained individually. With regard to students in education, additional consent is required before implementing biometric identification, and guidance on this from the DfE can be found online.
Any IaaS cloud-based service that we use to process data is a secure service and subject to the necessary requirements laid down in UK GDPR. More details of these can be found in Appendix 1 of our Privacy Statement, which can be found at https://inventry.co.uk/gdpr-policies/ or on request by emailing email@example.com.
Where data is stored at InVentry offices, it is held on our secure network and under our internal security protocols to ensure it is dealt with in line with Article 32 of UK GDPR. More details of this can be requested by emailing firstname.lastname@example.org.
The short answer is no, you don’t, with certain exceptions. The longer answer is that there are legal obligations placed on organisations to keep registers of those who attend site for various reasons, including The Health & Safety Act and Fire Regulations. This legislation requires organisations to keep records to ensure accurate evacuation, but the choice of how you do this is down to you. This legislation provides the lawful grounds for the processing of data as listed in Article 6 of the UK GDPR – Lawfulness of Processing.
Where the customer requires integration with other systems it uses, such as Active Directory or its Information Management System, this is done using an API (Application Programming Interface) developed in partnership with the service provider. This transfer takes place either via the internal network or via the internet. All transfer is done via HTTPS to ensure that the data remains secure in transit.
The same level of encrypted communication (HTTPS/TLS 1.2) is used when the support team need to access the organisation’s system via the internet to conduct work on a school system.
The InVentry system installed on the computer purchased from your reseller is encrypted using the industry-standard 256-bit AES.
To avoid any issues when attached to a customer network, the InVentry system and its supporting network infrastructure are subject to the policies of the customer. For example, the application of antivirus is the responsibility of the customer, to avoid any clashes in configuration.
The only cases where personal data could be displayed on the InVentry screen system are:
When the system is set up to allow ‘quick pick’, which retains data for a period of time agreed with the customer to allow quick signing in for visitors returning within the agreed timescale.
When the customer has pre-registered visitors for events, or regular visitors, to make signing in quicker.
In the case of a visitor entering their own details, the system will be/is set up to ensure that they are asked for their consent for this to be displayed. In the case of pre-registered visitors, it is the responsibility of the customer to gain consent for this when arranging the pre-booking.
InVentry does not take a copy of the customer database, so it is key that the customer sets the location for the system’s automatic backup. Any data entered by the customer into the on-premise InVentry system can be set in line with the customer’s own retention policy. This can be done via the data purge setting that can be found in the console of the system.
Where InVentry processes data, the retention policy for this can be found in our Data Processing Agreement which can be requested by customers, and our Privacy Statement which can be found at https://inventry.co.uk/gdpr-policies/. These policies also include details about storage and deletion of data processed by InVentry Ltd.