Integritypolicy in English
InfoMentor Integritypolicy – Version 3 – Valid från November 1st, 2021
InfoMentor designs, develops, and manages the software InfoMentor. InfoMentor is a comprehensive information and education system for schools and other educational institutions. InfoMentor’s customer base is made up of roughly 1200 customers and our services include various consulting, customer service and hosting of independent websites. The company operates in three different countries; Iceland, England and Sweden where its headquarter is located.
InfoMentor makes life easier for schools. It seamlessly combines curriculum planning, pupil assessment, progress analysis and parental engagement in one place. It supports teaching and learning best practice, whilst reducing workload so teachers have more time to focus on the development of their pupils. Our core ideology is that all students should reach their full potential. The InfoMentor system is built on the latest educational research and practices to optimize pupil’s performances. Our company goal is to be one step ahead and we aim to achieve this in each of InfoMentor’s projects.
InfoMentor is the data processor of the data processed in the InfoMentor system. The data processor is the entity which processes personal data on the behalf of the data controller in accordance to specified instructions from the controller based on processing agreements. InfoMentor is therefore the data processor for schools and educational institutions which use the InfoMentor system. Educational institutions and schools using the system host all collected information and data.
InfoMentor is the data controller for processing personal data which is collected for the purpose of InfoMentor’s services offering, sales, or marketing. The data controller is one who determines the purpose and means of collecting personal data and has the responsibility to ensure that all data processing is carried out in accordance to current data protection regulations and that the data processing is based on valid legal grounds and professional standards.
1. InfoMentor’s policy for processing personal data
InfoMentor is dedicated to protecting privacy and confidentiality. All processing of personal data, whether InfoMentor is considered a data processor or a data controller, is conducted in accordance to current data protection regulations and based on valid legal grounds and professional data protection standards.
The company main emphasis include:
- Privacy regulations are taken into account during program design, development and implementation.
- Processing of personal information at InfoMentor requires that all necessary organizational and technical measures is taken into account in accordance to current laws and regulations.
- Processing of data for a data controller is based on a valid contract that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller.
- The InfoMentor information system supports users’ obligations to comply with privacy regulations and the processing in the system offers adheres to the legitimate consent for data processing.
- Providing InfoMentor’s customers with support, education, and advice on data privacy.
- Ensure the appropriate technical and organizational measures are maintained and reviewed on a regular basis.
- As the data controller, InfoMentor is able to meet the requirements of data subjects’ rights in accordance to current privacy regulations and, where InfoMentor is the data processor, InfoMentor is able to assist the data controller in fulfilling their privacy requirements towards the data subjects.
Responsibility, confidentiality and respect for the rights and freedom of data subjects and their privacy is the foundation of InfoMentor’s approach to processing and handling of personal data.
2. Processing personal data in the InfoMentor information system
InfoMentor is the data processor of the InfoMentor information system. All processing of personal information in the interest of the data controller is made in accordance to processing contracts which sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller. InfoMentor, as a data processor hosts the InfoMentor system, which includes the retention of the data which the system stores.
InfoMentor does not record any personal information into the InfoMentor system such as information about students, family members or employees and it does not collect any information from the InfoMentor system for the means of processing information its own benefit.
The data controllers of InfoMentor are in most cases preschools, elementary schools, colleges, or other educational institutions. In the InfoMentor system, it is possible to record various information about students and their family members, such as names, addresses, telephone numbers and various information related to the education and schooling of students. It is also possible to enter necessary information about employees. Data controllers (Employees of the educational institutions) record personal information into the InfoMentor system and are responsible for the information contained therein. The data controller needs to ensure that records are relevant, fair, transparent, and that data processing is carefully made in accordance to current data privacy laws and regulations. Administrators of the educational institutions control who has access to the InfoMentor information system. Decisions regarding storing users’ information, retention periods, backup and storage procedures, sending and erasure of personal data concerning the students, parents and employees, resides with the controllers (educational institutions).
InfoMentor does not share or provide any information from the InfoMentor system unless a formal request is made from the data controller or there are clear legal grounds in place.
The deletion of data in the InfoMentor system is only performed when there is a formal request from the data controller. When there are no longer any substantive or valid reason for the retention of data, the data controller should inform InfoMentor of which electronic data should be discarded. When data is discarded, it is not possible to recover. Erasure of personal data is subject to defined operating procedures which InfoMentor has specified.
As InfoMentor has the responsibility of operating and servicing of the InfoMentor system, there are instances where it may be necessary for InfoMentor’s employees to access the system while assisting users or repairing the system. There are strict operating procedures in place at InfoMentor regarding which employees can perform such services and they are only ever conducted when a formal request is available from the data controller. All in-system actions of InfoMentor’s employees are logged and traceable back to individuals. All employees of the company are bound by confidentiality. See chapter 5 for further information of technical and organizational security measures.
3. Processing personal data for the purpose of servicing users of the InfoMentor information system
InfoMentor is the data controller for the processing of general personal information which the company collects and stores in connection to customer service and consultation to the customers of the InfoMentor information system.
Data controllers contact information
Data controllers (Educational institutions) regularly send InfoMentor information regarding contact persons to the InfoMentor services team. Contact information InfoMentor receives contains names and e-mail addresses of the contact person (data subject).
Customer service and system user consultation
InfoMentor records this information in order to send information, instructions and other content relating to the InfoMentor system to the contact persons.
The data controller notifies InfoMentor if there are any changes to the contact persons and if there are changes to the contact persons, the former contact information, e-mail, and name is discarded.
When a user in the InfoMentor system requests services and advice by e-mail or phone, a service ticket is created and linked to the user (when they ask for assistance from a programmer or a member of the InfoMentor support team). This is done in order to contact the person for the purpose of the service ticket and also to provide an overview and record over the services rendered to users and customers. Personal data collected from this process is stored in an access controlled and restricted customer relations system. Service tickets are otherwise not stored or registered in a personally identifiable way.
The personal information we may collect are:
- Username (National identification number/social security number)
- Job title
- School or institution
- E-mail address
- Phone number
InfoMentor does not share any information that the company collects due to services rendered to users of the InfoMentor system to third parties. A formal request can be made to erase any information from the customer relations system. See chapter 5 for further information on technical and organizational security measures.
4. Processing personal data for the purpose of general service provision, sales or marketing of InfoMentor
InfoMentor is responsible for the processing of general personal information that the company collects and records in connection with various services, sales and marketing. This may include registration on mailing lists relating to demonstrations of InfoMentor‘s products and services, registration of system training-courses, requesting notifications from information systems, participation in a specialists groups on social media or participation in pedagogical evaluation on the InfoMentor’s website. InfoMentor collects this information direct from the person, for example on demonstrations or through its websites www.infomentor.se or www.infomentor.is
The purpose of collecting this personal information is to enable InfoMentor to communicate with and to serve customers. The collection of information is also to be able to share information to interested parties regarding updates and new products in the company’s operations and for marketing activities.
All data processing for this purpose is built on a balancing of legitimate interests of the company, necessity to enter into and perform contracts with customers and an informed consent of the data subject. Registering on mailing lists can be unsubscribed at any time by sending an email to firstname.lastname@example.org
The personal information we may collect are:
- Name and e-mail address of a person who accepts to be on InfoMentor’s mailing list to get information f.ex. about new products and services.
- Name, e-mail address, job title and educational institution of a person who is interested in being on InfoMentor’s mailing list.
- Name and e-mail address of an individual who is interested in an introduction to the InfoMentor system.
- Name, e-mail address, job title and educational institution for those who register for a course / conference or other event at InfoMentor.
All personal information collected by InfoMentor is stored in an access controlled customer service system or in a closed electronic storage area. See chapter 5 for further information on technical and organizational security measures.
Personal data collected for mailing lists is erased at the request of the data subject, and the data subject can unsubscribe by clicking a link on the bottom of the newsletter. Data subjects may also send an e-mail request to email@example.com to request to be removed from the mailing list or request erasing of personal information for other registrations at InfoMentor. All personal information about the data subject is consequently erased from the system.
InfoMentor does not share or transfer any personal information to third parties that the company has collected and recorded for sales, service or marketing purposes to third parties.
5. Security measures
InfoMentor, whether the company is considered as a data controller or data processor, is strongly committed to processing personal data with the appropriate security measures to ensure its protection.
InfoMentor operates according to the requirements of ISO-27001 and ISO-9001 information security standards. All security measures that are taken are based on data classification and data process impact assessments. The company has a written security policy and conducts a regular data processing risk assessment. A regular review and assessment of the effectiveness of technical and organizational security measures for ensuring the security of all processing of data is conducted and is led by InfoMentor’s Chief Operating Officer.
InfoMentor’s security team comprises of employees in each office. The team oversees the development and implementation of security measures and meets weekly to review issues at hand.
All information concerning InfoMentor’s users is handled with the utmost caution to ensure that information is not lost or ends up in the hands of unauthorized persons.
5.1. InfoMentor employees access to information
Employee access rights to the InfoMentor system is based on their job requirements and role within the company by the least privilege.
Access to information regarding the users of the InfoMentor system is controlled and segregated by lines of duty, and employees should only perform transactions in the systems which are necessary for them to complete their job functions. InfoMentor’s employees must be able to justify all in-system transactions if a review of their transaction log were to be done. The InfoMentor system has built in logs which can track all actions an employee makes within the system to ensure traceability of actions.
Access rights and supervision of employees is in accordance to InfoMentor’s defined operating procedures on information security. Managers for each of InfoMentor’s departments conduct regular reviews of their employee’s access privileges. The Chief Information Security Officer is responsible for ensuring the employees system access is in accordance to their job function. If an employee leaves the company or is terminated, all access privileges are to be revoked or removed.
5.2. Employee confidentiality and non-disclosure
All of InfoMentor’s employees sign a non-disclosure agreement to ensure confidentiality of information. Employees are obligated to keep all information they may come across during their work regarding the company, its customers or the users of InfoMentor system, confidential. InfoMentor’s employees are required to perform this obligation dutifully in order to prevent the possible damage to the interest of the data subjects in the InfoMentor system. Employee confidentiality and non-disclosure is retained even after the employee has resigned from his job with InfoMentor.
5.3. Response to personal data breach
InfoMentor, whether in the capacity of a data controller or a data processor, emphasizes clear working procedures in response to possible data breach involving personal information.
InfoMentor as a data processor will notify the data controller, the school administration and contact person immediately if a security breach occurs. The controller shall then notify the Data Protection Authority and the data subjects as applicable in accordance to current data protection regulation. InfoMentor will assist the data controller as necessary in this process. InfoMentor documents the breach and evaluates its effects and remedial action taken.
InfoMentor as a data controller will notify the Data Protection Authority as applicable to laws and regulation. Effects and risk to the rights and freedoms of the data subjects will be evaluated and if the personal data reach is likely to result in a high risk, InfoMentor shall communicate the personal data breach, its effect and remedial action taken to the data subject. InfoMentor documents and evaluates the breach, its effects and necessary remedial actions.
6. Rights of data subjects in regard to personal data processing
InfoMentor as a data processor is highly committed to ensuring the InfoMentor information system is designed and developed with the data subject’s rights in mind and that the system is capable of assisting the data controller in ensuring compliance with the obligations towards the data subjects.
Data subjects cannot approach InfoMentor directly regarding personal information that is stored in the InfoMentor system as the information that the system retains is the responsibility of the educational institutions (the data controllers). In such cases, the data subject needs to go to the corresponding educational institution with the request of removing personal information. As the data controller, InfoMentor is committed to ensuring that the rights of the data subjects relating to their stored personal information complies to applicable privacy laws and regulations.
When processing personal data is based on the data subject’s consent, data subjects can at any time withdraw their consent.
If a data subject believes that the processing of personal information at InfoMentor in any case does not comply with applicable data protection laws or regulations and does not adhere to safe data processing methods, they can send a complaint or notice to our data protection officer (firstname.lastname@example.org).
Everybody has the right to seek out the Data Protection Authority (the Information Comissioners Office, or ICO) if they believe their privacy rights have been infringed upon or if they believe privacy laws have been broken. Information regarding complaints and notifications to the Data Protection Agency can be found on their website: https://www.imy.se/ .
All decisions regarding processing of personal data are made by InfoMentor’s management team and the board of directors, with the assistance and guidance of our data protection officer.
Please note that this policy will be regularly reviewed and may change accordingly, as to reflect InfoMentor’s business operation and handling of personal data at any given time.
8. Data protection officer – further information
If you have any concerns, comments or requests for further information regarding the processing of personal information at InfoMentor, please contact our data protection officer at this email adress: email@example.com