Nessy’s commitment to data privacy
At Nessy we are committed to enriching the lives of children through education, and as part of that commitment we have always taken responsibility to carefully protect the privacy and rights of anyone who chooses to share their personal data. Nessy has never sold any personal data and never will do. The information Nessy collects about students is used to build a profile of their educational requirements and is used within the Nessy platform to direct their learning and maximise the effectiveness of the program. Educational data is sometimes used for research purposes, but no personal details are released and the information is always completely anonymous with restrictions upon confidentiality.
What is GDPR?
The General Data Protection Regulation (GDPR) will become law in all countries across Europe from May 25, 2018. From that date, all EU residents will have greater control over their personal data with a much bigger say over what, how, why, where, and when their personal data is used, processed, or disposed of.
Any organisation that works with EU residents’ personal data in any manner, irrespective of location, has obligations to protect the data of these residents.
How is Nessy complying with data protection regulations?
How is personal data identified?
We have completed a full data audit to understand what personal data we hold and where it is held.
How is data integrity and security reviewed?
Once a year we conduct a full security review on the Nessy platform. This covers areas such as:
- Reviewing and updating the encryption algorithms we use on customer data
- Reviewing any third-party software we use on the nessy.com site, working to reduce this list where possible
- Conducting an internal audit of all IT equipment and software used within Nessy, making improvements where appropriate
We anonymise personally identifiable data where possible and appropriate.
We have upgraded our storage and backup systems and implemented total database encryption across our learning platform.
Updating our processes and policies
We have reviewed and updated our IT Acceptable Usage Policy for Nessy employees.
We have created a Data Breach Process document to follow in the unlikely event that the Nessy platform is compromised in any way.
We have created a Data Retention Policy to outline how long we will store and hold any personal data.
Reviewing our providers
We are in the process of reviewing any services that we share personal data with to ensure they meet the standards set out by the GDPR.
We are in the process of reviewing any third-party software we use and will remove or replace any software that is no longer required or doesn’t meet the standards set out by the GDPR.
Deleting redundant data
We commit to removing any personal data from the Nessy platform that meets the criteria set out in our Data Retention Policy.
We take all appropriate steps to fully remove all data before disposing of redundant IT hardware.
We are constantly developing the Nessy Learning platform to make our applications safer, easier to use and more effective. This includes introducing mechanisms to seek informed parental consent for students to use Nessy, as well as the ability to download and view all the data we hold about you and your students.
What happens if there is an unauthorised disclosure of data?
Nessy has a data protection officer who will, within 24 hours, inform the relevant authorities and the people affected where there has been a breach of security measures leading to an unauthorised disclosure of data, and the Nessy developer team will take immediate steps to prevent further data loss. Where there has been an unexpected loss of data, steps will be taken by the developer team to retrieve the lost data before informing the account holder.