GDPR Frequently Asked Questions

Overview

Many of you have been in touch to ask us about our data protection procedures and safeguards and so we have placed as many of your questions in this FAQ. If you have other specific questions feel free to contact us on CEM@cambridge.org

FAQ	Our Position
What is a school’s relationship with CEM?	The school is joint Data Controller with CEM.
What are my rights as a data subject?	Subject to applicable law, you may have the right to: obtain confirmation that we hold personal data about you, request access to and receive information about the personal data we maintain about you, receive copies of the personal data we maintain about you, update and correct inaccuracies in your personal data, object to the processing of your personal data, and have your personal data blocked, anonymised or deleted, as appropriate. The right to access your personal data may be limited in some circumstances by local law requirements. To exercise these rights, please contact us by emailing privacy@cambridge.org.
Please provide a summary of the activities undertaken to ensure CEM provides adequate protection to personal data.	All staff undertake compulsory Information Governance and Data Protection training every year. Data Protection Impact Assessments have been undertaken on CEM processing activities. All information flow documentation is in place and risk assessments undertaken. Relevant policies and procedures have been updated to align with data protection legislation. End User Licence Agreements have been updated in line with data protection legislation. A Privacy Notice is available to customers on www.cem.org/privacy-notice. Retention of personal data has been defined and is also available at the above link.
What personal data do you process on our behalf?	Please see our Privacy Notice at www.cem.org/privacy-notice to see what personal data we process for each of our assessment systems and entrance assessments.
What technical and organisational security measures do you have in place to ensure a level of security appropriate to the risk?	We do not currently anonymise personal data we hold as we believe our technical and organisational security measures are strong enough to mitigate the risk to data held on our servers. All staff laptops are encrypted. Confidentiality – access to data on CEM’s network is restricted to CEM staff only. A unique username and password is required to access the network. The network is protected by industry standard firewalls at the perimeter. Servers are high availability virtual servers, backed up every night. Servers run as virtual servers, facilitating rapid restoration in the event of systems failure. The CEM network undergoes ongoing vulnerability tests using reputable 3rd Party software.
Do you engage sub-processors?	Only for some paper-based Entrance Assessments.
Does your End User Licence Agreement contain specific GDPR clauses?	Our latest Assessment and Monitoring Systems EULAs can be found at www.cem.org/gdpr.
Where is my data stored?	All personal data is stored in UK based data centres.