Contents
- Introduction
- Getting started checklist
- User account management
- Data Management/Deletion
- Usage, training and impact
- Data Processing Agreement/Organisation Agreement
Introduction
The roles and responsibilities of the Organisation Administrator/Data Controller fall into the following sections:
- User account management
- Data management
- Compliance
- Usage, training and impact
The organisation may choose to allocate these roles to different individuals within the business or have one person responsible for all of them.
Getting started checklist
We have put together a getting started guide for administrators. Please see here.
User account management
- Create users
- Manage users (editing, deactivating, activating, deleting, restoring deleted accounts)
- Manage group requests
- Manage programme invites
Granting Power
- Creating new admin users
- Approving new uber admins
Data Management/Deletion
- Approving the creation of collaboration networks & groups, enabling data to be shared outside of your organisation
- Moving users between organisations they are uber administrators of
- Authorising the deletion of the organisation's data. See the following guides
Enabling Restricted Features
- Including approving downloading and data transfer. For the full list of restricted features please see here.
Compliance
- Customer GDPR compliance guidance can be reviewed here.
- Safeguarding tools
- Appropriateness of system use
Usage, training and impact
Data Processing Agreement/Organisation Agreement
The Organisation Administrator must agree to the Data Processing and Organisation Administrator Agreement before they can use their account (this is agreed to via the platform).
- Organisation Administrator & Data Processing Agreement (UK and Oceania Customers)
- Organisation Administrator & Data Processing Agreement + Standard Contractual Clauses (EU Customers)
- Organisation Administrator & Data Processing Agreement (US Customers)
SECTION 1: ORGANISATION ADMINISTRATOR AGREEMENT
3. Data Management
3.1 The monitoring, recording, holding and processing of images of distinguishable individuals constitutes personal data as defined by the General Data Protection Regulation ("GDPR"). This Agreement is intended to ensure that in the use of IRIS Connect it is compliant with the requirements of GDPR, with related legislation and with the CCTV Code of Practice published by the Office of the Information Commissioner.
3.2 While the IRIS Connect system does contain a feature to apply anonymisation filters, you acknowledge that recorded data may still represent personal data (for example if it is triangulated with other sources to identify an individual). Users must use their own judgement to decide if the anonymisation filters have sufficiently obfuscated data subjects before sharing any data.
3.3 If your intended use of the system is likely to collect personal data, you agree to do so in a way which is compliant with the requirements of the GDPR or applicable local regulatory framework. This may include but is not limited to the following:
3.3.1 Documenting your legal basis for processing personal data
3.3.2 Ensuring appropriate transparency and privacy notices
3.3.3 Ensuring robust mechanisms for ensuring ongoing compliance
3.3.4 Providing appropriate channels for appeal
3.3.5 Ensuring appropriate registration with the Information Commissioner's Office (ICO)
3.3.6 Adopting a balanced and reasonable policy for managing Subject Access Requests (SARs) and third party disclosures which safeguards the rights of all data subjects and respects the original purpose of the data collection
3.3.7 Enforcing data retention periods in line with your Organisation’s data retention policy
Further support around legal processing is available on the IRIS Connect website.
3.4 A nominated Organisation Administrator (who must be authorised by your Organisation to make decisions about the management of their data) must manage the Organisation’s compliance with this Agreement. By using the Organisation Administrator Account, the Organisation Administrator agrees the following on behalf of the organisation:
3.5 Management of Content
Your organisation is the data controller for all data uploaded by Users at your organisation to the IRIS Connect system. Your designated Organisation Administrator/s is responsible for making day to day decisions about the management of recorded data, permissioning collaboration groups, data sharing and the monitoring of data recorded by your Organisation.
3.5.1 IRIS Connect provides a content oversight tool which enables Organisation Administrators to review randomised thumbnail images from videos recorded within the organisation. This tool is designed to enable the identification of inappropriate content. You agree to only use this tool for this sole purpose.
3.5.2 You will be responsible for the management and monitoring of data owned by your Organisation. If a User at your organisation flags an issue with a recording or any other content, you agree that you are responsible for investigating the issue and for ensuring that any inappropriate content is removed.
4. System Management
4.1 A nominated Organisation Administrator (who must be authorised by your Organisation to make decisions about the management of their data) must manage the Organisation’s compliance with this Agreement. By using the Organisation Administrator Account, the Organisation Administrator agrees the following on behalf of the organisation:
4.2 Management of Users
Unless Users in your organisation are enrolled on a third party provider programme you will be responsible for the creation/amendment/deletion/suspension & management of the User accounts at your Organisation. If a leaving User chooses to transfer any data that they are managing to the Organisation Administrator – you will be bound by the EULA as if that data was your own.
4.2.1 If you use your Organisation Administrator Account to create additional Organisation Administrator Accounts then you confirm that:
4.2.1.1 you understand that the User for that account will be required to accept these same terms;
4.2.1.2 that any additional Organisation Administrator Accounts will only be created for individuals that you warrant are entitled to and in a position to sign up to such terms;
4.2.1.3 you are responsible for the actions of any User using an Organisation Administrator Account that you have issued them, any breach of the Organisation EULA by that User will be deemed as a breach of the Organisation EULA by yourself;
4.2.1.4 you will only create User accounts for employees, students or trainees at your organisation.
4.3 Management of Scope:
You are required to monitor User requests for engagement with third party providers and to provide, deny or revoke permission for Users from your organisation to share data and participate in collaborative activities.
4.3.1 third party providers may have additional terms as part of their service subscription. You acknowledge that while you will always retain overall rights to uploaded data, these agreements may include additional conditions. For example third party agreements may introduce new stipulations for the management and ownership of non-video IPRs generated by course participants.
4.3.2 You acknowledge that agreeing to such conditions represents a contract between you and the third party provider and agree to be bound by their terms and monitor User engagement to ensure organisational compliance.
4.3.3 On the IRIS Connect system organisation administrators may authorise the creation of groups which enable Users to share recorded data and collaborate with Users from other organisations. Such “community groups” enable Organisation Administrators to create participation agreements to be agreed by all members of the group.
4.3.4 If you authorise your Users to participate in community groups, you agree to be bound by the terms you have agreed to and to monitor User engagement to ensure compliance.
4.3.5 You acknowledge that if the group is created by your organisation you are responsible for ensuring that inter-organisation sharing is appropriate and proportional and that the participation agreement clearly identifies the following:
4.3.5.1 What data may be shared and in what format
4.3.5.2 The purpose for the data sharing and for how long it will be shared
4.3.5.3 Such additional provisions as are necessary to ensure legal processing both within your organisation and collaborating organisations
4.4 Management of Use:
The IRIS Connect system is for professional development, educational research and learning development, consequently, you agree:
4.4.1 To ensure that the use of the system is aligned with the stated purpose and that the system is not used for surveillance of staff or learners
4.4.2 To ensure that use of the system complies with the End User Licence Agreement (EULA) including, but not limited to:
4.4.2.1 To use the system to promote better learning outcomes
4.4.2.2 That all Users conduct themselves in a professional manner, to not use the system to bully or intimidate other Users or data subjects
4.4.2.3 To ensure recorded content is appropriate to and aligned with the purpose
4.4.2.4 To make sure recording equipment is positioned so it’s visible, safely located and unlikely to record data which is not required or not for the purpose you are using the system
4.4.2.5 To make sure Users are empowered to report to the Organisation Administrator any content or use that does not meet the above criteria
4.4.2.6 To ensure Users maintain system security and don't share passwords
4.5 Management of Privacy and Disclosures:
The IRIS Connect system incorporates a privacy by design philosophy which on a day-to-day basis gives Users control of the following:
4.5.1 When reflections are made and deleted
4.5.2 Who has access to reflections and how long for
4.5.3 Your participation in live reflections
4.5.4 The creation of groups and the content thereof
4.6 In exceptional circumstances IRIS Connect will enable managed onsite review or third party disclosures in situations where the following are being investigated either by the organisation or by a law enforcement agency:
4.6.2.1 Suspected system misuse and severe breaches of the EULA
4.6.2.2 Suspected professional misconduct
4.6.2.3 Suspected criminality
4.7 GDPR requires that personal data collected for one purpose cannot be further processed for another, incompatible purpose. If the sound and images recorded for professional development are subsequently used in an investigation, you agree that you will seek advice to be absolutely certain that the circumstances warrant using sound and images for this new purpose.
4.8 The IRIS Connect Web Platform (https://app.irisconnect.com) is a secure service for the selective sharing of recordings. Role-based login and encrypted communications ensure that the recordings are secure and managed within the privacy by design model. Under normal operation, recordings and other data may not be downloaded from the web platform.
4.9 If we receive a formal request from the data controller we will enable resources to be downloaded from the platform. You agree that in these circumstances IRIS Connect will cease to be the data processor and the organisation will be fully responsible for the data and responsible for any damages caused by a breach of security or privacy.
6. The Rights and Obligations of the Data Controller
6.1 The data controller is responsible for ensuring
6.1.1 that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the State where the data controller is established) and does not violate the relevant provisions of that State. For clarity for our EU customers this means the GDPR (see Article 24 GDPR), the applicable EU or member state data protection provisions, and the Clauses.
6.1.2 that it has instructed and throughout the duration of the personal data-processing services will instruct the data processor to process the personal data transferred only on the data controller’s behalf and in accordance with the applicable data protection law and the Clauses;
6.1.3 that the data processor will provide sufficient guarantees in respect of the Security Measures specified in Appendix C to this contract;
6.1.4 that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;
6.1.5 that it will ensure compliance with the security measures required for the applicable data protection law;
6.1.6 to make available to a data subject upon request a copy of the Agreement, with the exception of Appendix C, and a summary description of the security measures, as well as a copy of any contract for sub-processing services which has to be made in accordance with the Agreement, unless the Agreement or the contract contain commercial information, in which case it may remove such commercial information;
6.1.7 that, in the event of sub-processing, the processing activity is carried out in accordance with Clause 17 by a sub-processor providing at least the same level of protection for the personal data and the rights of data subject as the data processor under the Agreement;
6.1.8 that it will ensure compliance with Clause 6.1.
6.2 The data controller has the right and obligation to make decisions about the purposes and means of the processing of personal data.
6.3 The data controller shall be responsible, among others, for ensuring that the processing of personal data, which the data processor is instructed to perform, has a legal basis.
6.4 Monitoring implementation of this Agreement rests with nominated Organisation Administrators/Data Protection Officer (DPO) and IRIS Connect.
6.5 For the purpose of the GDPR, Organisation Administrators are nominated as Data Protection Officer (if no DPO has been required to be nominated under GDPR).