InfoMentor, whether the company is considered as a data controller or data processor, is strongly committed to processing personal data with the appropriate security measures to ensure its protection.
InfoMentor operates according to the requirements of ISO-27001 and ISO-9001 information security standards. All security measures that are taken are based on data classification and data process impact assessments. The company has a written security policy and conducts a regular data processing risk assessment. InfoMentor’s Chief Operating Officer leads a regular review and assessment of the effectiveness of the technical and organizational measures that secure all processing of data.
InfoMentor’s security team comprises employees in each office. The team oversees the development and implementation of security measures and meets weekly to review issues at hand.
All information concerning InfoMentor’s users is handled with the utmost caution to ensure that information is not lost or ends up in the hands of unauthorized persons.
5.1. InfoMentor employees’ access to information
Employee access rights to the InfoMentor system are based on job requirements and role within the company, following the principle of least privilege.
Access to information regarding the users of the InfoMentor system is controlled and segregated by lines of duty, and employees should only perform transactions in the systems which are necessary for them to complete their job functions. InfoMentor’s employees must be able to justify all in-system transactions if a review of their transaction log were to be done. The InfoMentor system has built-in logs which can track all actions an employee makes within the system to ensure traceability of actions.
Access rights and supervision of employees are in accordance with InfoMentor’s defined operating procedures on information security. Managers for each of InfoMentor’s departments conduct regular reviews of their employees’ access privileges. The Chief Information Security Officer is responsible for ensuring that employees’ system access is in accordance with their job function. If an employee leaves the company or is terminated, all access privileges are to be revoked or removed.
5.2. Employee confidentiality and non-disclosure
All of InfoMentor’s employees sign a non-disclosure agreement to ensure confidentiality of information. Employees are obligated to keep confidential all information they may come across during their work regarding the company, its customers or the users of the InfoMentor system. InfoMentor’s employees are required to perform this obligation dutifully in order to prevent possible damage to the interests of the data subjects in the InfoMentor system. The employee’s confidentiality and non-disclosure obligation is retained even after the employee has resigned from their job with InfoMentor.
5.3. Response to personal data breach
InfoMentor, whether in the capacity of a data controller or a data processor, emphasizes clear working procedures in response to a possible data breach involving personal information.
InfoMentor as a data processor will notify the data controller, the school administration and contact person immediately if a security breach occurs. The controller shall then notify the Data Protection Authority and the data subjects as applicable in accordance with current data protection regulation. InfoMentor will assist the data controller as necessary in this process. InfoMentor documents the breach and evaluates its effects and remedial action taken.
InfoMentor as a data controller will notify the Data Protection Authority as applicable under laws and regulation. Effects and risk to the rights and freedoms of the data subjects will be evaluated and, if the personal data breach is likely to result in a high risk, InfoMentor shall communicate the personal data breach, its effect and remedial action taken to the data subject. InfoMentor documents and evaluates the breach, its effects and necessary remedial actions.