IT Health Checks (ITHC) - who's doing what?
David Dalby
Sense check with everyone what your IT departments are doing about the clause in the ESFA/DfE contract:
1.17 The Provider will ensure that any IT systems and hosting environments that are used to handle, store or process Department Data will be subject to independent IT Health Checks (ITHC) using a NCSC approved ITHC provider before go-live and periodically (at least annually) thereafter. The findings of the ITHC relevant to the Service being provided are to be shared with the Department and all necessary remedial work carried out. In the event of significant security issues being identified, a follow up remediation test may be required.
Do you consider ILR (or other) data to be "your" data rather than the Department's and you (just) share it with them? I think JISC have done an event recently where they spooked our IT team. Can you share what your IT teams are doing about this/interpretation of "Department" data please?
Replies
I might be wrong, but I think the Department believe they are the data controller for the ILR (I also think a lot of people disagree with this)?
Are ITHCs not part of Cyber Essentials though? Can't think of how we'd share it with the Dept anyway, not like there's a return if it's meant to be an annual thing?
Yes... I've got into this debate with our DPO where DfE consider us a processor, which we disagree with. We collect data for our own use, so we are both controllers who share data. We do get CE every year as we have a Welsh Govt education contract which requires it. I've thrown it back to our IT team to say if they are happy CE meets ITHC if we were asked by DfE the problem goes away (unless anyone here disagrees!)