Data Governance
Suggested audience: All Hwb users and stakeholders.
Overview
One of the key benefits of schools using Hwb and its associated tools is the level of due diligence undertaken by the Welsh Government to ensure digital services are fit for purpose and compliant.
Data Location
Our contracts contain robust data protection provisions which comply with the requirements of Article 28 of the General Data Protection Regulation (GDPR). For the education services with Microsoft and Google, we have ensured that the Security and Privacy Additional Terms contracts, such as EU Model Contract Clauses, have been reviewed and accepted.
Digital Service | Data location |
Hwb website (https://hwb.gov.wales) | AWS EU West |
360 degree safe Cymru | UK |
Just2easy | AWS EU West |
Microsoft Office 365 | Azure AD - United Kingdom; Exchange - United Kingdom; SharePoint - United Kingdom - Cardiff; OneDrive - United Kingdom - Cardiff; Skype for Business - United Kingdom; Microsoft Teams - United Kingdom; OneNote - United Kingdom - Cardiff |
Google G Suite for Education* | EU / USA |
* Welsh Government has opted into the enhanced Google data processing amendment and model contract clauses as a means of meeting the adequacy and security requirements of the EU data protection directive. Model contract clauses were created specifically by the European Commission to permit the transfer of personal data from Europe. Please refer to this link for further information on Google for Education privacy and security.
Data Flows and Brexit
The basis on which the UK will leave the EU has still to be decided.
The Government has made clear that the General Data Protection Regulation (GDPR) will be absorbed into UK law at the point of exit, so there will be no substantive change to the rules that most organisations need to follow.
But organisations that rely on the transfers of personal data between the UK and the European Economic Area (EEA) may be affected.
Personal information has been able to flow freely between organisations in the UK and European Union without any specific measures. That’s because there is a common set of rules - the GDPR.
But this two-way free flow of personal information will no longer be the case if the UK leaves the EU without a withdrawal agreement that specifically provides for the continued flow of personal data.
In this event, the Government has already made clear its intention to permit data to flow from the UK to EEA countries. But transfers of personal information from the EEA to the UK will be affected.
The Information Commissioner's Office has produced guidance and tools to help organisations understand and mitigate the issue. More information can be found here:
Data protection if there is no Brexit deal
Data protection and Brexit ICO advice for organisations
How will personal data continue to flow after Brexit
Cloud Services Governance
The following table summarises some relevant governance aspects applicable to Google G Suite for Education and Microsoft Office 365.
Compliance | G Suite for Education | Office 365 |
Data Protection – Model Clauses | ✓ | ✓ |
Data Protection – Privacy Shield | ✓ | ✓ |
National Cyber Security Centre (NCSC) Cloud Security Controls | Compliance asserted for all controls | Previously Pan Government Accredited |
Cloud Security Alliance | Security, Trust and Assurance Registry (STAR) Attestation | STAR Self-Assessment |
ISO27001 | Expiry 13 April 2021 | Expiry 18 January 2022 |
ISO27017 | Expiry 13 April 2021 | Expiry 18 January 2022 |
ISO27018 | Expiry 13 April 2021 | Expiry 18 January 2022 |
PCI / DSS | ✓ | ✓ |