Bell Educational Services Ltd implements data protection privacy framework on advice from IT Governance’s expert consultants
This case study reveals how IT Governance assisted Bell Educational Services to ensure it fully complied with the Data Protection Act. Call us on +44 (0) 845 070 1750 to discuss your own data protection consultancy requirements.
Bell Educational Services Case Study
Bell Educational Services Ltd contacted IT Governance to obtain advice and project support from our experienced data protection consultants. Bell’s management team wanted to know the exact standing of the organisation’s legal situation, security practices and operating procedures in relation to the Data Protection Act.
Management Systems consultants Ralph O’Brien and Nick Orchiston and qualified DPA auditor Richard Campo from IT Governance enabled the company to achieve its compliance goals and helped the organisation to plan and implement best practice measures to protect confidential data at all points in their system.
For more than 60 years Bell has carried out English language teaching activities around the world as an educational charity, becoming one of the leading providers of language education in Britain. Over the last ten years more than 100,000 students from over 90 countries have studied English with Bell in the UK alone. This sizeable business operation has generated large stores of data, much of which is personally identifiable and confidential.
At the beginning of 2012 the Senior Management Team at Bell decided to review its Data Protection Act compliance and carried out a risk assessment that looked at the threats to confidential data stored within the organisation. To establish what corrective actions would be necessary to address areas of risk, Bell called in a DPA consultant from IT Governance.
The main drivers for this compliance project were:
compliance with the UK Data Protection Act 1998;
protection of personal/sensitive information regarding Bell students; and
prevention of data breaches that could lead to loss of reputation.
Gordon Sinclair, the Deputy IT Manager and IT Project Manager, described the project requirements below:
“Bell wanted to take appropriate steps to ensure that confidential data was being handled in accordance with UK law and also that sufficient safeguards were in place to secure that data in line with the risk appetite of our business. Caring for our students includes protecting their personal data, and our reputation in the education and training market was only one of several good reasons for ensuring that we were compliant. This meant that we needed to assess how we handled our data to ensure that we had all the appropriate security controls in place to provide the highest level of protection at all times.
We hired IT Governance Ltd’s experts to assess our data protection arrangements, identifying what constituted information protected by the Data Protection Act in our system, the activities regulated by the Data Protection Act designed to protect this data, the various rights and obligations under the Data Protection Act, who was responsible for the “purpose and manner” of processing and what the Law requires, and how long data protection rights and duties would last in relation to the confidential data held.
When Bell commenced this project in 2012 we wanted experienced data protection consultants to assess the exact standing of our legal situation, security practices and operating procedures in relation to DPA compliance. This covered everything from storage of student records, how we handled credit card data, what information was held, our retention guidelines (i.e. what we actually needed to retain and for how long), and data workflows to the methods used to move data around, including paper-based records.”
Gordon Sinclair explained the process:
“We began with a gap analysis performed by IT Governance’s Ralph O’Brien, who identified where we needed to enhance controls over data handling. The work extended to Ralph’s recommending tougher security measures and helping us to migrate our manual systems to electronic data handling.
One of the key challenges that we found when attempting to implement privacy compliance was that of trying to establish a set of meaningful guidelines or a recognised standard against which to work. Standards are an increasingly important requirement in governance frameworks: we need a standards-based approach to understand what needs to be achieved; to set common governance goals across and between organisations; to understand whether the responsible managers are competent to implement those controls; and to audit whether those controls have been properly established and maintained. On the advice provided to us by IT Governance we decided to align our privacy framework at Bell against BS10012 – Data Protection – Specification for a personal information management system (PIMS).
The core of our data handling is our registration process, which we are gradually migrating to our CRM system. We are moving information to a secure system based on Active Directory with robust IT security controls such as regular AV scanning, gateway monitoring and a full set of security policies (45 in total). Management Systems consultant Nick Orchiston showed us how to interpret what we were already doing in this regard into further documents that would support our data security. With his help, we also instituted training ‘drop-ins’ for staff handling confidential data to enable them to apply the new policies effectively. Perhaps one of the most useful aspects of IT Governance’s advice, though, came in terms of senior management team buy-in to the ideas that Nick put forward. As an IT department, we were able to make faster progress with the DPA project thanks to Nick’s knowledge and understanding. It was decided that we appoint a member of the Risk Committee as a Data Protection Officer (DPO) as part of their contractual responsibility, which assisted us in configuring the data protection structure to complement our current risk register. It’s a decision that we have valued ever since because we have been able to embed DPA awareness and compliance throughout Bell. It’s even part of everyone’s terms of employment when they join the organisation and forms part of their induction – something that Nick suggested. Data security is considered as important as any other senior management responsibility, and is delegated to all our departments. The idea of trying to implement effective DPA compliance without this senior level of buy-in and integration of the data protection culture into everyday working practice would have been a struggle for us in the IT department.
I would recommend anyone in our situation to hire a consultant like Nick, who has senior management experience from a long career, and of course I would also point you in the direction of IT Governance Ltd!
We had complete confidence that the law’s requirements were being interpreted with clarity and that the output would be robust.”
Gordon Sinclair summarised the outcome of the project as follows:
“Before completing this phase of our DPA compliance project, we wanted a thorough external audit of our information security and data protection processes and documented procedures. We invited IT Governance to conduct this and Richard Campo carried out the work. Richard proved to be a highly effective auditor and his guidance on our implementation of data protection processes was enlightening. Not surprisingly, he had a high level of awareness about the requirements of the DPA and how the processes that we were operating could be beefed up to further strengthen our stance. The results of this audit performed in 2013 satisfied our Risk Committee that, as an organisation and in terms of the commitment of our individual staff members, we had performed due diligence and that we were fully compliant in terms of UK law. As you can imagine, since we are a respected educational establishment that is among the best in the world, we mark our own efforts strictly so I have a high level of confidence in the outcomes.
For me, the interesting by-product of greater efficiency was a particular plus point in this project. The move from more traditional processes that were admin-heavy to an IT-based system throughout has been especially satisfying, proving the value of IT investment. We now have the ability to get into the system from anywhere in the world, securely and on demand. Uncontrolled work has been removed. I would point out to any IT manager tasked with protecting data that IT Governance helped us achieve this through a process-based review. DPA compliance is not just about meeting a regulatory requirement; it can be turned into an opportunity to improve systems and workflows to the extent that it puts control of information back into the hands of IT for the benefit of the enterprise. Our DPA project was not a cost centre: it helped us to grow our business and continues to do so now.”
IT Governance has broad and deep experience in all aspects of data protection, privacy and the protection of personally identifiable information (PII). Just as we have helped Bell to achieve DPA compliance on time and within budget, so we can help you, whatever your need. Call us now on 0845 070 1750 and experience our service for yourself.