Key decision makers and key people at Unicorn Training Group are aware that the law has changed to GDPR (DPA 2018) and have provided the required resources to ensure compliance. This includes having a project manager dedicated to GDPR compliance, ensuring that key objectives and milestones have been met. Our staff must also complete GDPR and information security training courses and assessments annually.
Data Protection Officer
Unicorn have designated a Data Protection Officer who is responsible for data protection compliance and has the knowledge, support and authority to carry out this key role effectively.
Information Security and Third-Party Audit
Unicorn operate an ISO 27001 certified Information Security Management System (ISMS) to ensure that the appropriate technical and organisational measures are in place to protect the confidentiality, integrity and availability of personal data. The scope includes our offices and hosting environments. Our ISMS is independently audited by the British Standards Institute (BSI) to validate that it is implemented correctly, and that the data we process is adequately protected.
By default, Unicorn LMS data is retained for the duration of the service being provided. As the data controller, our customers can delete an Individual's personal data from their account whilst the service is active if this is required.
If the service is terminated, we will ask the customer to specify whether we are to permanently delete the data or archive the database as an encrypted off-site backup for potential future access. If we cannot contact the customer, we will retain the data for 90 days and then permanently delete it. Once deleted, no other copies remain and the deletion is permanent. If the database is archived, we will keep it for up to 6 years before permanently deleting it.
Personal Data Processed by Unicorn LMS
Unicorn LMS has been designed to process the following types of personal data: name, company provided email address, photograph, about/bio, employment start/end, job title, employee ID, line manager, job role and performance reviews. Additionally, login times, system actions, content usage, assessment results, and continued professional development (CPD) are also recorded for each user account. We process data that our customer and the end user choose to include as part of the provision of the Services ("incidentally-collected Personal Information"). Unicorn LMS has not been designed to process sensitive/special categories of personal data. Unicorn are the data processor and our customers are the data controller; therefore, it is our customers who ultimately determine what personal data is processed and the legal basis for doing so.
Data Processing Locations
All Unicorn LMS data is processed within the EU.
Datacentre: Equinix TeleCity data centre at Powergate, Acton, London (Unicorn manage all equipment and Equinix staff do not have the ability to log in to any Unicorn system)
Offsite Encrypted Backups: Amazon S3 Ireland (decryption keys not stored with backups)
DR Environment: Microsoft Azure Holland (The DR solution is not a hot standby and our customer’s data is not currently stored within it. Data will only be stored in this environment during a genuine disaster recovery scenario.)
All equivalent security controls apply to all locations.
We do not transfer Unicorn LMS data to any other third parties.
Unicorn LMS Privacy Information
The Unicorn LMS privacy notice is publicly available from: https://www.unicorntraining.com/privacy-and-cookie-policy
Subject Access Requests and the Rights of Individuals
Unicorn LMS has built-in features that enable our customers to respond to subject access requests and deliver the GDPR data subject rights.
• The right to be informed - The Unicorn LMS privacy notice is easily accessible online and describes how a user’s personal data is processed. Customers who have their own single-tenancy LMS instance can include a link to their own privacy notice when a new user logs in.
• The right of access - Unicorn LMS administrators can run reports against individuals to provide a copy of the personal data undergoing processing. Active users can also log in to Unicorn LMS and access their information online.
• The right to rectification - Unicorn LMS administrators can edit records to rectify inaccurate or incomplete data concerning users.
• The right to restrict processing - Unicorn LMS administrators can archive user accounts to suppress any further processing of the personal data. This can be done manually or set up as an automated task based on the length of user inactivity.
• The right to erasure - Unicorn LMS administrators can delete all personal data associated with a user account. This can be done manually or set up as an automated task based on the length of time an account has been archived or a user has been inactive.
• The right to data portability - Data can be exported using the reporting feature to CSV or XLS open file formats.
• The right to object - Unicorn LMS administrators can archive an individual’s account and delete their personal data. The Unicorn Helpdesk can assist our customers with requests if required.
In the unlikely event of a personal data breach, procedures are in place to detect, report and investigate the event.
Privacy by Design
Unicorn operate a privacy by design approach to ensure that we have considered and integrated data protection into our data processing activities at every stage. We have a framework in place to conduct Privacy Impact Assessments (PIAs), assess risks, conduct information audits, document information flows, and record the personal data we process.
Appendix 1 – GDPR Processor Obligations
| Chapter | Article | Obligations on data processor | How Unicorn Training Group complies |
|---|---|---|---|
| 4 Controller and processor | 27 | Must designate representative within the EU. | N/A. Unicorn are based in the UK and process data only within the EU. |
| | 28 | Definition of Data Processor and Data Controller | For the purposes of the Data Protection Legislation, Unicorn’s customer is the data controller and Unicorn is the data processor. |
| | 28(2) | Must not engage another sub-processor without data controller’s consent | The 2018 Unicorn LMS terms and conditions state that the customer consents to Unicorn using third party processors. Unicorn currently use the following sub-processors: (1) Amazon S3 hosted in Ireland for storing encrypted offsite backups (decryption keys not stored with backups); (2) Microsoft Azure hosted in Holland for our DR environment. Note: the DR solution is not a hot standby and our customer’s data is not currently stored within it. Data will only be stored in this environment during a genuine disaster recovery scenario. |
| | 28(3) | There must be a binding contract or other legal act between the data controller and the data processor, including the obligations required under GDPR. | The 2018 Unicorn LMS Terms and Conditions include the conditions set out in Article 28(3) (a-h). |
| | 28(4) | Any sub-processor must be engaged under the same obligations as referred to in Art 28(3) above | Unicorn ensure that sub-processors are bound by written agreements that state the level of data protection is at least equivalent to what is required in the 2018 Unicorn LMS Terms and Conditions. https://help.unicornlms.com/hc/en-us/articles/360000307885-Data-Protection-GDPR-Update-Clause |
| | 29 | Must not process other than in accordance with data controller’s instructions | The 2018 Unicorn LMS Terms and Conditions, as well as the customer’s own usage and configuration of the system, are the customer’s instructions to Unicorn for processing any personal data. Unicorn will not process data outside of this scope. |
| | 30(2) | Must maintain records of processing activities | Unicorn maintain records of the processing activities performed on behalf of our customers. |
| | 31 | Must co-operate with supervisory authority | Unicorn will cooperate with the ICO. |
| | 32 | Must implement appropriate technical and organisational measures | Unicorn operates an ISO 27001 certified Information Security Management System. |
| | 33(2) | Must notify data controller without undue delay of personal data breach | Unicorn will notify the customer without undue delay on becoming aware of a Personal Data breach. |
| | 37(1) | Must designate Data Protection Officer (“DPO”) in certain circumstances | Unicorn have appointed a data protection officer. |
| | 37(7) | Must publish and communicate contact details of DPO | Unicorn will provide details of the data protection officer to our customers on request. |
| | 38 | Must comply with rules regarding expected duties of the DPO | Unicorn follow the rules regarding the duties of the DPO. |
| 5 Transfers of personal data to third countries or international organisations | 46 | Must only transfer or disclose personal data to a third country where based on international agreement. | Any judgement of a court or tribunal and any decision of an administrative authority of a third country requiring Unicorn to transfer or disclose personal data may only be recognised or enforceable in any manner if based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or a Member State, without prejudice to other grounds for transfer pursuant to this Chapter. |