Data Security and Safeguarding
VEO’s mission is to accelerate learning and improve teaching globally through connection, reflection, feedback and collaboration. Our purpose is to improve education, learning, knowledge and practice.
Keeping our users’ information safe is essential to our mission and our highest priority. We have strict measures in place to ensure your data is stored securely, safeguarding those that use our software at all times. Data is only used to support the education and learning needs of our users.
All data stored within VEO is held in a best-in-class environment that is trusted by several Government, Public Sector and Corporate organisations for storing highly sensitive data. As a leader in data storage and security, the solution provides state-of-the-art network security, electronic surveillance, physical security and multi-factor access control system to protect client data. Further details of this are available here.
Data centres have trained security teams staffing the premises 24 hours a day. Furthermore their environment is assured as compliant with the following programs:
CSA – Cloud Security Alliance Controls
ISO 9001 – Global Quality Standard
ISO27001 – Security Management Controls
ISO27017 – Cloud Specific Controls
ISO 27018 – Personal Data Protection
PCI DSS Level 1 – Payment Card Standards
SOC 1 – Audit Controls Report
SOC 2 – Security, Availability, & Confidentiality Report
SOC 3 – General Controls Report
CJIS – Criminal Justice Information Services
DoD SRG – Department of Defense Data Processing
FedRAMP – Government Data Standards
FERPA – Educational Privacy Act
FFIEC – Financial Institutions Regulation
FIPS – Government Security Standards
FISMA – Federal Information Security Management
GxP – Quality Guidelines and Regulations
HIPAA – Protected Health Information
HITRUST CSF – Health Information Trust Alliance Common Security Framework
ITAR – International Arms Regulations
MPAA – Protected Media Content
NIST – National Institute of Standards and Technology
SEC Rule 17a-4(f) – Financial Data Standards
VPAT / Section 508 – Accessibility Standards
Further information is available here.
Video Enhanced Observation Ltd. is registered with the Information Commissioner’s Office register of data controllers, reference ZA125489.
Users’ personal data will not be used for the purposes of marketing different services or organisations. Any communications will be for the purpose of enhancing their own user experience.
VEO Web and Native Apps
A user can upload video to their own private, password protected space on the VEO web app. Users can upload any video file to their private space on the VEO system.
VEO video and data uploaded to the VEO System are held on Amazon Web Services (AWS) servers and are encrypted at rest and in transit.
For organisations in the UK, all of the above services are hosted on servers based in Ireland, i.e. within the European Economic Area. Video and tag data are held separately on the AWS system, and are only pulled together in the VEO apps. All AWS security is employed, including AES256 encryption rest and SSL on transfer.
Access to the VEO web app is available on any web-enabled device, but only via the user’s unique username/ID and password. The same username and password is used for our native and web apps.
VEO will comply with the Data Protection Act in deleting any video or data that has not been accessed by users after a relevant time.
Users can delete video and data from VEO, removing them from the system completely.
Organisations using VEO should put in place appropriate consent systems, especially when dealing with children or vulnerable adults. Furthermore, participants in any VEO recordings should be notified as necessary. VEO has access to template consent forms which can be adapted by any organisations, if required.
Overall, the main objective of the GDPR is to allow individuals (or “data subjects”) to have more control over their personal data, as well as a more comprehensive understanding of how that personal data is used.
When an organisation captures a person’s image, whether it is by camera, video, or mobile phone, and that person can be identified, then the image is likely to be considered personal data under the GDPR. This means that the image must be processed in line with the data protection principles (see below).
Processing means anything this is done to the image for example recording it, using it or sharing it.
The GDPR principles
Personal data shall:
- be processed fairly and lawfully and in a transparent manner
- be collected for specified, explicit and legitimate purposes
- be adequate, relevant and not excessive
- be accurate and where necessary kept up to date
- be kept for no longer than is necessary
- processed in a manner that ensures appropriate security of the personal data
Individuals have the right to be informed about the collection and use of their personal data. This is a key transparency requirement under the GDPR. When an organisation uses the VEO services and takes a video of someone, they need to tell the person:
- that they are going to do this
- why and the legal basis
- what they are going to do with the image
- who may see it
- how it is stored and how long for, and how security is ensured
- how to exercise any other rights
- who to contact for queries
This is known as a privacy notice.
If filming is going to take place, people should be told beforehand and given the opportunity to object or simply move out of the video.
A privacy notice can be provided in a number of ways, for example by letter to the individuals concerned, on a poster put up around the organisation or on the organisation’s website.
Guidance for Schools
The DfE provides a range of model privacy notices for schools to adopt is one part of the schools communication with data subjects.
Read them here.
ICO Minimum Standards
The ICO have also set out the minimum standards of privacy notices
Read them here.
Consent must be obtained from all individuals appearing in a video – you must explain the context in which the video will be used.
Consent must be freely given, specific, informed and unambiguous.
Consent requires a positive opt-in. Don’t use pre-ticked boxes or any other method of default consent.
Make it easy for people to withdraw consent and tell them how.
Keep evidence of consent – who, when, how, and what you told people.
Keep your consent requests separate from other terms and conditions.
For young people under 16, use a parental permission form to obtain consent for a child to be videoed.
Consent may be given to cover a period of time (e.g. an academic year or another relevant time period) as long as the purpose for which consent has been given remains consistent.
Storage and Security
It is a requirement under the GDPR to make sure that personal data is kept secure; this includes video recordings. VEO is the data processor of the footage you record and its obligations are therefore limited to the more technical aspects of the services such as storage, security, retrieval and erasure. VEO uses AWS (Amazon Web Services) to host its encrypted video and data. They are one of the world’s leading service providers for hosting secure and confidential data. Details on AWS compliance with GDPR are available here.
Disclaimer: This content is provided for informational purposes only and should not be relied upon as legal advice, or to determine how GDPR might apply to any individual organisation. The information is provided “as-is” and VEO makes no warranties (express, implied or statutory) as to the content included in this document.
VEO is a platform to support professional learning in education, healthcare and commercial environments. VEO does not rely on or require Protect Health Information (PHI) in order to fulfil its education, training and knowledge sharing purposes. VEO does not actively collect or use PHI, nor will it be a future strategy of the Company.
However, VEO’s users, educators or trainees using the VEO system, may in the course of their activities upload video, tag data or video annotations which overtly or inadvertently contain PHI. VEO’s users are in complete control over with whom they share such data, and may only share that data with other users registered by the client organisation with VEO accounts. These accounts are password protected.
VEO is not used specifically to share PHI, and the focus of the video, data and annotations uploaded will be the activity of the trainees and educators, rather than the PHI itself. VEO would encourage users to reduce any use of PHI to the minimum necessary for the intended educational purposes.
VEO is a platform to support professional learning in education, healthcare and commercial environments. VEO does not rely on or require school students’ Personally Identifiable Information (PII) whether Direct or Indirect identifiers. Neither does VEO rely on or require schools students’ education records in order to fulfil its education, training and knowledge sharing purposes. VEO does not actively collect or use PII, nor will it be a future business strategy of the Company.
However, VEO’s users, educators or trainees using the VEO system, may in the course of their activities upload video, tag data or video annotations which overtly or inadvertently contain PII. VEO’s users are in complete control over with whom they share such data, and may only share that data with other users registered by the client organisation with VEO accounts. These accounts are password protected. Any PII data can be accessed at any time by data owners or school authorities on request. Any such data can be deleted by users within the system, or on request to VEO.
VEO is not used specifically to share PII, and the focus of the video, data and annotations uploaded will be the activity of the trainees and educators, rather than the PII itself. VEO would encourage users to reduce any use of PII to the minimum necessary for the intended educational purposes.