DPIA support document

Data & information security overview

This document is maintained by Holiday Activities Information Security Compliance team, and reflects the current information security and management procedures, controls, policies and practices across the company. It aims to clarify Holiday Activities’ position in the data processing chain and answer frequently asked questions.

Company overview

Controller Name Evouchers Limited

ICO Registration Number ZB504479

Head of Information Security Gemma Stannard

Data Protection Manager David King

Data Protection email data@evouchers.com

Data Protection and Information Security key information

Here you’ll find further information about Holiday Activities, including general information, the purpose of the application and how we manage data subject rights.

The Holiday Activities Platform is produced by Evouchers Limited (trading as Holiday Activities), more information can be found at https://www.holidayactivities.com/.

Section 1

General details about Evouchers

Evouchers Limited

Private limited company

14159254

Furlong House, 2 Kings Court, Newmarket, Suffolk, England, CB8 7SG

Software development

N/A

2022

Section 2

Contact details

These are the ways that customers can contact Holiday Activities.

01638 438094

Monday to Friday 8.30am to 5.30pm

David King

Data Protection Manager

01638 438094

Section 3

Accountability

This can be found on our website, and is located here

An example of our legal documentation is available at https://www.holidayactivities.com/legal-documents/

This can be provided on request.

We have an internal Data Protection Policy, which can be provided on request.

Held as part of our ISO 27001 certified Information Security Management System (ISMS), can be provided on request.

As part of our ISO 27001 certified ISMS, we have a remote working policy which can be provided on request.

No

Our data breach responsibilities are documented in our Data Processing Agreement. Additionally we have an internal data incident response policy which is reviewed annually.

User passwords are marked based on how easy a password is to guess, no explicit policy is provided to users.

Our business continuity plan is held as part of our ISO 27001 certified ISMS and can be provided if required.

Yes

Annually at minimum

ZA118834

99.5%

On induction and then annually, applies to all staff

On induction and then annually, applies to all staff

Section 4

Accreditations

14/12/2023

31/01/2024

Yes, the whole organisation

Yes

No

Not applicable

Section 5

About your software application

Holiday Activities

Holiday Activities is the dedicated platform built to run and report on your local authority HAF programme. Whether you are a local authority, parent/recipient, school or activity provider we aim to make the process of distributing and using HAF vouchers as simple as possible.

Yes

Improvements in the provision of Holiday Activity Fund vouchers to students

Parents and other consumers can buy the app

Yes

Yes

We request access to SEN information to support our platform functionality. Additional special category data may be collected directly from parents when booking an activity.

No

Yes. When booking onto an activity, a parent may provide supporting information such as details on allergies.

Support staff

They don’t use this app.

Students and Contacts

Holiday Activities will request information on all students and their contacts.

Personal and optional special category

This information is used to provide platform functionality (such as filtering) and to send out Holiday Activities Fund vouchers

No

This is not applicable, we only collect data necessary for our functionality.

This app doesn’t need to meet the code

We develop the app ourselves

Holiday Activities is developed and maintained in the United Kingdom.

Yes

Section 6

Data protection

Yes. Access to customer data is highly restricted. However, all employees undergo employment screening and are DBS checked on joining the business.

Within the EEA

Holiday Activities has a list of sub-processors on our website

No

No

Yes

More information on our retention period can be found in our Data Processing Agreement.

No

No

Yes, AWS (Amazon WebServices) computing environments are continuously audited, with certifications from accreditation bodies across the world, including ISO 27001, FedRAMP, DoD CSM, and PCI DSS Holiday Activities requires that all API calls are authenticated with a secure API token and transmitted on a secure SSL connection. Additionally, backups are all managed and stored in AWS and are encrypted at rest. The system maintains an automated 17 day back-up policy, where Holiday Activities can restore the database to any point in time within that time window.

Yes

Yes

Yes

Yes

No

Yes

Yes

Yes

Yes

Yes

Data subject rights

1. The right of rectification

Yes. Access to customer data is highly restricted. However, all employees undergo employment screening and are DBS checked on joining the business.

2. The right to erasure

Holiday Activities can delete data if required. Contact will be made with the school and/or local authority prior to doing so.

3. The right to restrict processing

Holiday Activities provides schools the ability to block specific individual data sets on the application.

4. The right to be informed

We will provide all users with an accessible privacy policy and data agreements where applicable.

5. The right of access

If a data subject contacts Holiday Activities directly, we will contact the school to confirm data can be provided. Requests can be made to support@holidayactivities.com.

6. The right to data portability

Data can be extracted in the form of a CSV file to be used elsewhere.

7. The right to object

At the request of the school, or the data subject via the school, Holiday Activities can block an individual’s data from being processed.

Section 7

Network security

This section explores how secure your network is and the software it runs.

More frequently than annually

Yes

Yes

Yes

Section 8

Risk Management

Accidental or unlawful destruction, unauthorised disclosure and unauthorised access

Yes

Yes

Yes

Yes

Yes