DPIA support document
Data & information security overview
This document is maintained by Holiday Activities Information Security Compliance team, and reflects the current information security and management procedures, controls, policies and practices across the company. It aims to clarify Holiday Activities’ position in the data processing chain and answer frequently asked questions.
Company overview
Controller Name Evouchers Limited
ICO Registration Number ZB504479
Head of Information Security Gemma Stannard
Data Protection Manager David King
Data Protection email data@evouchers.com
Data Protection and Information Security key information
Here you’ll find further information about Holiday Activities, including general information, the purpose of the application and how we manage data subject rights.
The Holiday Activities Platform is produced by Evouchers Limited (trading as Holiday Activities), more information can be found at https://www.holidayactivities.com/.
Section 1
General details about Evouchers
Evouchers Limited
Private limited company
14159254
Furlong House, 2 Kings Court, Newmarket, Suffolk, England, CB8 7SG
Software development
N/A
2022
Section 2
Contact details
These are the ways that customers can contact Holiday Activities.
01638 438094
Monday to Friday 8.30am to 5.30pm
David King
Data Protection Manager
01638 438094
Section 3
Accountability
This can be found on our website, and is located here
An example of our legal documentation is available at https://www.holidayactivities.com/legal-documents/
This can be provided on request.
We have an internal Data Protection Policy, which can be provided on request.
Held as part of our ISO 27001 certified Information Security Management System (ISMS), can be provided on request.
As part of our ISO 27001 certified ISMS, we have a remote working policy which can be provided on request.
No
Our data breach responsibilities are documented in our Data Processing Agreement. Additionally we have an internal data incident response policy which is reviewed annually.
User passwords are marked based on how easy a password is to guess, no explicit policy is provided to users.
Our business continuity plan is held as part of our ISO 27001 certified ISMS and can be provided if required.
Yes
Annually at minimum
ZA118834
99.5%
On induction and then annually, applies to all staff
On induction and then annually, applies to all staff
Section 4
Accreditations
14/12/2023
31/01/2024
Yes, the whole organisation
Yes
No
Not applicable
Section 5
About your software application
Holiday Activities
Holiday Activities is the dedicated platform built to run and report on your local authority HAF programme. Whether you are a local authority, parent/recipient, school or activity provider we aim to make the process of distributing and using HAF vouchers as simple as possible.
Yes
Improvements in the provision of Holiday Activity Fund vouchers to students
Parents and other consumers can buy the app
Yes
Yes
We request access to SEN information to support our platform functionality. Additional special category data may be collected directly from parents when booking an activity.
No
Yes. When booking onto an activity, a parent may provide supporting information such as details on allergies.
Support staff
They don’t use this app.
Students and Contacts
Holiday Activities will request information on all students and their contacts.
Personal and optional special category
This information is used to provide platform functionality (such as filtering) and to send out Holiday Activities Fund vouchers
No
This is not applicable, we only collect data necessary for our functionality.
This app doesn’t need to meet the code
We develop the app ourselves
Holiday Activities is developed and maintained in the United Kingdom.
Yes
Section 6
Data protection
Yes. Access to customer data is highly restricted. However, all employees undergo employment screening and are DBS checked on joining the business.
Within the EEA
Holiday Activities has a list of sub-processors on our website
No
No
Yes
More information on our retention period can be found in our Data Processing Agreement.
No
No
Yes, AWS (Amazon WebServices) computing environments are continuously audited, with certifications from accreditation bodies across the world, including ISO 27001, FedRAMP, DoD CSM, and PCI DSS Holiday Activities requires that all API calls are authenticated with a secure API token and transmitted on a secure SSL connection. Additionally, backups are all managed and stored in AWS and are encrypted at rest. The system maintains an automated 17 day back-up policy, where Holiday Activities can restore the database to any point in time within that time window.
Yes
Yes
Yes
Yes
No
Yes
Yes
Yes
Yes
Yes
Data subject rights
1. The right of rectification
Yes. Access to customer data is highly restricted. However, all employees undergo employment screening and are DBS checked on joining the business.
2. The right to erasure
Holiday Activities can delete data if required. Contact will be made with the school and/or local authority prior to doing so.
3. The right to restrict processing
Holiday Activities provides schools the ability to block specific individual data sets on the application.
4. The right to be informed
We will provide all users with an accessible privacy policy and data agreements where applicable.
5. The right of access
If a data subject contacts Holiday Activities directly, we will contact the school to confirm data can be provided. Requests can be made to support@holidayactivities.com.
6. The right to data portability
Data can be extracted in the form of a CSV file to be used elsewhere.
7. The right to object
At the request of the school, or the data subject via the school, Holiday Activities can block an individual’s data from being processed.
Section 7
Network security
This section explores how secure your network is and the software it runs.
More frequently than annually
Yes
Yes
Yes
Section 8
Risk Management
Accidental or unlawful destruction, unauthorised disclosure and unauthorised access
Yes
Yes
Yes
Yes
Yes