Government Data Requests
In light of the 2020 Schrems ll CJEU ruling where Privacy Shield as an EU-US data transfer mechanism was deemed inadequate, additional safeguarding measures have been recommended by the EDPB – this includes how to respond to government data requests.
As with most organisations, we may receive requests from governments exercising their legal right to seek information about you. We want to be clear with you that whilst we have never received such a subpoena or a warrant to date, we believe it is important that we are transparent with you about what steps we will take and what we will share in the event such a request is received.
While Elucidat Group is a UK registered entity, your core course content data, along with data associated with the authoring and completion of courses, is all stored within the EU. As a global business we’ll apply the same level of protection to all of our customer’s data no matter where you reside. Similarly any government data requests will be treated the same irrespective of where they originate.
So, what will we do?
We will implement our 5 step plan to any government data request:
- Legitimacy. We will always assess the legitimacy of any request including the identity of the sender - this may mean we take steps such as requesting identification.
- Relevance and specificity. We won’t be a party to blanket requests and are aware that requests should be focussed on specific individuals or specific investigations. We will not be obstructive to government requests; we just won’t provide any more of your data than is required!
- Balance. We will always balance our response to any request of this nature with our commitment to uphold your privacy rights. We will narrow the scope of requests or refuse to respond to requests where we deem them inappropriate.
- Notice. Unless restricted by the request itself we will notify you where you are affected. If we are legally prohibited from notifying you about a request at the time, we will do so when that prohibition ends.
- Protection. All of our data is encrypted in storage and in transit already. In addition, our customers have control over their data at all times because our authoring app gives customers the choice over what content they create, publish and who they give access to.
As a SaaS provider we already have robust operational and technical security procedures in place to ensure there is no unauthorised disclosures of data. Full details can be found in our Security Policy.
We will be monitoring any further recommendations and compliance measures in relation to transfers of personal data, particularly where data flows intersect between the EU and any third countries.
If you have any questions about this policy please do email us at: firstname.lastname@example.org.