L.E.A.D. IT Services GDPR Compliance, Data Protection & Security Measures

  1. Statement of Capability

L.E.A.D. IT Services confirms that it has in place the necessary human, organisational and technical resources to deliver the contract in full compliance with the UK General Data Protection Regulation (UK GDPR) and associated legislation.

As outlined within our existing security model, our approach is based on a defence-in-depth and zero trust security architecture, embedded across all connectivity, cloud, safeguarding and support services.

We operate as a Data Processor on behalf of the Trust and are fully committed to protecting the rights and freedoms of all data subjects through secure, transparent and auditable processing practices.

  2. Technical Measures

2.1 Encryption and Protection of Personal Data

  • All personal data is protected in transit and at rest using industry-standard encryption protocols
  • Secure technologies include:
    • Encrypted VPN tunnels (IPsec) across the Trust WAN
    • Secure HTTPS/TLS communications for cloud services
    • Encrypted backups and storage within UK-based data centres
  • Logical data separation ensures Trust data is isolated from other environments

2.2 Access Control Mechanisms

  • Role-Based Access Control (RBAC) implemented across all systems
  • Least privilege principles enforced for all user and administrative access
  • Segregation of duties between technical, safeguarding and administrative roles
  • Full audit logging of all privileged access and configuration changes

2.3 Multi-Factor Authentication (MFA)

  • MFA is mandated across all critical systems, including:
    • Microsoft 365 and Azure environments
    • Remote access and administrative systems
    • All engineer and privileged accounts
  • Conditional Access policies apply additional sign-in conditions (for example device compliance, location and sign-in risk) before access is granted

2.4 Network and System Security Controls

  • Multi-layered security architecture including:
    • Next-generation firewalls with intrusion prevention and threat detection
    • Network segmentation to limit lateral movement
    • Secure cloud architecture hosted in UK Microsoft Azure regions
  • Continuous monitoring across:
    • School networks
    • Trust WAN
    • Cloud environments
  • Alignment with:
    • DfE Digital & Technology Standards
    • Keeping Children Safe in Education (KCSIE)
    • Cyber Essentials Plus controls

2.5 Testing, Monitoring and Vulnerability Management

  • Continuous system and security monitoring (24/7/365)
  • Regular vulnerability scanning and patch management
  • Proactive alerting for suspicious or anomalous activity
  • Annual cyber security reviews and ongoing configuration validation
  • Security logs retained and reviewed to support investigation and compliance

2.6 Systems Resilience and Disaster Recovery

  • High availability architecture including:
    • Dual connectivity with automatic failover at each site
    • Redundant firewalls and infrastructure
    • Azure Availability Zones for resilience
  • Backup and recovery:
    • Encrypted backups with defined RPO/RTO
    • Regularly tested restoration processes
  • Documented disaster recovery runbooks maintained and reviewed

2.7 Independent Assurance and Certifications

  • Cyber Essentials Plus certified
  • ISO 27001 – currently in progress (formal certification pathway underway)
  • Full alignment with recognised cyber security frameworks and DfE standards
  • Security documentation (including testing and assurance artefacts) available under NDA

  3. Organisational Measures

3.1 Data Protection Leadership

  • Named GDPR Lead:
    Lee Jepson – Director of IT
    Email: leejepson@leaditservices.co.uk

3.2 ICO Registration

  • Registered with the Information Commissioner’s Office (ICO):
    Registration Number: ZB027294

3.3 Regulatory Compliance Record

  • L.E.A.D. IT Services confirms:
    • No history of ICO fines, enforcement actions or reprimands

3.4 Transparency and Privacy Information

  • Clear privacy notices and data handling statements are maintained
  • Data processing activities are documented and aligned to lawful processing principles

3.5 Policies and Procedures

Documented and actively maintained policies include:

  • Data Protection Policy
  • Information Security Policy
  • Acceptable Use and Access Control Policies
  • Data Retention and Secure Disposal Policy
  • Incident Response and Data Breach Management Policy

These policies are reviewed regularly and embedded into operational practice.

3.6 Staff Confidentiality and Training

  • All staff and contractors are:
    • Subject to contractual confidentiality obligations
    • Enhanced DBS checked (education sector requirement)
  • Mandatory training includes:
    • Annual GDPR and data protection training
    • Cyber security awareness
    • Safeguarding and KCSIE alignment

3.7 Sub-Processor Management

  • Where third-party platforms are used (e.g. cloud hosting or security tooling), L.E.A.D. IT Services ensures:
    • All providers act under appropriate data processing terms
    • Equivalent UK GDPR obligations are contractually enforced
  • We commit to:
    • Obtaining prior written consent before appointing or changing sub-processors
    • Maintaining full transparency of sub-processor usage

3.8 Data Subject Rights Support

We implement processes and system capabilities to support:

  • Subject Access Requests (SARs)
  • Data rectification, erasure and restriction requests
  • Data portability where applicable

We work in partnership with the Trust to ensure responses are delivered within statutory timescales.

3.9 Audit and Inspection Rights

  • We fully support:
    • Customer audits and inspections
    • Provision of relevant documentation and evidence
  • Security artefacts (e.g. policies, reports, testing outputs) available under NDA

3.10 Personal Data Breach Management

  • Documented breach response process aligned to UK GDPR
  • Commitment to:
    • Notify the Trust without undue delay after becoming aware of a personal data breach
    • Provide full investigation support and reporting
    • Assist with ICO notification and data subject communication where required

3.11 Data Return and Secure Deletion

  • At contract termination, we will:
    • Return or securely delete all personal data (as instructed by the Trust)
  • Secure deletion methods are applied in line with recognised standards

3.12 Support for Controller Obligations

We actively support the Trust in meeting its legal obligations, including:

  • Article 32 – Security of processing
  • Articles 33 & 34 – Personal data breach management
  • Article 35 – Data Protection Impact Assessments (DPIAs)
  • Article 36 – Consultation with the ICO

This includes provision of technical information, risk assessments and compliance input as required.

  4. Continuous Compliance and Partnership Approach

Our GDPR compliance model is not static. As detailed in our submission, we operate a continuous improvement and governance-led approach, including:

  • Regular compliance reviews with the Trust
  • Ongoing monitoring of regulatory and legislative changes
  • Integration of data protection into service governance and reporting
  • Continuous staff training and awareness

This ensures compliance remains current, auditable and aligned to evolving best practice.

  5. Supporting Documentation

L.E.A.D. IT Services confirms that supporting documentation is available and will be provided upon request, including:

  • Policies and procedures
  • Certification evidence (Cyber Essentials Plus)
  • Data Processing Agreements
  • Security and incident response documentation
  • Training records and governance artefacts

Conclusion

L.E.A.D. IT Services provides a mature, secure and fully compliant data protection framework, combining robust technical controls with strong governance and accountability.

Our approach ensures that the Trust can operate with confidence that:

  • Personal data is secure, protected and lawfully processed
  • Data subject rights are fully upheld
  • Compliance with UK GDPR is demonstrable, auditable and continuously maintained