ELC APPLICATION FORM – INFORMATION ASSURANCE QUESTIONS

The Ministry of Defence requires all Enhanced Learning Credit (ELC) Learning Providers to demonstrate their compliance to securely safeguard all ELC scheme related data and activities by providing evidence to the following questions. Examples of good practice are provided. It is a requirement for all ELC Learning Providers to continually review their Information Assurance arrangements on an annual basis. All ELC Learning Providers are legally obliged to review and update this form during the intervening period should any changes impact their Information Assurance arrangements.The Ministry of Defence reserves the right to review all supporting evidence and documents anytime throughout a Learner Provider’s ELC Scheme membership.

HARDCOPY
Where personal data on students is stored in hard copy, what controls are in place to safeguard this information?
e.g. Secure Cabinets, Access restricted to limited staff, Personal data not routinely carried in transit, A defined Data Protection Act compliant document handling policy
Where is this data stored?
e.g. Secure Cabinets, Secure location (Guarding, Access Control etc), Secure container when in transit i.e. combination case
How long is this data retained for?
e.g.Policy which confirms personal data isn’t kept for longer than necessary i.e. not retained indefinitely, A disposal schedule policy is defined and is in place
How is this data disposed of when it is no longer required?
e.g. On site secure shredding facilities, On site via approved disposal contractors, Off site via approved disposal contractors
Who has access to this data?
e.g. Evidence access is closely managed, Access limited to restricted numbers i.e. only identified personnel involved in the administration and delivery of ELCAS services
IT SYSTEMS
Where personal data on students is stored electronically, what controls are in place to safeguard this information?
e.g. Encryption facilities, Firewall and Anti Virus solution, IT systems Independently verified i.e. ISO 27001, Account based access (password & user name), Activity/audit logging, Security Operating Procedures which users are required to sign up to
Where is this data stored i.e. remote or local servers?
e.g. Stored locally (on site) on secure system (physical and software/hardware), Stored remotely (off site) on secure system via approved Hosting providers
How long is this data retained for?
e.g. Policy which confirms personal data isn’t kept for longer than necessary i.e. not retained indefinitely, A disposal schedule policy is defined and is in place
How is this data disposed of when it is no longer required?
e.g. Details of the disposal process e.g. company personnel, system administrators and/or evidence of industry level disposal tools etc.
Evidence of the disposal process used for redundant IT
Does your organisation have policies in place covering the control of removable media, which includes laptops, removable disks, CDs, USB memory sticks, PDAs and media card formats?
e.g. A policy is in place which defines the policy for the use removable media including a procedure to ensure personnel read, agree and comply (security operating procedures), Only company approved devices are used i.e. no personal devices, All removable media is encrypted
Is this data shared or accessible by any 3rd parties such as sub-contractors?
e.g. Evidence of controls to manage sub-contractors/supplier activity, Awareness/understanding of access by sub-contractors/suppliers to ELCAS data, Evidence checks are performed on sub-contractors/suppliers and their personnel? Evidence sub-contractors/suppliers are required to comply with company policy, Non-disclosure agreements
PERSONNEL
What employment checks are performed on personnel in your organisation who have access to student personal data?
e.g. Criminal Record Checks, Employment Checks/References
Is a process in place to ensure personnel within your organisation who have access to student data, receive the appropriate information risk/data protection training?
e.g. A defined information risk/data protection programme
Does your company operate non-disclosure agreements for personnel who have access to student data?
e.g. Evidence of non disclosure agreements
Do you have any agents such as sub-contractors or suppliers who are not directly employed by your company who assist in the delivery of your product or service who may access to student data?
e.g. Evidence of controls to manage sub-contractors/supplier activity, Awareness/understanding of access by sub-contractors/suppliers to ELCAS data, Evidence checks are performed on sub-contractors/suppliers and their personnel? Evidence sub-contractors/suppliers are required to comply with company policy, Non-disclosure agreements
How does your company gain assurance that these agents such as sub-contractors or suppliers comply with your risk and security policies?
e.g. Evidence of controls/safeguards which prevent unauthorised access, A defined policy is in place to manage sub-contractors/suppliers to ensure compliance with company policy and procedures.
Does your company have an effective leaver’s process which ensures on termination of their contract personnel will no longer have access to student data, IT systems and where applicable premises?
e.g. Evidence a process is in place and is routinely undertaken

Organisation Name______

Learning Provider ID______

Position in Company______

Print name ______

Signed______

Date______

PLEASE UPLOAD THIS COMPLETED FORM WITHIN THE ASSOCIATED DOCUMENTS AREA OF YOUR ONLINE PORTAL

ELC 007-12 05/04/16 02

Page 1 of 7

RESTRICTED – COMMERCIAL MOD DOCUMENT