Data Protection and Security

System: Employee Attendance Cloud (EAC) cloud-based time and attendance system


Our commitment to data protection

In common with all UK businesses, we aim to comply with current data protection legislation and any changes to that legislation. The protection of data provided by our customers for their own use on an EAC system is considered to be as important as the protection of Chronologic’s own customer data. Both are critical to the operation of our business. We take our common responsibility to protect shared data very seriously and regularly review what we can do to mitigate the risk of data loss.

Data protection is a common responsibility

Time and attendance systems are designed to contain personal data obtained by an employer as part of the employer/employee relationship. Access to that data must be restricted, and all parties with access to it must comply with data protection legislation, which includes the (UK) Data Protection Act 2018 and the EU General Data Protection Regulation (GDPR), effective from 25 May 2018.

All parties that have access to an EAC account share a common responsibility for security and compliance with data protection legislation. This includes the input of data into the system, processing and storage of data and outputs such as reports.

This Data Protection Statement sets out our understanding of the data flows and access between our organisation and a customer’s organisation, and the responsibilities for the protection of that data that are put in place.

The EAC system

The EAC system is owned by Chronologic and developed by HR Industries Ltd, a UK company. Chronologic is a business partner of HR Industries Ltd. and is responsible for sales, marketing, system configuration, training and support for our customers in the UK and Europe.

The EAC time and attendance system software is installed on servers in the Amazon Web Services (AWS) data centre. Each customer, once set up, controls access to their EAC online account, populates it with employee information and manages that information.

It is the responsibility of Chronologic’s customers to maintain the security of access to their EAC account system. Password protection is built into the system. System administrators need to observe password security disciplines. Customers need to apply the data protection measures they already have in place for their own IT systems to the EAC account system.

Personal data held on an EAC account system

Data input

The range of personal employee data held is determined by our customers. Standard information includes first and last names, email address, phone number, payroll number and base pay hourly rate; more information can be added if required by the customer.

Clocking-in data can be input into the system using a wide range of options including:

  • Fingerprint and facial recognition terminals; RFID proximity fob terminals. Terminal connections can be wired (plugged into your network) or over WiFi.
  • Self-service web clocking for PC, Mac, tablet or smartphone, using a PIN (personal identification number) and geolocation.
  • Smartphone clocking using an Android or iOS app.

Clocking terminals located on customer or third-party premises collect clocking data. The terminals synchronise with the server every time there is a clocking event. This clocking data is associated with a personal identifier corresponding to an individual employee and is transmitted in an encrypted format.

The smartphone clocking apps comply with the relevant Google security standards. The risk of interception of data packets and data loss for individual clocking instances is considered to be negligible.

Data output

The output of personal data from an EAC online account is controlled and managed by the customer. Access to the system is managed by the customer’s administrator(s) and is password protected.

Chronologic access to customer data

Chronologic is a business partner of HR Industries Ltd. and is responsible for sales, marketing, system configuration, training and support for our customers in the UK and Europe. As the development partner for the system, HR Industries may need to access the EAC database to ensure functionality is working correctly and that reports access and manipulate the data accurately. Databases shared with HR Industries have all personal data removed other than the data required to ensure the system is functioning correctly.

Chronologic has access to:

  • EAC online accounts, via an administration portal and the AWS portal.
  • A monitored desktop sharing program called ISL.

Trained employees in Chronologic’s Customer Support team have access to customers’ employee data for support purposes only (Chronologic does not use outside contractors). Chronologic does not allow system access to customers’ sub-contractors when they are employed to provide installation services; all system configuration is carried out remotely by Chronologic staff.

Chronologic maintains strict IT procedures and security methods to protect its own IT infrastructure.

AWS access to customer data

AWS could in theory access EAC accounts, although they have no reason to do so. AWS has been GDPR compliant since 25 May 2018 and continues to update its compliance in line with new legislation as it is introduced.

System resilience

Database backups

EAC accounts are backed up daily; the backup files are stored in an encrypted AWS S3 storage container. Backups are retained for 15 days and then deleted.

System accessibility

System accessibility issues can be divided into two main areas:

  1. Connectivity issues

    An outage of internet access within the customer environment, as shown in the schematic below.

  2. Application server

    The application server is constantly monitored and has alerts set if thresholds are exceeded. If the application server is unavailable, clocking events will be held in the clocking machine(s) / smartphone app until the server is available to receive.

Risk of data loss

Risk of data loss can be divided into three main areas:

  1. Unauthorised AWS access

    The EAC system is hosted in the AWS data centre. It is secured by restricting access by IP address, by firewall rules that close all ports not required, and by multi-factor authentication (MFA) for access.

  2. Human error resulting in unauthorised access to system credentials or unauthorised disclosure of data or reports containing data.

    a. Unauthorised access to or use of the system by personnel due to lack of password control/security.
    b. Lack of data security for reports and data exports distributed within the customer environment.

  3. Any vulnerability of the system to incursions by third parties to capture data.

    The risk of loss of personal data through incursions into an EAC account resulting in a data breach is considered to be extremely low because of the way in which the system is implemented and operated.

[Schematic: Chronologic and customer data flows and responsibilities for GDPR (GDPR server configuration)]

Customers

Access to an EAC account is locked with a username and password. The self-management of the system enables customer administrators to create and manage their own access levels within the system. This process needs to be managed through the customer’s own IT policies and procedures.

Reports can be generated by the system detailing a range of information from an employee’s hours, to their personal data. Reports that are generated and/or printed by customers are subject to their own IT, security and data protection policies and procedures.

Chronologic

Chronologic relies on its operating procedures, and the experience and training of its staff to ensure that account credentials and other information are not inadvertently released to unauthorised parties.

Chronologic system development and support staff have access to a customer’s system and access it when required to provide support to customers.

Chronologic may on occasion run a report as part of support activity. If these reports need to be retained, storage is strictly controlled and subject to Chronologic’s IT, security and data protection policies and procedures. If these reports need to be destroyed, they are shredded on-site using a heavy-duty cross-cut shredder.

More information

If you would like further information about the security aspects of your EAC account or need help setting up access levels please get in touch.

For general information about Data Protection and GDPR visit the Information Commissioner's Office (ICO) website.