Data Protection & Management

Q: Who owns the data that is uploaded into the database?

Answer

CBs own the data on Certified Entities. Data on Certified Entities will never be sold or transferred to any third parties. IAF will own the data analysis derived from the aggregation and anonymization of data from Certified Entities. IAF Database LLC will utilize this aggregated and anonymized data to provide paid-for analytical services to CBs and ABs. These services will be strictly governed by the DMC. Confidential aggregation information on CB market share will not be sold to other CBs.

Q: Where is the data held?

Answer

The data is held on an Amazon Web Services Server in Frankfurt, Germany.

Q: What are the data protection arrangements?

Answer

One of the most pressing issues that has thwarted the upload of certification data by CBs has been concerns over data ownership, privacy, data management, and liability. The DMC has already implemented several changes to address these, including precluding the upload of personal data (i.e., IAF CertSearch does not include personal contact details of any certified entities). IAF CertSearch also has continuous user monitoring to regulate certification verifications and to block any attempted data mining activities.

All data uploaded by CBs into IAF CertSearch, including details of certified entities, shall remain the property of CBs. Therefore, IAF Database LLC has stipulated the highest level of data security that is commercially viable, and QualityTrade is required to secure cyber security insurance with primacy to IAF Database LLC in the event of any claims.

Q: Have the data security arrangements been evaluated by a third party?

Answer

Yes, UKAS commissioned a data security review in the form of an Independent Cyber Security Assessment from GridCert. The conclusion of this review was: “Existing security measures are appropriate to provide a high level of assurance that Quality Trade, in the operation of the IAF CertSearch database, are using reasonable and proportionate measures to ensure that users’ data is secure, as evidenced through the security review.”

Q: Will other ABs or CBs be able to see our data?

Answer

CBs will not be able to see the data of other CBs or see the market share of other CBs. In addition, ABs will not be able to access the data related to their accredited CBs, unless they have uploaded the data themselves or received consent from the CB.

Q: Can confidential entities or certificates be excluded from the external website?

Answer

Certification Bodies can tag individual certificates or organisations as confidential within the IAF CertSearch dashboard or within a special field in the data upload. When an external user searches for these organisations, the certification details will not be shown. Users seeking to verify these certificates will be directed to contact the certification body directly via a form for further information.
