elc application form – additional questions

ELC APPLICATION FORM – INFORMATION ASSURANCE QUESTIONS
The Ministry of Defence requires all Enhanced Learning Credit (ELC) Learning Providers to demonstrate their compliance to securely
safeguard all ELC scheme related data and activities by providing evidence to the following questions. Examples of good practice are
provided. It is a requirement for all ELC Learning Providers to continually review their Information Assurance arrangements on an annual
basis. All ELC Learning Providers are legally obliged to review and update this form during the intervening period should any changes impact
their Information Assurance arrangements. The Ministry of Defence reserves the right to review all supporting evidence and documents
at any time throughout a Learning Provider’s ELC Scheme membership.
HARDCOPY
Where personal data on students is stored in hard
copy, what controls are in place to safeguard this
information?
e.g. Secure Cabinets, Access restricted to limited staff,
Personal data not routinely carried in transit, A defined Data
Protection Act compliant document handling policy
Where is this data stored?
e.g. Secure Cabinets, Secure location (Guarding, Access
Control etc), Secure container when in transit i.e.
combination case
How long is this data retained for?
e.g. Policy which confirms personal data isn’t kept for
longer than necessary i.e. not retained indefinitely, A
disposal schedule policy is defined and is in place
ELC 007-12 11/12/15 01
RESTRICTED – COMMERCIAL MOD DOCUMENT
How is this data disposed of when it is no longer
required?
e.g. On site secure shredding facilities, On site via
approved disposal contractors, Off site via approved
disposal contractors
Who has access to this data?
e.g. Evidence access is closely managed, Access limited to
restricted numbers i.e. only identified personnel involved in
the administration and delivery of ELCAS services
IT SYSTEMS
Where personal data on students is stored
electronically, what controls are in place to safeguard
this information?
e.g. Encryption facilities, Firewall and Anti Virus solution, IT
systems Independently verified i.e. ISO 27001, Account
based access (password & user name), Activity/audit
logging, Security Operating Procedures which users are
required to sign up to
Where is this data stored i.e. remote or local servers?
e.g. Stored locally (on site) on secure system (physical and
software/hardware), Stored remotely (off site) on secure
system via approved Hosting providers
How long is this data retained for?
e.g. Policy which confirms personal data isn’t kept for
longer than necessary i.e. not retained indefinitely, A
disposal schedule policy is defined and is in place
How is this data disposed of when it is no longer
required?
e.g. Details of the disposal process e.g. company
personnel, system administrators and/or evidence of
industry level disposal tools etc.
Evidence of the disposal process used for redundant IT
Does your organisation have policies in place covering
the control of removable media, which includes
laptops, removable disks, CDs, USB memory sticks,
PDAs and media card formats?
e.g. A policy is in place which defines the policy for the use of
removable media including a procedure to ensure
personnel read, agree and comply (security operating
procedures), Only company approved devices are used i.e.
no personal devices, All removable media is encrypted
Is this data shared or accessible by any 3rd parties such
as sub-contractors?
e.g. Evidence of controls to manage sub-contractors/supplier activity, Awareness/understanding of
access by sub-contractors/suppliers to ELCAS data,
Evidence checks are performed on sub-contractors/suppliers and their personnel, Evidence sub-contractors/suppliers are required to comply with company
policy, Non-disclosure agreements
PERSONNEL
What employment checks are performed on personnel
in your organisation who have access to student
personal data?
e.g. Criminal Record Checks, Employment
Checks/References
Is a process in place to ensure personnel within your
organisation who have access to student data, receive
the appropriate information risk/data protection
training?
e.g. A defined information risk/data protection programme
Does your company operate non-disclosure
agreements for personnel who have access to student
data?
e.g. Evidence of non-disclosure agreements
Do you have any agents such as sub-contractors or
suppliers who are not directly employed by your
company who assist in the delivery of your product or
service who may have access to student data?
e.g. Evidence of controls to manage sub-contractors/supplier activity, Awareness/understanding of
access by sub-contractors/suppliers to ELCAS data,
Evidence checks are performed on sub-contractors/suppliers and their personnel, Evidence sub-contractors/suppliers are required to comply with company
policy, Non-disclosure agreements
How does your company gain assurance that these
agents such as sub-contractors or suppliers comply
with your risk and security policies?
e.g. Evidence of controls/safeguards which prevent
unauthorised access, A defined policy is in place to manage
sub-contractors/suppliers to ensure compliance with
company policy and procedures.
Does your company have an effective leaver’s process
which ensures on termination of their contract
personnel will no longer have access to student data,
IT systems and where applicable premises?
e.g. Evidence a process is in place and is routinely
undertaken
Organisation Name
_______________________________________________
Learning Provider ID
_______________________________________________
Position in Company
_______________________________________________
Print name
_______________________________________________
Signed
_______________________________________________
Date
_______________________________________________
PLEASE UPLOAD THIS COMPLETED FORM WITHIN THE ASSOCIATED DOCUMENTS AREA OF YOUR ONLINE PORTAL