Sys IQ Ltd has not complied with Principle 7 of the Data Protection Act.

So it’s been confirmed by the ICO that one part of my problem with my data being withheld by Baby’s Days has been resolved at least.  Despite knowing we wanted the data back, Baby’s Days went ahead and deleted the data anyway.  The ICO have found that because this child’s data has been deleted by Baby’s Days / Sys IQ Ltd, they have not complied with Principle 7 of the Data Protection Act.

There are Eight Principles to The Data Protection Act and from my understanding Principle 7 – which is labelled “security”, is about, you guessed it – security.  How ironic that a company plugging itself as “100% secure” has not complied with the part of the DPA relating to Security!

The ICO website says Principle 7:

means you must have appropriate security to prevent the personal data you hold being accidentally or deliberately compromised

So which was it, do you think, blog readers?  Was my co-minder’s daughter’s data accidentally compromised, in which case, how can you be sure this won’t happen to any data you have stored with the company?

Or do you think my co-minder’s daughter’s data was deliberately compromised, in which case, again, how can you be sure this won’t happen to any data you have stored with the company?

Either option doesn’t exactly scream 100% secure to me.  What this now means is that under the DPA I have the right to take this matter to court, which obviously I intend to do.  If anyone reading this might know someone who would like to take the case get in touch via the contact option on the blog or through Facebook.

Has Baby’s Days lied to the ICO?

I’ve exchanged some very bizarre emails with the ICO and Baby’s Days over the past few weeks regarding my Subject Access Requests.  It seems to me that Baby’s Days are getting confused about how to handle the requests, getting the requests mixed up, and at one point have continually referred to my son by some other name?!

Slightly alarming when they are handling so much data.  But nevertheless, I’ve tried to make sense of this info, but it seems to me that Baby’s Days are either deliberately muddying the waters so to speak or they are getting themselves in a right muddle.

Can anyone make sense of the following?  It seems to me that on the 17th Feb, the ICO told my co-minder that Sys IQ Ltd had confirmed to them that her daughter’s data had been deleted.  Here is the email from the ICO so you can see it for yourself.

[Image: ico say AA data has gone]

But then on the 18th Feb, a day after the email from the ICO my co-minder was contacted by Sys IQ Ltd directly, who stated, “your subject data request is now closed and we will be unable to provide you with any data for *childs name*”. Email below.  Surely they couldn’t continue with the request because they had already deleted the data?  So why have they sent this confusing email?

[Image: BDs close AA request]

Baby’s Days seem to be fast becoming confused by the situation, despite it being very simple.  They cancelled the subscription, they withheld the data, we would like it back.

What do these emails look like to everyone else?  Would you ever have imagined it would be this hard to retrieve work that most minders believe to be “theirs”?

PS.  You may have missed the last few posts as the email sent to subscribers doesn’t seem to have been working.  You can check them out here, one about Baby’s Days not being ISO Accredited, and another about the ICO.

Surely the ICO will protect my data? Part 2.

So, this is the second post about the Information Commissioner’s Office, the first you can find by clicking here.  In a nutshell the first post said it’s not a simple process to retrieve my data back via the ICO; lots of blog readers say, “make a subject access request – it’s your data”, but it has now been confirmed that this isn’t the case by the ICO.

The data is the child’s, not the minder’s, in the eyes of the law.  So if a minder would like to request it they need parental permission to do so and the minder would also need to supply their ID to Sys IQ Ltd to prove they are the person they are claiming to be.

Alternatively the parent can make the Subject Access Request themselves, they will need to provide proof of ID and also proof that they are the parent of the child.  Seems a bit weird to me when a few weeks ago I could access all the data with a simple password and Sys IQ Ltd could easily reinstate the system knowing only authorised users could access the system with the password.  But anyway I did as instructed by the ICO and sent Sys IQ Ltd 47 subject access requests for all the children ever entered onto the system, I also made a request for any data relating to me and my 3 colleagues.  So 50 Subject Access Requests for data that a few weeks ago I accessed easily and also gathered and compiled myself.  How absurd.

Baby’s Days have 40 days to respond to the requests, so I will update then.  But given how my co-minder’s request has gone for her daughter’s data and that Baby’s Days / Sys IQ Ltd have flatly and illegally refused to process my subject access request for my son’s data, I’m not holding my breath.


Baby’s Days / Sys IQ Ltd is seemingly unaccountable for its actions and apparently entirely unregulated?!  (If anyone knows who they are regulated by please comment because I will be blogging on this topic later in the week).  As such it is extremely important that data is saved by the childminder, which in my opinion then makes a complete farce of the company’s 100% security claims.  All the data could be taken from the childminder’s own laptop!

On their Website Baby’s Days say,

“There would be very little point in using a 3rd party company to store your paperwork in digital format if…. [it] cannot be recovered under any circumstances”

I couldn’t agree more, what is the point in my co-minder having paid Sys IQ Ltd almost £500 over the years if they are unable to return our data?!

Tomorrow I will be posting the information sent to me from Baby’s Days and the ICO regarding my co-minder’s daughter’s data and how Baby’s Days seem to have misled the ICO; so make sure you check back for more proof of how underhand this company can be tomorrow.

Baby’s Days isn’t ISO27001 Accredited.

A reader has sent me a message through the blog asking me if Baby’s Days are ISO27001 accredited as it seems to suggest they are on their webpage.  Here is the message I was sent:

“You’ll notice on the babydays website they show the ISO 27001 accreditation logo. I’m pretty sure (from my brief checks) that they don’t have accreditation – and are falsely claiming so by use of the logo. I don’t have time but hope you might be able to look into this?”

So are Baby’s Days ISO27001 Accredited is the question?  No is the answer.  Read on if you want to hear the long version…

For those that don’t know, ISO27001 is a certificate given to companies to add credibility to their data handling and demonstrates that a product or service meets the expectations of customers.  It essentially shows that a company has information security risks under control.  The Data Centre that Baby’s Days use has this accreditation, but Baby’s Days / Sys IQ itself do not even though the logo appears on their website.

Baby’s Days software, i.e. your actual personal Baby’s Days domain, is not ISO accredited, so where the Baby’s Days website says,

“This certification means that you can rest easy, knowing your system and confidential data is being managed to a rigorous set of standards, processes and industry best-practices which are regularly reviewed to ensure ongoing compliance and improvement.” (Source)

it’s not totally accurate.  What it should say is that your system and confidential data is being managed by the data centre to a rigorous set of standards.  It’s no confirmation or guarantee it’s being handled using best practices by Sys IQ Ltd / Baby’s Days themselves, so it’s a bit misleading to feel like you can, “rest easy” in my opinion.

It is also important for people to be aware that the actual system itself, or how Sys IQ Ltd store and process your data, is not covered by the data centre’s ISO certification, nor is it offered by any other guarantee or certificate for that matter.  The actual data could be in the safest place on the planet (and in fairness they do use a very secure storage site, just like many other EYFS software companies do), but if data is accessed via your system itself (as I showed last week, photos could be accessed without a password) then where the data is being stored is irrelevant.

So, to summarise, am I saying the system is unsafe?  No.  Am I saying they should be accredited?  No.

I am clarifying the (in my opinion vague) information from Baby’s Days website so that readers are aware of how unregulated this area is and I’m saying that SYS IQ / Baby’s Days are not accredited and do not necessarily follow best practice guidelines regarding security risks as set out in ISO27001.  I am also saying that there is no certificate/accreditation to ensure your actual system is 100% secure as the website claims.

You can check a company’s accreditation certificates by clicking here.


Are Baby’s Days denying that photos could be accessed without a password?

The short answer to this is that yes they are denying it, even though many people commented on the blog and messaged me on Facebook to say they could see photos without needing a password.

I’ve frequently contacted Baby’s Days to ask if they want to comment on any blog posts and they always ignore me.  They know how to contact me if they do want to clear up any possible discrepancy I may have posted.  Yet they have never contacted me to clarify the content of anything I have posted.

This is because everything posted is 100% accurate. 

Some of his supporters believe that I am able to make up “lies” under free speech rights, but free speech doesn’t give you the right to lie. The reason I can continue to post these things that reflect badly on Baby’s Days is because they are all true and I can prove they are.

So as I say, until Wednesday there has been radio silence from Mark Kahl, director of Baby’s Days, regarding the factual content of this blog.  During my recent posts I’ve pointed out that photos could be accessed without a password.  Did Mark Kahl contact me to clarify issues on my latest post? No.  Did he issue a statement detailing how safe and secure his system is? No.

Instead he chose to post in the Facebook support group essentially calling me a liar.  Bear in mind a good portion of his customers have been banned from this group run by Kel Thomas so for their benefit here is what Mark Kahl, director of Sys IQ Ltd had to say about my latest blog post and how he has gone about reassuring you all that your data is “100% secure”.

I’ve edited the post so you can just see the posts made by Mark Kahl, but if you would like to read the entire conversation between group members then click here.

The latest blog post was brought to my attention by a parent via the comments section of this blog, you can see the comment here.  After checking with some technical friends, I was informed that other parents could in theory access data in the way described by the parent, if the system was set up in the same way as it was at this nursery.  I then asked some blog readers that still use Baby’s Days to send me links to their photos so I could see if I could view them without their passwords.  Only after checking this information did I publish what the parent had mentioned.

It is 100% accurate to say that individual photos were able to be viewed without any authentication by the person attempting to view them. Anyone with the right information, and time, could have been able to determine and view anyone’s images on the system without ever needing to log in to babysdays.

How they can publicly deny this happened and call me a liar when everything points to the contrary is beyond me.  They are obviously just counting on their customers’ blind faith and assumptions that this company wouldn’t put their data at risk.  Obviously I am seeking legal advice as both Kel Thomas and Mark Kahl are publicly defaming me.

Given that Baby’s Days refused to update my system after advertising monthly updates, then terminated my account with no legal justification and then (maybe?  They won’t confirm) deleted parts/all of my data illegally and in direct contradiction of the Data Protection Act and the advice of the Information Commissioner’s Office, it surprises me enormously that anyone can believe a word that comes out of Mark Kahl’s keyboard!?

My message is clear.  Make sure ALL of your data is backed up, your documents, your notes, your diaries, registers, photos, the lot.  Use this company with your eyes wide open or you may find yourself in the same position as me unfortunately.