Governance & Compliance

Data Governance & Compliance

Designed for national trust, regulatory alignment, and secure multi-agency coordination.

Built with privacy, accountability, and sovereignty at its core.

Request Compliance Briefing

Core Principle

Governed by Design — Not Added Later

Governance is built into the system architecture from the ground up. It is not a compliance layer applied after development — it is the foundation upon which the entire system operates.

Data access is permissioned at source — enforced at the database layer

Every action is logged and traceable with immutable audit records

No uncontrolled duplication of records across systems or roles

Trust is not assumed — it is enforced through system design.

Ownership

Clear Data Ownership & Access Control

Child data is centrally structured within a Single Source of Truth. No stakeholder owns the full dataset independently. Access is determined by role, consent, and statutory authority.

Parents retain full visibility and involvement in their child's data

Institutions access only what they are authorised to see for their statutory function

Permissions are enforced at the system level — not managed through manual processes

Permissions

Granular Role-Based Access

Different stakeholders see different views of the same child. Data is not copied between roles — it is filtered at the point of access.

Parent

Full child overview — needs, provisions, outcomes, timeline, and care network

School

Education-related data — EHCP/ISP sections, provision delivery, attendance, compliance

Council

EHCP pipeline, statutory compliance, provision gaps, cross-school analytics

NHS / GP

Health-related inputs — clinical observations, referrals, therapy records, FHIR data

Social Care

Safeguarding signals, care coordination, multi-agency escalation history

Government

Anonymised aggregates — national compliance, ISP transition rates, policy impact

Accountability

Full Audit Trail & Accountability

Every action is logged with actor, timestamp, and context

Every change to a child's record is traceable to its source

Historical records are preserved — no silent overwrites

Complete timeline of decisions available for review, tribunal, or inspection

Accountability is embedded into every interaction.

Security

Secure by Design

  • Role-based access control (RBAC) enforced at database and application layers

  • Secure authentication with session management and token refresh

  • Encrypted data handling — AES-256 at rest, TLS 1.3 in transit

  • Controlled access environments with tenant-scoped data isolation

Security is enforced at every layer of the system.

Sovereignty

UK Data Sovereignty

All data hosted within UK infrastructure (eu-west-2 London region)

No data transfer outside UK jurisdiction under any operational condition

Designed for UK regulatory compliance — DPA 2018, UK GDPR, Children and Families Act 2014

All sensitive data remains under UK governance.

Regulation

GDPR-Aligned Architecture

Lawful Basis

Article 6(1)(e) — public task processing for SEND statutory duties under the Children and Families Act 2014. Article 9(2)(g) — substantial public interest.

Data Minimisation

Only data necessary for statutory SEND coordination is processed. Each role sees only what is required for their function.

Right of Access

Parents and data subjects can view all data held about their child through the platform at any time.

Transparency

Processing purposes, data flows, third parties, and retention policies are documented in a maintained DPIA with versioned records.

Compliance is built into system logic — not managed manually.

Certification

Compliance & Certification Path

Cyber Essentials Plus

In progress

ISO 27001 Readiness

Architecture aligned

ICO Registration

Aligned

G-Cloud / Digital Marketplace

Procurement ready

Data Flow

Controlled Data Flow Across Systems

Data does not freely move between systems. It is governed, permissioned, and logged at every transition point.

1

Parent updates child record

Input

2

System validates and structures data

Validation

3

School notified of relevant changes

Propagation

4

Council visibility updated for compliance

Oversight

5

Full audit trail recorded

Accountability

Risk

Reducing Systemic Risk

Eliminates duplicate records that create conflicting information across agencies

Prevents data inconsistencies through single-source validation

Reduces miscommunication between agencies through automated, role-scoped notifications

Improves safeguarding visibility through real-time escalation cascades with audit trails

Built for Trust at National Scale

Trisende is designed to meet the expectations of national infrastructure — where data must be secure, accountable, and governed at every level.

Request Compliance BriefingDownload Governance PackPartner With Us