You can access the presentation used on recent webinars here

Capita Statements on GDPR

Capita SIMS takes its responsibility very seriously in supporting schools to ensure they meet their obligation to protect data. We are reviewing the legislation and have already started a discussion on the impact of the changes with the ICO (Information Commissioner’s Office). The ICO will shortly be publishing guidance on the new regulation and the differences between the existing Data Protection Act and the new GDPR, which will allow us to further consider any changes we may need to make in our software.

What do we believe the main concerns are that schools have around GDPR?

When discussing GDPR with schools, the main themes of concern in relation to the SIMS Suite of software are:

  • Right to access
  • Consent
  • Data retention
  • Deletion of data

Right to Access

The right to access is one of eight rules under the title of ‘Individual Rights’ and builds upon existing Data Protection Act legislation in the form of a Subject Access Request (SAR). When a school receives a SAR, a SIMS user will need to produce many separate reports in many different formats to fulfil the request. To help address these requirements, SIMS introduced a Pupil Data Output (PDO) with the Autumn release. This first release relates to pupil SARs; staff and contact reports will be added around Easter.

  • Initially the PDO will be available for Students, with the export being introduced for Staff in the Spring 2018 release, with options for outputs in a machine-readable format (Data Portability).

Consent

Historically in SIMS it has been possible to record whether or not a parent has given their consent, for example, to allow the school to publish photographs of their son or daughter on a school website or newsletter. We allow schools to configure different consent options in SIMS and allow for this to be updated in bulk. This is where consent in GDPR has changed:

“Consent under the GDPR must be a freely given, specific, informed and unambiguous indication of the individual’s wishes. There must be some form of clear affirmative action – or in other words, a positive opt-in – consent cannot be inferred from silence, pre-ticked boxes or inactivity. Consent must also be separate from other terms and conditions, and you will need to provide simple ways for people to withdraw consent. Public authorities and employers will need to take particular care to ensure that consent is freely given.” (quote from the ICO).

This can imply that a school will now need to seek consent to use an individual’s data for emailing or texting. However, direction from the ICO is that consent should be the last legal option for processing data. Many schools will have other avenues they can use to process an individual’s data; this will be mainly from a legal basis, for statutory returns for example, or in a privacy notice. At this time, Capita see no basis or reason to evolve or enhance the current consent feature in SIMS.

Data retention

Where a school has a data retention policy in place, we know that implementing this in SIMS is difficult. We know that while a user is able to delete data from a record, it is not possible to do this in bulk, something that customers have been requesting for a number of years. This particular process has been considered many times for SIMS, but other pressures on statutory requirements have led us not to develop this type of functionality.

While the requirements around data retention under GDPR are not significantly different from the Data Protection Act, we must address this and make a concerted effort to make improvements in 2018. This feature (as with deletion mentioned below) is very complicated and will require a significant amount of analysis and development, as there are many things we need to consider. Our plan is to start work on this during the Summer construction phase of the software (this is initiated around the end of January 2018), but due to the complexities, it is likely that the functionality won’t be ready until the Autumn of 2018.

Deletion of Data

Where the data retention work is focused on deleting pockets of data (e.g. Achievements) from a selection of Students (e.g. those who left the school 10 years ago) for a date range, this deletion is the deletion (or, where required, anonymisation) of an entire person’s record. This is referred to under GDPR as ‘the right to be forgotten’.

Like data retention, this is not a simple task. We have to consider how SIMS copes with linked records, previously run statutory reports and suchlike. Care will be given to the analysis of this work, and we would hope to deliver this functionality in the Autumn of 2018.

For more information on GDPR…

Here are some other useful links: