GDPR - Don't panic!
Posted 8th February 2018
With a raft of companies and people throwing scare tactics at you about the upcoming GDPR, SIMS is now able to help you take some of the worry away.In relation to SIMS there are 4 key areas that are directly compatible.
Right to AccessThe right to access is one of eight rules under the title of 'Individual Rights' and builds upon existing Data Protection Act legislation in the form of a Subject Access Request (SAR). When a school receives a SAR, there will be many separate reports in many different formats that a user in SIMS will need to produce to fulfil the request. This can be time consuming and a burden, to help address this, in the Autumn 2017 release of SIMS there is new functionality called the Person Data Output (PDO). This allows an assigned user the ability to produce a report with all information relating to a person at the school. Be aware this will be a large document, and would need to be checked over to remove any information not related to the person.
ConsentHistorically in SIMS it has been possible to record whether or not a parent has given their consent, for example, to allow the school to publish photographs of their son or daughter on a school website or newsletter. Schools can configure different consent options in SIMS and update in bulk. This is where consent in GDPR has changed; "Consent under the GDPR must be a freely given, specific, informed and unambiguous indication of the individual's wishes. There must be some form of clear affirmative action - or in other words, a positive opt-in - consent cannot be inferred from silence, pre-ticked boxes or inactivity. Consent must also be separate from other terms and conditions, and you will need to provide simple ways for people to withdraw consent. Public authorities and employers will need to take particular care to ensure that consent is freely given." Quote from the ICO This can imply that a school will now need to seek consent for a school to use their data for emailing or texting. However, direction from the ICO is that consent should be the last legal option for processing data. Many schools will have other avenues they can use to process an individual's data, this will be mainly from a legal basis for statutory returns for example, or in a privacy notice. At this time, Capita see no basis or reason to evolve or enhance the current consent feature in SIMS.
Data RetentionWhere a school has a data retention policy in place, we know that implementing this in SIMS is difficult. We know that while a user is able to delete data from a record, it is not possible to do this in bulk, something that customers have been requesting for a number of years. This feature (as with deletion mentioned below) is very complicated and will require a significant amount of analysis and development as there are many things Capita need to consider. They plan to start work on this during the Summer construction phase of the software (this is initiated around the end of January 2018), but due to the complexities, it is likely that the functionality won't be ready until the Autumn of 2018.
Deletion of DataWhere the data retention work is focused on deleting pockets of data, i.e. Achievements, from a selection of Students, i.e. those who left the school 10 years ago, for a date range, this deletion is the deletion (or where required, anonymisation) of an entire persons record, this is referred to under GDPR as 'the right to be forgotten.' Like data retention, this is not a simple task, and Capita have to consider how SIMS copes with linked records, previously run statutory reports etc., care will be given to the analysis of this work and they would hope to deliver this functionality in the Autumn of 2018.
For more information on GDPR…Here are some other useful links: https://ico.org.uk/ https://teaching.blog.gov.uk/2017/10/24/general-data-protection-regulation-evolution-or-revolution-for-schools/
If you would like any help with the current functionality in Capita SIMS then please contact us on 0345 222 1551 • Option 3 or email firstname.lastname@example.org