GDPR is not just about technology systems
22/03/2018 10:54:24 | Mark Maybury, Academic Product Manager
Since our blog back in October we have made it a priority to provide our customers with information about GDPR. In addition to blogs we have hosted Academic and Financial user group events where expert speakers have provided input, as well as webinars and product updates. The deadline of 25th May 2018 is fast approaching, and no doubt you are preparing in earnest now, as are we as an organisation. For example, all our staff are receiving GDPR training and we have looked at specific functionality within our products that will help you to comply with the law.
There has been a misconception that Data Protection is about technology systems only – it isn’t. Data is held all over the school and every person in the school is responsible. Examples include student information kept in filing cabinets, archive storage, paper forms completed for school trips, invoices etc. A breach can be as simple as leaving this paper uncovered on a desk, or forgotten on a photocopier – if people get access to personal data that they do not have permission to view, it is a data breach. Any breach like this must be reported and therefore all staff must receive GDPR training. All staff need to be fully aware of their responsibilities, whether they have access to data on paper-based systems or on devices such as a laptop, smartphone or USB memory stick. Our partners Wonde and Groupcall have two excellent GDPR products that you can purchase to support your school in this process and these are detailed at the end of this blog.
With regard to our software, some schools have already passed GDPR audits and we have started to make further enhancements to our software to aid compliance and benefit you in these processes. These enhancements will include a range of updates, from changing default settings to enabling records to be edited and automating the removal of personal data.
Many GDPR obligations are not new but an extension of the existing Data Protection Act 1998. The primary focus is around ensuring that you have the right policies and processes in place and you should be reviewing these. The key changes coming into force in May are:
1. New regulations for obtaining consent to collect personal data.
2. The requirement to delete data that is not being used for its original purpose.
3. The ability for people to revoke their consent for data processing.
4. A requirement to notify the ICO (Information Commissioner’s Office) within 72 hours of a data breach.
5. Large data Controllers must appoint a Data Protection Officer (DPO).
6. Fines for data breaches that can amount to up to €20m or 4% of global group annual turnover (whichever is the highest).
7. The definitions of personal data and sensitive data have been expanded, with the latter including genetic and biometric data.
8. Enhanced rights – for example the individual has the right to request to be forgotten and object to automated decision making.
9. People still have the right to make a subject access report, but the time limit has been reduced to 30 calendar days and there will no longer be a £10 charge.
As mentioned above, we have been enhancing our software to benefit customers. Starting with the 5.4 update just before Christmas, we began a programme of adding new functionality that will help schools speed up their processes and comply with their responsibilities to the individual. To keep you up to speed with what has already been done and what will be coming in future releases, here is a guide to all things GDPR from WCBS. The numbers in brackets after each item link it to the associated GDPR changes listed above.
Version 5.4 Release December 2017
- New functionality for authorised users to delete pastoral records and associated notes that are no longer required. (2 and 8)
- The ability to edit a pastoral record and notes together with an associated audit trail of the edits made. (2 and 8)
- Change the default setting (ticked to unticked) for mail in the School Development module. (1 and 3)
Version 5.5 Release March 2018
- Enhance Pastoral Record ‘permanent delete’ feature to include data held within the audit log. (2 and 8)
Version 5.6 Release May 2018
- Ability for 3sysACADEMIC to time out following a period of non-use. To prevent a data breach caused by people accessing personal data on a device that has been left unattended, 3sysACADEMIC will time out after a specific period decided by the school. (4 and 6)
- Functionality to anonymise personal data and delete associated documentation if a person exercises their right to be forgotten. (2 and 8)
- Anonymise bank details on system generated reports. (2 and 8)
- A new tool to delete old admissions records in bulk. (2)
- The ability for schools to indicate that parents have given permission to share data with third party applications. A new ‘consent’ tick is being added to each individual record type to indicate that explicit consent has been granted for their details to be shared, including those third-party applications that are connected to the MIS via the WCBS API. Explicit consent will need to be gained by the school outside of the system. (1 and 3)
- Delete documents from a student record by any authorised user. (2 and 8)
Version 5.7 Release August 2018
- Subject right to access reporting. A new tool will be added so that when an individual makes this request automated reports will be generated from each module. (9)
Where to go for advice
- The ICO website is the main source for GDPR updates; it includes some helpful articles such as 12 steps to take now!
- Eversheds Sutherland law firm has a wealth of information on GDPR available on its website and also has a useful GDPR tracker.
- As mentioned in previous blogs, solicitors, Harrison Clark Rickerbys, have come up with a helpful guide on 10 Steps for Schools.
- Our integration partner Wonde has just launched a GDPR tool that helps you to manage your school’s processes.
- Similarly, third party integrator Groupcall is offering a cloud-based GDPR tool to aid data protection management throughout your school.