Please see below the information we currently have from CAPITA. The key points are that they are implementing subject access requests using a new Person Data Output report in the Autumn 2017 release.
Attached is a PowerPoint showing the PDO report, and a link to a video - https://www.capita-sims.co.uk/resources/videos/how-sims-can-help-your-school-comply-gdpr.
General Data Protection Regulation (GDPR)
An update on the action Capita SIMS is taking to review the legislation and any impact of the changes.
The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a Regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection laws for individuals within the European Union (EU). It also addresses the export of personal data outside the EU. The primary objectives of the GDPR are to give citizens back control of their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. When the GDPR takes effect it will replace the Data Protection Directive (officially Directive 95/46/EC) from 1995. The regulation was adopted on 27 April 2016 and will take effect from 25 May 2018 after a two-year transition period. The result of the 23 June 2016 referendum on membership of the EU means that the Government now needs to consider the impact on the GDPR and confirm its adoption.
Capita SIMS takes its responsibility very seriously in supporting schools to ensure they meet their obligation to protect data. We are reviewing the legislation and have already started a discussion on the impact of the changes with the ICO (Information Commissioner's Office). The ICO will shortly be publishing guidance on the new regulation and on the differences between the existing Data Protection Act and the new GDPR, which will allow us to further consider any changes we may need to make in our software.
Should we need to implement changes to SIMS or offer enhanced support services, we would expect to do this as part of our 2017/18 Roadmap to ensure schools have the ability to be compliant before May 2018.
Supporting Subject Access Requests in SIMS for GDPR and DPA
How is SIMS supporting Subject Access Requests?
A Subject Access Request (SAR) made by an individual can involve a lot of work for a school. Data from many different sources needs to be gathered, ranging from the paper filing cabinet to the core MIS. Currently in SIMS a user needs to design and run many custom reports to produce the outputs that form part of their SAR. Managing this number of reports can be a challenge.
In the Autumn 2017 release of SIMS .net, we are introducing a new routine called the Person Data Output. This has been designed specifically to reduce the number of separate reports required to fulfil a SAR. You can access it via Routines > Data Out > Person Data Output.
What do we believe the main concerns are that schools have around GDPR?
When discussing GDPR with schools, the main themes for concern in relation to the SIMS Suite of software are:
Right to access
Deletion of data
Taking each of these themes in turn, we will discuss how SIMS can help at the moment and what our plans are for future developments.
Right to Access
The right of access (https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/individuals-rights/the-right-of-access/) is one of eight rights under the title of 'Individual Rights' and builds upon existing Data Protection Act legislation in the form of a Subject Access Request (SAR). When a school receives a SAR, there are many separate reports in many different formats that a user in SIMS will need to produce to fulfil the request. This can be time consuming and a burden. To help address this, in the Autumn 2017 release of SIMS we are introducing new functionality called the Person Data Output (PDO). Lots of information about this can be found here:
Video demonstrating the PDO functionality - https://www.capita-sims.co.uk/resources/videos/how-sims-can-help-your-school-comply-gdpr
Presentation on PDO enhancements - Attached
Initially the PDO will be available for Students; the export will be extended to Staff in the Spring 2018 release, with options for output in a machine-readable format (Data Portability).
Historically in SIMS it has been possible to record whether or not a parent has given their consent, for example, to allow the school to publish photographs of their son or daughter on a school website or newsletter. We allow schools to configure different consent options in SIMS and allow these to be updated in bulk. This is where consent under GDPR has changed:
“Consent under the GDPR must be a freely given, specific, informed and unambiguous indication of the individual’s wishes. There must be some form of clear affirmative action – or in other words, a positive opt-in – consent cannot be inferred from silence, pre-ticked boxes or inactivity. Consent must also be separate from other terms and conditions, and you will need to provide simple ways for people to withdraw consent. Public authorities and employers will need to take particular care to ensure that consent is freely given.” (quote from the ICO).
This could imply that a school will now need to seek consent to use an individual's data for emailing or texting. However, direction from the ICO is that consent should be the last lawful basis considered for processing data. Many schools will have other lawful bases they can rely on to process an individual's data, mainly a legal obligation (statutory returns, for example), and these should be set out in the school's privacy notice. At this time, Capita see no basis or reason to evolve or enhance the current consent feature in SIMS.
Where a school has a data retention policy in place, we know that implementing it in SIMS is difficult. While a user is able to delete data from a record, it is not possible to do this in bulk, something that customers have been requesting for a number of years. This particular process has been considered many times for SIMS, but other pressures from statutory requirements have led us not to develop this type of functionality.
While the requirements around data retention under GDPR are not significantly different from those of the Data Protection Act, we must address this and make a concerted effort to make improvements in 2018. This feature (as with the deletion mentioned below) is very complicated and will require a significant amount of analysis and development, as there are many things we need to consider. Our plan is to start work on this during the Summer construction phase of the software (this is initiated around the end of January 2018), but due to the complexities it is likely that the functionality won't be ready until the Autumn of 2018.
Deletion of Data
Whereas the data retention work is focused on deleting pockets of data (e.g. Achievements) for a selection of Students (e.g. those who left the school 10 years ago) over a date range, this work covers the deletion (or, where required, anonymisation) of an entire person's record. Under GDPR this is referred to as the right to erasure, or 'the right to be forgotten' (https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/individuals-rights/the-right-to-erasure/).
Like data retention, this is not a simple task: we have to consider how SIMS copes with linked records, previously run statutory reports and the like. Care will be given to the analysis of this work, and we would hope to deliver this functionality in the Autumn of 2018.
For more information on GDPR:
Here are some other useful links: