Answering all the questions you have asked us regarding GDPR and Capita's position on compliance
We recognise that our customers will have many questions regarding GDPR and their Capita products. To help you get the answers and the evidence you require, we have put together this GDPR FAQ page. We are being asked the same questions by many customers, so we hope you will review the questions presented here and read through the supporting documents, which should provide you with the reassurance that Capita is working towards being GDPR compliant.
If after reading the questions or reviewing the additional resources you still have unanswered questions, then please use the link at the bottom of the page to submit your specific question.
In relation to the SIMS Suite of Products and Services...
Dealing with your data when a case gets escalated with the Service Desk
For customers who have a service level agreement with Capita, there will be times when copies of your SIMS database may be needed for further investigation to aid the resolution of a support incident. The Service Desk follows and complies with the ESS policy ‘Customer Policy Summary – Data Usage’.
This ensures that customer data is managed and stored by the Service Desk according to company data retention guidelines, and is removed after the set retention period of 90 days from the closure of the support incident.
Data is only requested for the continuation of a support incident and is used for troubleshooting or testing purposes, as agreed within your contracts with Capita Education Software Services (ESS). When data is requested for a support incident, the Service Desk will provide all the required guidance and information by attaching a quick reference guide to the original email requesting the data. Please see the link ‘Instructions and Guidance for Uploading Data’ for further information and instructions.
Dealing with your data when you attend a UAT workshop
The UAT room is a locked-down room to which only UAT Team Members and some managers have access. The UAT room is on a separate network, isolated from the main Capita network.
Before customers send data to SIMS UAT:
- We must receive an Agreement of Use form from the customer. This form includes information such as how long the data can be held by us and whether it can be used for testing, and gives us permission to prepare and hold the data for the workshop or other purposes.
- The school or LA name is added to the dataset library and noted as waiting for data to arrive.
- Once the Agreement of Use form arrives, the expiry date of the dataset should be added to the dataset library, and the paper copy stored in the Agreement of Use [AOU] UAT folder, which is locked in our cupboard.
- The UAT team must set up a user account for the customer to enable them to upload their data to us securely. This account will only remain open for a set timeframe of 30 days, to ensure that no unsolicited data can be sent via the SFTP. Once it has been created, the UAT Analyst must send the login credentials to the customer in an encrypted email to enable them to upload their data to the correct location securely.
Following Data Upload:
- Once the customer has confirmed the upload of their data, the dataset library must be updated to read ‘data received, in need of preparation for testing’.
- The data must be moved to a secure location until the UAT Analyst is ready to process it. When ready, the UAT Analyst should contact the customer to obtain the password for their data.
- The data should then be prepared for download.
Processing Customer Data:
Download the zipped and encrypted customer data from the SFTP site to a UAT PC (which is on the separate UAT network) to begin processing. If, once extracted, the data is in any format other than the expected one, it is deleted immediately, as other file formats such as .exe could be or contain malware.
Data Storage. This is the process of recompressing the school's data and recording it on a CD or DVD:
- Encrypt the customer’s data and compress it into a ZIP file. The data is now password protected, and only members of the UAT team know the password.
- The ZIP file is then burnt to disc. Add a disc label with the unique dataset library number to identify the CD. Record on the label the date of preparation, the SQL version of the data and the UAT member's initials.
- Put the disc in a sleeve and place it in the UAT safe (the safe keys are held in our key lock safe, for which only UAT team members know the combination).
- Record the unique dataset library number on the Data Agreement of Use form. This will assist when destroying the data after the Agreement of Use form expires.
When the Agreement of Use form reaches its expiry date, the data is destroyed securely by placing it in the disc-friendly shredding bin within the UAT room. The date of destruction is recorded in the dataset library and the customer is informed by email that the data has been destroyed. The Data Agreement of Use form is then moved to the expired folder, which is locked in our cupboard, where it will remain for 3 months.
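The intake steps above (screen the uploaded archive, reject anything that is not the expected format before it is processed, and track the retention date of data held for a support incident) can be automated. The following is an added illustration, not Capita's or ESS's own tooling, and it makes two assumptions: that the expected payload is a SQL Server backup file with a `.bak` extension (the page only says "the expected" format), and that the retention clock runs from the closure date of the incident, as stated for the Service Desk process. Entry names of a password-protected ZIP can be listed without the password, so the screening happens before any extraction.

```python
import io
import os
import zipfile
from datetime import date, timedelta

# Assumed allowed payload type: the page only says that data in any format
# other than "the expected" one is deleted, so .bak is used as the example.
ALLOWED_EXTENSIONS = {".bak"}


def inspect_archive(zip_bytes: bytes) -> dict:
    """Screen an uploaded ZIP before anything is extracted.

    Returns a dict with 'accept' (bool), 'reasons' (list of str) and
    'members' (list of str). Listing entry names does not need the archive
    password, so a password-protected upload can still be screened.
    """
    reasons = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return {"accept": False, "reasons": ["not a ZIP archive"], "members": []}

    members = archive.namelist()
    files = [m for m in members if not m.endswith("/")]
    if not files:
        reasons.append("archive contains no files")

    for name in files:
        parts = name.replace("\\", "/").split("/")
        # Reject entries that would escape the extraction directory
        if name.startswith("/") or ".." in parts:
            reasons.append(f"unsafe path: {name}")
            continue
        ext = os.path.splitext(name)[1].lower()
        if ext not in ALLOWED_EXTENSIONS:
            reasons.append(f"unexpected file type: {name}")

    return {"accept": not reasons, "reasons": reasons, "members": members}


def retention_expiry(closed_on_iso: str, retention_days: int = 90) -> str:
    """ISO date on which data held for a closed support incident is due for deletion."""
    closed_on = date.fromisoformat(closed_on_iso)
    return (closed_on + timedelta(days=retention_days)).isoformat()


def build_sample_archive(entries: dict) -> bytes:
    """Constructed test input: build an in-memory ZIP from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample uploads, not real customer data
    good = build_sample_archive({"school_2018.bak": b"constructed backup bytes"})
    bad = build_sample_archive({"school_2018.bak": b"x", "setup.exe": b"not a backup"})
    print(inspect_archive(good))
    print(inspect_archive(bad))
    print(retention_expiry("2018-05-25"))
```

A rejected archive is reported rather than deleted by this function; the caller decides what to do with it, which keeps the screening logic separate from the deletion step and makes the reasons auditable in the dataset library. Extension checks are only a first filter: after extraction, the file should also be confirmed to be what its name claims before it is restored anywhere.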
When a customer wants to take part in a User Acceptance Testing Workshop and use their own data, we ask customers to complete the following form:
Dealing with your data with any satellite products
Many customers will use additional software and services such as Agora, Parent App or Options Online. We are currently carrying out data protection impact assessments (DPIA) on these products, the outcome of which may result in either a specific Privacy Notice for that product or guidance for schools to write their own. The status of these assessments can be seen below:
- SIMS Student (DPIA in progress)
- SIMS Parent (DPIA in progress)
- SIMS Activities (DPIA in progress)
- SIMS Agora (DPIA in progress)
- SIMS School View (DPIA in progress)
- SIMS Teacher App (DPIA in progress)
- SIMS InTouch (DPIA in progress)
- SIMS Parent Lite App (DPIA in progress)
- SIMS Options Online (DPIA in progress)
How is your Hosted SIMS service made secure and what reassurances can you provide?
As you may understand, there are many technical processes involved in delivering our Hosted SIMS Service. The hosting team have put together a comprehensive document that takes you through topics such as:
- Technical overview of our Hosted SIMS
- Guide to our Operating Model
- Our approach to Security
- Our approach to Resilience, Backup and Recoverability
- Connecting local software in your school to Hosted SIMS
- Hosted SIMS Guidance
Updates and enhancements to the SIMS Suite of Products
In recent releases of SIMS we have made improvements to help schools with their GDPR compliance. Recent improvements have been:
- Introduction of the Person Data Output report to support schools with Subject Access Requests (Autumn 2017 saw this for students, Spring 2018 for Staff and Contacts)
- The Summer 2018 release of SIMS will introduce a bulk delete of data from students' records; this will support data retention policies.
Further information on these changes can be found here.
In relation to personal data we hold on you...
What policies and procedures do you have in place to protect personal data?
ESS is required to be compliant with Capita Group Policies and Standards. Our Cyber and Information Security Policy is available upon request; however, the accompanying standards are confidential internal documents.
The Group Policies and Standards include (but are not limited to):
- Cyber and Information Security Policy
- IT Standard
- Data Usage Standard
- Acceptable Use Standard
- Physical Security Standard
ESS also has local security policies with which all employees must be compliant; these include (but are not limited to):
- Vetting and rechecking
- Supplier Security
- Clear desk
- Building security policy
- Change management policy
- Information Security incident reporting
- Data Usage Policy
What technical and organizational security measures do you have in place to protect personal data?
Technical and organisational controls protecting personal data include (but are not limited to):
- Employee training and awareness
- Access control measures across ESS systems involving authorisation, approval and review
- Threat assessments
- Risk assessment and treatment
- Change management
- Masking of data
- Appropriate removable media handling
- Backup processes
- Disaster recovery procedures
- Data Protection Impact Assessments (DPIAs)
- Penetration testing
- We hold a current ISO27001 certification
What data does your organisation hold in relation to our school?
As a customer of Capita, and to enable us to provide software and services to you, we hold information such as school name, address and primary contact information, details which would have been provided to us by you when signing a contract. In addition to this information, customers at the school can sign up for services to access support and online help; this information is linked to the school's main record to enable us to track service level agreements, software licence and maintenance contracts. We use Microsoft Dynamics 365 to securely manage your personal contact information, account information and service desk case history. Dynamics 365 is a highly encrypted system hosted in Azure, with our data centres being in Dublin UK. You can find out more about Microsoft’s commitment to data security in the Microsoft Trust Centre.
Does your organisation provide training to staff on data protection or management?
Yes, all Capita staff are required to take regular training on:
- Information Security Awareness
- Data Protection Awareness and GDPR
- Financial crime
Are you registered with the Information Commissioner's Office?
Yes, we are registered, and details can be found on the ICO’s Data Protection Public Register.
Does your organisation have differentiated access to data depending on the sensitivity level?
Yes, we have strict procedures and access arrangements for all our systems when dealing with personal data. Please see the information under the ‘Dealing with your data’ headings above.
Who is the person responsible for data management / protection in your organisation?
- Name: Jenny Coombs
- Position: Group Data Privacy Officer
- E-Mail: firstname.lastname@example.org
Does your insurance cover the costs related to data breaches?
GDPR sanctions exist as a deterrent against non-compliance. Our understanding at the moment is that if financial penalties were indemnified by another party, this would defeat the purpose of the fines and would therefore not be permitted. For this reason, ESS is not insured to cover the costs related to data breaches.
Other GDPR related activities
What action are you taking to prepare for the GDPR?
This question is asked often and is very broad; the following may help to answer the underlying questions:
- Internal Security and GDPR Forum to monitor GDPR readiness, reports monthly to the Board
- Capita GDPR Training/Data Protection Mandatory Training
- GDPR blogs, videos and webinars for staff and customers on GDPR
- Internal GDPR lunchtime workshops
How secure are your systems?
As well as our ISO certification, employees undergo frequent and mandatory training on all matters relating to GDPR and security. Customer data is processed in a variety of ways, and as part of our GDPR readiness we have undergone assessments with providers such as Microsoft Azure to seek reassurance that they too are GDPR ready and their systems are secure.
- GDPR Hot Topic: from here there are links to Notifications relating to GDPR and SIMS. Customers should be encouraged to Watch the notification so they are alerted to any updates.
Capita SIMS Website
- Getting ready for GDPR
- GDPR Blog on getting ready for GDPR
- GDPR Blog on what schools need to know
- GDPR Video on How SIMS can help with GDPR
Other useful links
- Where the term ‘Capita’ is used, these FAQs are in relation to Capita ESS for the products and services we provide around the SIMS Suite of software.
- We will not be replying directly to questions or questionnaires sent to us; any unanswered questions submitted will be added to this notification as a direct FAQ or a new linked resource.