© 2018 Capita Business Services Ltd. All rights reserved.

Capita Education Software Solutions is a trading name of Capita Business Services Ltd. Our Registered office is 30 Berners Street, London, W1T 3LR and our registered number is 02299747. Further information about Capita plc can be found in our legal statement.

GDPR - Use of Consents within SIMS7

Introduction

The new GDPR data protection law offers a number of reasons why a data controller can hold and use data about individuals, and these fall into two main categories:

  • Data use without the need for consent
  • Data use both requiring and having consent granted

/node/31 offers a collection of other useful links for our partners with regards to GDPR and related issues.

It is envisaged that many typical MIS-related activities will be covered by ‘Legitimate Interest’ or another exemption. However, there are obvious extensions, such as Alumni export, where the data would clearly be used for a purpose different from that for which it was collected, and this would almost certainly require consent from each and every data subject.

Ultimately the partner’s customer (the data controller) will need to decide whether consent is needed prior to export to the partner’s systems.  GDPR further requires that data taken for one reason is not used for other purposes without the permission of the data controller and, where the legal basis for taking the data is Consent, without seeking further consent from the data subject.

SIMS and the concept of consent.

[Figure: Consents in SIMS 7]

SIMS contains functionality to manage consent-based access to data.  Consents are user defined and local to each school. A school may spell the name PartnerX / Partner X / partner X, …, so it would always be wise to allow the school to nominate the name of the consent.

The reporting engine would allow for filters as follows:

[Figure: Setting filter in SIMS 7 reporting]

And the report output might look like…

[Figure: SIMS 7 report preview]

This, however, requires more complex report management. The filter may differ per school, which may prevent the shipping of a generic report that works in all schools.

Alternatively, a report containing all the consents could be post-filtered (before it leaves the school server), for example:

[Figure: SIMS 7 consent report output]

And the data exchange application would simply filter the list for appropriate consents.

Use of UDFs

It may be easier to use UDFs (user-defined fields) in lieu of consents if API usage determines which records to export.  Partner APIs allow UDF values to be pulled for all people in a single call for a single UDF value.  Again, UDF names are school defined rather than generic and would need to be configurable for each school.

NB: UDFs are available for wider person types, for example parent/contact.

Warning

For both models above: take care with short names, e.g. if the school created consents for:

    > Photograph Student

    > Photograph Student Internal Use Only

Simply checking for ‘Photograph Student’ may then give false positives.  A comma separator may offer uniqueness.
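
The post-filtering approach and the short-name warning above, as an added example that is not Capita or SIMS code: it filters a consent report on the school server and shows the substring false positive beside a whole-name match on the comma-separated list. The CSV layout, the column names, the sample rows and all function names are assumptions made for illustration.

```python
import csv
import io

# Constructed sample report: the column names and the comma-separated
# "Consents" cell are assumptions, not the real SIMS report layout.
SAMPLE_REPORT = '''Forename,Surname,Consents
Asha,Patel,"Photograph Student, PartnerX Export"
Ben,Jones,Photograph Student Internal Use Only
Cara,Smith,"Photograph Student Internal Use Only, Photograph Student"
Dev,Khan,
'''


def consent_set(cell):
    """Split a comma-separated consent cell into a set of exact names."""
    return {name.strip() for name in (cell or "").split(",") if name.strip()}


def naive_has_consent(cell, wanted):
    """Substring check: the approach the warning describes as unsafe."""
    return wanted in (cell or "")


def has_consent(cell, wanted):
    """Whole-name check: a consent counts only if one item equals it."""
    return wanted.strip() in consent_set(cell)


def filter_report(report_text, wanted, column="Consents", check=has_consent):
    """Return only the rows holding the school-nominated consent.

    Fails closed: a report without the consent column raises instead of
    exporting every row.
    """
    reader = csv.DictReader(io.StringIO(report_text))
    if column not in (reader.fieldnames or []):
        raise ValueError(f"report has no {column!r} column; refusing to export")
    return [row for row in reader if check(row[column], wanted)]


if __name__ == "__main__":
    wanted = "Photograph Student"  # consent name nominated by the school
    for label, check in (("substring", naive_has_consent), ("exact", has_consent)):
        rows = filter_report(SAMPLE_REPORT, wanted, check=check)
        print(label, [r["Forename"] for r in rows])
```

The whole-name match only works if consent names themselves contain no commas, so the school-nominated name should be checked for that when it is configured.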

Cloud Systems vs On-Premise

If a partner application accesses data in SIMS Primary, SIMS Agora or other current or future cloud-based products, the act of extracting a set of PII for everyone, pulling it across the web and deleting non-consenters within the external system would constitute data processing without consent.

In On-Premise (locally hosted) systems, data for export should be pre-processed to ensure that PII for non-consenters is not exported.

Conclusion

SIMS supports the concept of consents as above; however, the concepts are generic.  As such, if a partner wants to extract data for product X and requires consent, then:

  1. The consent can be stored in SIMS (or elsewhere)
  2. The consent can be accessed during the data exchange
  3. The consent can be honoured when selecting the data to send to a partner system.

Please note that if the partner also has a product Y which also needs consent, then the partner must decide whether a single data exchange is appropriate or not and ensure that the data is only used within the granted consents.

Please note that consent is not always required; however, if unnecessary consent is sought and refused then it may be difficult to use legitimate interest to override the refusal.

Please note that this document does not offer guidance on compliance with GDPR; it is the data controller’s and data processor’s responsibility to ensure they comply with the regulation.  The purpose of this document is to highlight functionality in the SIMS product portfolio that may help in handling data in a compliant way.