GDPR

Home Forums Data issues GDPR

This topic contains 80 replies, has 18 voices, and was last updated by  Martin West 5 months, 3 weeks ago.

Viewing 25 posts - 26 through 50 (of 81 total)
  • Author
    Posts

  • Alison_ITS
    Participant

    Hi Steve

    As suggested by Rob I have asked my CEO to contact the ESFA and AELP to push the issue.

    Thanks for the video link, although as you stated it is obviously aimed at schools and I can’t find the ‘follow up’ video either !

     
    #240768

    RobPearce
    Participant

    I’ve been copied into email from ESFA stating:

    Our data folk are attending the upcoming AOSEC and AOC conferences to talk about the ILR changes for 18/19, and the changes to the privacy notice which has been reworded and republished for 17/18 in regards to GDPR. The online ILR support manuals for both 2017/18 and 2018/19 provide some details. We are still working with our legal team to make sure the changes to the privacy notices are sufficient for GDPR – we know that in some circumstances we will be able to still use the consent obtained before 25th May if it meets the new requirements on valid consent, but please be reassured that we are still working on it and as soon as DfE are sure of our position we will be sharing our views with the sector.

    Hopefully some more definitive information will be issued after this has happened – fingers crossed!

     
    #240987

    steveh
    Participant

    Flipping heck, why *on earth* are they talking about consent??? What we really want to know is is our basis for collecting the information they demand from us a Legitimate Interest? I don’t really want to have to rely on Contract as I’m wary about 16 year olds being allowed to sign one…

    Also, it’s hardly rocket science to work out that NONE of the opt-out consent for ESFA contacting learners collected before 25th May is valid, that’s the easy bit!!!

     
    #241108

    Simon France
    Participant

    And data retention periods.. Is this the same as the document retention period?

     
    #241114

    Ibrahim Mayat
    Participant

    Interesting question Simon re: Data retention.

    We’re shortly moving to a new MI system and will only be migrating 3 years worth of learner records.

     
    #241183

    Jaymie Smith
    Participant

    We have been sending out GDPR updates for quite some months now and are well aware of how far through the process certain departments are. There is quite a lot of clarification still to come from the ESFA and some of that is coming in the drafts of the 2018/19 ILR Specification.

    We are querying changes as necessary to prepare our customers for May. Despite the situations still being fluid, we are currently sending out our GDPR Information Pack to help customers meet requirements under processing however we think it’s key for controllers(ESFA/DfE) to define processing conditions under contract.

    Kind Regards
    Jaymie Smith
    CogniSoft Ltd

     
    #241227

    CDC
    Participant

    Just bumping this thread up to page 1 as a reminder – 52 working days for GDPR – minus whatever time it will take you to re-print enrolment forms, update websites, online platforms, train staff etc etc.

    Really hope the Agency provide some information soon, really want to avoid the risk of having to re-do elements of it.

     
    #242086

    CDC
    Participant

    Sorry – make that 49 working days, forgot about Easter and May day Bank hols!

     
    #242088

    RobPearce
    Participant

    I agree! I’ve chased contacts I got from ESFA and also AELP but no reply from either. Don’t know if anyone else has had any more luck than me (or have friends in higher places!)
    Baffling why there is still no communication out on this.

     
    #242090

    Alison_ITS
    Participant

    We’ve had a reply today from a contact at AELP that states:

    “There is some pressure being applied on ESFA to come out with a statement on what they are doing on GDPR”

    We continue to wait !

     
    #242356

    RobPearce
    Participant

    Thanks Alison,
    I’ll avoid holding my breath I think! Positive though that AELP are on the case though. With any luck we’ll get some guidance to take any action needed before the legislation actually comes into force!

     
    #242578

    Alison_ITS
    Participant

    Hi Rob
    Are you going to to AELP Workshop in Leeds on 10th April, it’s a bit late in the day I know but I’m really hoping it’s a useful event?

     
    #242601

    RobPearce
    Participant

    Thought it would be useful to update those in this thread with the information I received today from a contact @education.gov.uk It contradicts the worrying story that we would have to go back to all existing learners and ask them to re-sign around data processing etc. From reading the below message, it seems providers would have to just make learners aware of the changes and give them the option to opt out.

    ….I attended a government summit on GDPR… where the question of how GDPR applies to existing data came up. The advice from the Government Legal Office was that the regulation will not automatically apply retrospectively. I don’t think we should worry about applying a blanket ban on using old data. What matters is that third parties have a legal basis for processing the data (i.e. contacting learners). Any existing consent will still be valid as long as data subjects are informed of the new terms, either through revised Privacy Notices, or revised consent forms. Previous consent can be withdrawn if the data subjects exercise their new rights to restrict processing.

     
    #242756

    RobPearce
    Participant

    Hi Alison, just seen your message.

    I’ve been trying to find out from AELP exactly what will be covered. I don’t want to go or send one of my team if it’s just going through what the legislation is. I’ve been to a number of those now. I’m after, as I’m sure others are, some specific advice on what we should do with new/existing learners and ideally the type of wording we should be using on learner forms etc. I strongly feel that there should be consistency across the sector and this could be a really good way of that happening.
    Unfortunately I’m still waiting for a reply from AELP so don’t know whether I will be going yet.

     
    #242758

    CDC
    Participant

    Mmmmm definitely going to need some ESFA guidance in light of this development. Scope for confusion I think.

    If we’re now saying that ‘old’ consent is still ok to use so long as data subjects are informed and have the opportunity to withdrawn their consent. (avoiding, for now, the issue of how we prove all data subjects have been informed)

    If a returning learner (consent previously given on auto opt in) re-enrols onto another course post 25th May and doesn’t positively give consent – then does that mean it’s still ok to use the previous consent or does it mean they have withdrawn their consent (even though they haven’t actually positively stated they’ve withdrawn consent).

    Or am I over thinking it!

     
    #242762

    RobPearce
    Participant

    I agree, more info is needed but this is certainly a start.
    My view would be that existing learners as at 25th May (?) just need to be made aware of the changes. Any new learner signed up on/after 25th May has to give the explicit consent regardless as to whether they have been on programme before.

    It’s a minefield – I’ll get my tin hat ready I think!

     
    #242772

    Martin West
    Participant

    I would assume that all Providers would have already prepared for the implementation of the GDPR from 25th May 2018 for all other purposes apart from the ESFA/DoE data collection requirements which form only a small part.

    The ESFA have revised the 17-18 and 18-19 Appendix F – Privacy Notice’s and the draft ILR specifications for 18-19 with revised contact preference codes with Valid To dates of 25/5/2018 for the opt-out codes although this is incorrect and should be 24/5/2018 but to date they have not amended the same change in the current 17-18 ILR Specifications.

    I am assuming that software suppliers (like Cognisoft) will have anticipated and be prepared for this oversight by the ESFA and will have updates to their systems ready for us all to use by the required date.

     
    #242807

    GaynorLF
    Participant

    I’ve tried to book on the Aelp workshop at Leeds but unfortunately it is fully booked, again. So little information out there it is rather worrying.

     
    #243483

    Paul
    Participant

    Hi all, as my GDPR file continues to bloat with research i’ve come across something that may be of use in making sense of it all. I was considering just biting the bullet and doing a GDPR/DPO certified course, but have now decided against this having come across this chap > http://www.davidfroud.com/there-is-no-such-thing-as-gdpr-certification-yet/

    This linked me onto another article by him, “The GDPR in plain English”, particularly the spreadsheet that is free to download at the bottom of this article. http://www.davidfroud.com/free-resource-the-gdpr-in-plain-english/

    Cheers Paul

     
    #243497

    Jaymie Smith
    Participant

    Martin, you are right to assume that we have anticipated and prepared for this.

    I’d just like to add that many providers focus specifically on learners, however GDPR also includes other individuals that need to be considered under the principles of processing. These are business contacts, next of kin details and other personal and identifying information they store.

     
    #243507

    yazz1992
    Participant

    Hi

    If we have paper records archived with a firm, eg. Iron Mountain, who would under GDPR be responsible, if things go wrong, eg. records going missing during a break in?

    Many thanks

     
    #244036

    RobPearce
    Participant

    Has anyone heard anything about how we’d handle right to be forgotten/erasure requests for learners submitted to the ESFA?
    I’m not sure if the fact that the contractual basis of collecting learner data for ESFA/AO processing would be enough for us to be able to reject this?

    If not, how do we/ESFA/AO’s cope with learners that have been in a claim at some point then just disappear?

    I’m hoping the legal basis of the collection of the data in the first place trumps the right to be forgotten.

    I’ve raised a call with the ICO but don’t know how long it will take to get a reply.

     
    #244231

    Martin West
    Participant

    Hi Rob,
    This does not apply where consent to process personal data is for a lawful purpose as in ‘A public task: for example, to complete official functions or tasks in the public interest. This will typically cover public authorities such as government departments, schools and other educational institutions; hospitals; and the police’.
    HTH

     
    #244263

    RobPearce
    Participant

    Thank you Martin.

     
    #244279

    Paul
    Participant

    Hi all, Information Life Cycle Audit complete (tick), but more questions than answers popped out 🙁 Action plan as thick as my arm, life is good.

    Just a very quick question, views on digital archiving? I’ve had a look through old forum posts and external sources but cant get a definitive answer. The best i’ve found was ‘evidence must be supplied in an acceptable format for audit’. Across the business i’m suggesting holding paper records for current year / past year, and high quality scan and digitally store the last 5 years.

    Any view appreciated, Paul

     
    #245499
Viewing 25 posts - 26 through 50 (of 81 total)

You must be logged in to reply to this topic.