As suggested by Rob I have asked my CEO to contact the ESFA and AELP to push the issue.
Thanks for the video link, although as you stated it is obviously aimed at schools and I can’t find the ‘follow up’ video either !March 6, 2018 at 4:22 pm #240768
I’ve been copied into email from ESFA stating:
Our data folk are attending the upcoming AOSEC and AOC conferences to talk about the ILR changes for 18/19, and the changes to the privacy notice which has been reworded and republished for 17/18 in regards to GDPR. The online ILR support manuals for both 2017/18 and 2018/19 provide some details. We are still working with our legal team to make sure the changes to the privacy notices are sufficient for GDPR – we know that in some circumstances we will be able to still use the consent obtained before 25th May if it meets the new requirements on valid consent, but please be reassured that we are still working on it and as soon as DfE are sure of our position we will be sharing our views with the sector.
Hopefully some more definitive information will be issued after this has happened – fingers crossed!March 7, 2018 at 3:52 pm #240987
Flipping heck, why *on earth* are they talking about consent??? What we really want to know is is our basis for collecting the information they demand from us a Legitimate Interest? I don’t really want to have to rely on Contract as I’m wary about 16 year olds being allowed to sign one…
Also, it’s hardly rocket science to work out that NONE of the opt-out consent for ESFA contacting learners collected before 25th May is valid, that’s the easy bit!!!March 8, 2018 at 9:49 am #241108
And data retention periods.. Is this the same as the document retention period?March 8, 2018 at 10:00 am #241114
Interesting question Simon re: Data retention.
We’re shortly moving to a new MI system and will only be migrating 3 years worth of learner records.March 8, 2018 at 2:48 pm #241183
We have been sending out GDPR updates for quite some months now and are well aware of how far through the process certain departments are. There is quite a lot of clarification still to come from the ESFA and some of that is coming in the drafts of the 2018/19 ILR Specification.
We are querying changes as necessary to prepare our customers for May. Despite the situations still being fluid, we are currently sending out our GDPR Information Pack to help customers meet requirements under processing however we think it’s key for controllers(ESFA/DfE) to define processing conditions under contract.
CogniSoft LtdMarch 8, 2018 at 4:52 pm #241227
Just bumping this thread up to page 1 as a reminder – 52 working days for GDPR – minus whatever time it will take you to re-print enrolment forms, update websites, online platforms, train staff etc etc.
Really hope the Agency provide some information soon, really want to avoid the risk of having to re-do elements of it.March 13, 2018 at 1:24 pm #242086
Sorry – make that 49 working days, forgot about Easter and May day Bank hols!March 13, 2018 at 1:25 pm #242088
I agree! I’ve chased contacts I got from ESFA and also AELP but no reply from either. Don’t know if anyone else has had any more luck than me (or have friends in higher places!)
Baffling why there is still no communication out on this.March 13, 2018 at 1:29 pm #242090
We’ve had a reply today from a contact at AELP that states:
“There is some pressure being applied on ESFA to come out with a statement on what they are doing on GDPR”
We continue to wait !March 14, 2018 at 4:34 pm #242356
I’ll avoid holding my breath I think! Positive though that AELP are on the case though. With any luck we’ll get some guidance to take any action needed before the legislation actually comes into force!March 15, 2018 at 3:07 pm #242578
Are you going to to AELP Workshop in Leeds on 10th April, it’s a bit late in the day I know but I’m really hoping it’s a useful event?March 15, 2018 at 4:14 pm #242601
Thought it would be useful to update those in this thread with the information I received today from a contact @education.gov.uk It contradicts the worrying story that we would have to go back to all existing learners and ask them to re-sign around data processing etc. From reading the below message, it seems providers would have to just make learners aware of the changes and give them the option to opt out.
….I attended a government summit on GDPR… where the question of how GDPR applies to existing data came up. The advice from the Government Legal Office was that the regulation will not automatically apply retrospectively. I don’t think we should worry about applying a blanket ban on using old data. What matters is that third parties have a legal basis for processing the data (i.e. contacting learners). Any existing consent will still be valid as long as data subjects are informed of the new terms, either through revised Privacy Notices, or revised consent forms. Previous consent can be withdrawn if the data subjects exercise their new rights to restrict processing.March 16, 2018 at 11:13 am #242756
Hi Alison, just seen your message.
I’ve been trying to find out from AELP exactly what will be covered. I don’t want to go or send one of my team if it’s just going through what the legislation is. I’ve been to a number of those now. I’m after, as I’m sure others are, some specific advice on what we should do with new/existing learners and ideally the type of wording we should be using on learner forms etc. I strongly feel that there should be consistency across the sector and this could be a really good way of that happening.
Unfortunately I’m still waiting for a reply from AELP so don’t know whether I will be going yet.March 16, 2018 at 11:27 am #242758
Mmmmm definitely going to need some ESFA guidance in light of this development. Scope for confusion I think.
If we’re now saying that ‘old’ consent is still ok to use so long as data subjects are informed and have the opportunity to withdrawn their consent. (avoiding, for now, the issue of how we prove all data subjects have been informed)
If a returning learner (consent previously given on auto opt in) re-enrols onto another course post 25th May and doesn’t positively give consent – then does that mean it’s still ok to use the previous consent or does it mean they have withdrawn their consent (even though they haven’t actually positively stated they’ve withdrawn consent).
Or am I over thinking it!March 16, 2018 at 11:54 am #242762
I agree, more info is needed but this is certainly a start.
My view would be that existing learners as at 25th May (?) just need to be made aware of the changes. Any new learner signed up on/after 25th May has to give the explicit consent regardless as to whether they have been on programme before.
It’s a minefield – I’ll get my tin hat ready I think!March 16, 2018 at 12:06 pm #242772
I would assume that all Providers would have already prepared for the implementation of the GDPR from 25th May 2018 for all other purposes apart from the ESFA/DoE data collection requirements which form only a small part.
The ESFA have revised the 17-18 and 18-19 Appendix F – Privacy Notice’s and the draft ILR specifications for 18-19 with revised contact preference codes with Valid To dates of 25/5/2018 for the opt-out codes although this is incorrect and should be 24/5/2018 but to date they have not amended the same change in the current 17-18 ILR Specifications.
I am assuming that software suppliers (like Cognisoft) will have anticipated and be prepared for this oversight by the ESFA and will have updates to their systems ready for us all to use by the required date.March 16, 2018 at 2:21 pm #242807
I’ve tried to book on the Aelp workshop at Leeds but unfortunately it is fully booked, again. So little information out there it is rather worrying.March 19, 2018 at 9:34 am #243483
Hi all, as my GDPR file continues to bloat with research i’ve come across something that may be of use in making sense of it all. I was considering just biting the bullet and doing a GDPR/DPO certified course, but have now decided against this having come across this chap > http://www.davidfroud.com/there-is-no-such-thing-as-gdpr-certification-yet/
This linked me onto another article by him, “The GDPR in plain English”, particularly the spreadsheet that is free to download at the bottom of this article. http://www.davidfroud.com/free-resource-the-gdpr-in-plain-english/
Cheers PaulMarch 19, 2018 at 11:52 am #243497
Martin, you are right to assume that we have anticipated and prepared for this.
I’d just like to add that many providers focus specifically on learners, however GDPR also includes other individuals that need to be considered under the principles of processing. These are business contacts, next of kin details and other personal and identifying information they store.March 19, 2018 at 12:21 pm #243507
If we have paper records archived with a firm, eg. Iron Mountain, who would under GDPR be responsible, if things go wrong, eg. records going missing during a break in?
Many thanksMarch 21, 2018 at 2:25 pm #244036
Has anyone heard anything about how we’d handle right to be forgotten/erasure requests for learners submitted to the ESFA?
I’m not sure if the fact that the contractual basis of collecting learner data for ESFA/AO processing would be enough for us to be able to reject this?
If not, how do we/ESFA/AO’s cope with learners that have been in a claim at some point then just disappear?
I’m hoping the legal basis of the collection of the data in the first place trumps the right to be forgotten.
I’ve raised a call with the ICO but don’t know how long it will take to get a reply.March 22, 2018 at 12:15 pm #244231
This does not apply where consent to process personal data is for a lawful purpose as in ‘A public task: for example, to complete official functions or tasks in the public interest. This will typically cover public authorities such as government departments, schools and other educational institutions; hospitals; and the police’.
HTHMarch 22, 2018 at 1:14 pm #244263
Thank you Martin.March 22, 2018 at 2:25 pm #244279
Hi all, Information Life Cycle Audit complete (tick), but more questions than answers popped out 🙁 Action plan as thick as my arm, life is good.
Just a very quick question, views on digital archiving? I’ve had a look through old forum posts and external sources but cant get a definitive answer. The best i’ve found was ‘evidence must be supplied in an acceptable format for audit’. Across the business i’m suggesting holding paper records for current year / past year, and high quality scan and digitally store the last 5 years.
Any view appreciated, PaulMarch 27, 2018 at 2:27 pm #245499
You must be logged in to reply to this topic.