Meeting GDPR compliance with RM Integris
In May 2018 the Data Protection Act will be replaced by the GDPR (General Data Protection Regulation).
RM acts as the data controller for its employee data and acts as a data processor for many of its customers. It has a range of measures in place to achieve compliance with current legislation and is reviewing these in order to ensure compliance with the GDPR before it becomes law. The ICO (Information Commissioner's Office) has issued guidance documents on GDPR transition, including “Preparing for the General Data Protection Regulation (GDPR) – 12 steps to take now.” RM is using this guidance to review its legal and contractual obligations, and where necessary, make the appropriate amendments to policy or practice.
RM has established a GDPR Working Group, with membership drawn from across the RM Group, to oversee the transition work. This group reports to the Group Security & Business Continuity Committee, which acts on behalf of the Executive on all matters relating to security and data protection governance. Find out more here
Does RM Integris process data in compliance with GDPR?
RM Integris’ approach to data protection management is designed to be compliant with data protection legislation, including both the Data Protection Act and GDPR when it comes into force in May 2018.
You can find out more information about how we process data on our Cloud Services Framework here.
How can RM Integris help with my GDPR compliance?
RM Integris has a range of functionality that can help you with your GDPR compliance, such as:
You should document what personal data you hold.
To help you with your information audit, we have provided a list of all the personal information that is held within RM Integris.
More on Information Audit here.
Don’t forget, you may have other information on an individual held elsewhere in your school or with other software providers that you should also include in your audit.
RM Integris Datashare
An important aspect of GDPR is that the data controller knows where their data is held and with whom they have shared it. RM Integris Datashare puts you in control of what you want to share from RM Integris with other third-party software providers. It supports you with your responsibilities as a data controller by giving you visibility of what data is shared with specific parties in an easily accessible, user-friendly format.
It provides you with greater control, enabling you to grant and withdraw permissions and giving you the ability to manage third parties accessing your data; so you can see who can access your data and the purpose of their access.
More on RM Integris Datashare here.
You must decide under which lawful basis you are processing data. Most of your data processing will be carried out under a legal obligation or public interest. There may, however, be some data processing where consent is required from the parent or child.
In the RM Integris Parental Consent module, you can record, manage and report on consent.
More on Parental Consent here.
Personal data must be kept accurate and up-to-date.
The Student Update Form (or Staff Update Form) within RM Integris allows you to easily and regularly check that the data you hold on an individual is accurate and up-to-date. The Document Storage module allows you to assign these forms electronically against each student or staff member. The Audit Log shows who has made changes to your data and when.
More on the Student Update Form in Introducing Student Reports here.
Subject Access Requests (available now)
Individuals have the right to request all or any information you hold on them.
The Subject Access Request Report in RM Integris enables you to report on all the data (or specific groups of data) you hold within RM Integris on any individual.
Don’t forget, you may have other information on an individual held elsewhere in your school or with other software providers, which you should also provide.
Read more on Subject Access Requests for Students here and for Staff here.
Data Deletion (available now)
The data you hold should only be kept for as long as is necessary, in accordance with your retention policies. RM Integris enables you to delete data when required in accordance with your retention policies.
In certain circumstances, individuals have the right to erasure. This means that the data subject has the right to request that their data be deleted or removed where there is no compelling reason for its continued storage.
RM Integris enables you to process a 'right to be forgotten' request.
The Data Deletion functionality enables you to select an individual or groups of individuals, and delete all of their personal data stored in RM Integris.
Don’t forget, you may have other information on an individual held elsewhere in your school or with other software providers, which you should also delete. You should process these requests in line with your privacy policies and your retention policies.
More on Data Deletion for Students here and for Staff here.
Can I delete data within RM Integris?
Yes. You now have more control to do your own erasures within RM Integris on student and staff data held in the former roll.
How long should we retain personal data?
Records should be kept for the amount of time stated in your retention policies. Unfortunately, we cannot advise how long you should keep certain records. The DfE does reference the IRMS toolkit for schools for suggested data-retention timeframes.
What do you do with the data recorded in RM Integris?
We store it for your use only and process it in accordance with your instructions.
Where is the data stored?
In a secure UK datacentre.
Do you share the data with any third parties?
The data is only shared with third parties that you have agreed to, either through Datashare or by consent with your local authority.
What would you do if there were a data breach?
We would close the breach where possible by disabling access to the affected system, until a correction could be made. The suspected breach would be reported to the data controller.
Does your contract clearly state that RM Integris complies with GDPR, and show how data is stored?
Yes, all relevant policies, procedures and documents are being reviewed, and where appropriate revised as part of our GDPR Transition Programme. The review and revision of these documents will be completed by the time GDPR comes into force in May 2018.
Where can I find guidance on Privacy Notices?
GOV.UK provides guidance on Privacy Notices here.
What happens if the data included in the relevant category is in excess of the data needed by the third party to provide the services?
The ICO recognises that data protection practices must take account of technical constraints. Legally, as long as the customer has agreed, for example by agreeing to the relevant Ts & Cs, it is possible to allow access by third parties to the entire MIS database.
RM does NOT do this.
RM Integris Datashare separates your data into categories rather than allowing access to the entire dataset. At this time it is not possible to separate the data into more granular categories, although we are continually reviewing our service and exploring ways to improve.
RM goes the extra mile to assist you in ensuring your data is treated lawfully and in accordance with data protection legislation. We do this in four ways:
Transparency and control. RM Integris Datashare provides user-friendly screens which allow authorised users in your school to manage your data sharing. This gives you greater control and visibility of what you are sharing and with whom;
Agreements with providers. We have an agreement in place with all providers on RM Integris Datashare. This requires providers to process data lawfully and in compliance with the customer’s instructions;
Additional security diligence. Rather than relying on just a signed contract, RM also requests that all providers complete a security questionnaire, which gives RM confidence that the appropriate technical and organisational measures are in place; and
Verification of compliance. To give our customers additional confidence (if any was needed) that the GDPR is being fully complied with, our providers sign a verification of compliance document.
You will have an agreement with the provider, allowing them to process your data. You should satisfy yourself that this contains clear instructions about what data you are allowing to be processed, and for what purpose.
How does the contractual relationship with the third parties work to transfer Personal Data?
When you use RM Integris Datashare, you are authorising RM to share certain categories of data with your authorised third parties.
It is important that the terms and conditions entered into with third parties reflect the nature of the relationship. The terms should be GDPR compliant and contain an adequate indemnity regarding the data security.
As Controller, schools should be aware of, and the third parties should be able to confirm upon request: the subject matter of the processing; the duration of the processing; the nature and purposes of the processing; the types of data being processed; the categories of data subject being processed; and the plan for destruction at contract expiry.
How does the process of a third party exporting data work?