As of 25th May 2018, the General Data Protection Regulation will come into force throughout the EU. "The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC ... "
The GDPR requires that organisations have a legal basis for processing personal data of individuals (referred to as Data Subjects). There are several bases for processing the personal data of Data Subjects, including the unambiguous consent of the Data Subject to do so. Organisations must prove that they have a legal basis for processing personal data, or otherwise face fines.
The Data Protection report in Insight is designed as an aid for schools to prove they have a legal basis to process personal data about staff, students and students' contacts (hereafter referred to as parents, although the contacts may not actually be parents). Each type of data stored by Insight is listed on the Data Protection report. The Data Controller(s) of the school can select any of the GDPR legal bases for processing that data, using the Data Protection report.
The Data Protection Report
The Data Protection report in Insight lists each item of data stored by Insight, regarding various stakeholders. The Domain lists the type of person whose data is stored/process and the Field explains exactly what data is stored/processed.
At the top of the page is the Data Controller field. This is used to select the email address of any of the Staff or Admin accounts within the Insight system. More than one account can be selected for this purpose and only Admin accounts can populate this field. Any accounts that have been specified as Data Controllers can specify the basis for processing data, as described below.
Any Insight accounts that have been listed as a Data Controller will see a button with a pencil icon next to each of the fields of personal data which Insight processes. These buttons are used to select one or more of the legal bases given by the GDPR in order to lawfully process personal data.
Clicking one of these buttons will open a window listed all of the GDPR legal bases. One or more of these can be selected, and any selections/changes are saved using the button at the bottom right of the window. It is the responsibility of the school to decide which bases are relevant for each type of data processed by Insight.
Note that some data can only be processed by using additional modules of Insight. In these cases, the Field of data will only be shown on the Data Protection report where the school has a licence for the relevant module.