CELCAT Timetabler and GDPR Compliance
Pretty much everybody knows that the General Data Protection Regulation (GDPR) comes into force on 25th May 2018. Many sectors and industries will feel its impact, especially the Higher and Further Education sectors.
The fact that GDPR was adopted two years ago and yet is only now coming into force suggests that there are a lot of requirements for organisations to consider - far too many to go into detail now. However, they broadly encompass “data subjects” (where an individual’s personal data is held) being able to:
- request data access
- request data correction
- request data removal
- restrict data processing
GDPR also mentions pseudonymisation, a process to alter personal data in a way that the resulting data cannot be ascribed to a specific data subject without the use of additional information. This upholds the subject’s right to erasure - a more limited requirement than the right to be forgotten.
These new requirements have implications for all institutions, both colleges and universities, using CELCAT Timetabler software.
Whilst CELCAT is not normally the master source of personal data held by an institution, which typically is the Student Records System (SRS), Management Information System (MIS) or Human Resource System (HR)*, it is recognised that the CELCAT database may contain personal information regarding staff and students, and as such, the data needs to be made accessible and editable.
CELCAT Timetabler is GDPR Compliant!
To that end, a new addition to CELCAT’s Self-Service Portal (SSP) will be available shortly. Using SSP, students and staff (the data subjects) will be able to access their personal information stored in the Timetabler database on a mobile device. This feature is configured by an administrator (possibly your institution’s Data Protection Officer (DPO)) to show appropriate data and configure the fields that the subject can review, edit and even delete.
This will clearly need careful thought and consideration before putting into operation. For example, a student’s email address may be stored to fulfil institutional requirements such as notifying students of critical timetable changes or providing a personalised student timetable. It’s storing and using the student’s email address that facilitates these functions within the CELCAT Timetabler suite.
Institutions will also need to consider whether it is operationally necessary to retain certain information about staff and students. For example, is it necessary to store the gender of students? You’ll be pleased to know that Name and Unique Name are the only mandatory fields required within the staff and student records.
When Timetabler is synchronised with a master database using CELCAT’s integration tools, administrators and DPOs can elect to import only the data essential for producing timetables and using the CELCAT solutions to meet institution requirements.
GDPR and Legacy Databases
We’ve seen how GDPR compliance works in a production environment, but what about those legacy databases that aren’t accessible to the data subject? Whilst there may be good, even legal, reasons why an institution needs to store historic databases, a procedure should be established to obfuscate the data as soon as permissible. CELCAT Timetabler’s Resource Wizard allows administrators to alter records en masse, particularly where the data held may be viewed as sensitive. Simply identify the primary key for your staff and students (this is either the Name or Unique Name field) and configure the Resource Wizard to edit all other fields by inserting a blank. This will remove the sensitive data whilst retaining perhaps a staff or student code.
It is also possible to create and run SQL scripts to pseudonymise historic data.
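As an added illustration (not CELCAT code, and not taken from the Timetabler schema), the sketch below runs SQL through Python's built-in SQLite module to pseudonymise a constructed legacy database. The table and column names are hypothetical. The pseudonym is a keyed HMAC, so the key is the "additional information" needed to re-link a record and must be stored separately from the database.

```python
import hashlib
import hmac
import sqlite3

# Hypothetical schema: not CELCAT's real table or column names.
SCHEMA = """
CREATE TABLE student (unique_name TEXT PRIMARY KEY, name TEXT NOT NULL,
                      email TEXT, gender TEXT);
CREATE TABLE event_student (event_id INTEGER, unique_name TEXT);
"""
# Constructed sample rows.
ROWS = [("s1001", "Alice Example", "alice@example.org", "F"),
        ("s1002", "Bob Example", "bob@example.org", "M")]
LINKS = [(1, "s1001"), (1, "s1002"), (2, "s1001")]


def pseudonym(key: bytes, identifier: str) -> str:
    """Keyed, deterministic pseudonym; re-linking requires the key."""
    digest = hmac.new(key, identifier.encode("utf-8"), hashlib.sha256)
    return "P-" + digest.hexdigest()[:16]


def build_legacy_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO student VALUES (?, ?, ?, ?)", ROWS)
    conn.executemany("INSERT INTO event_student VALUES (?, ?)", LINKS)
    conn.commit()
    return conn


def pseudonymise(conn: sqlite3.Connection, key: bytes) -> int:
    """Rewrite keys, blank optional fields, keep timetable links intact."""
    ids = [r[0] for r in conn.execute("SELECT unique_name FROM student")]
    with conn:  # one transaction: all rows change or none do
        for old in ids:
            new = pseudonym(key, old)
            conn.execute("UPDATE event_student SET unique_name = ? "
                         "WHERE unique_name = ?", (new, old))
            # Name is mandatory, so it takes the pseudonym; the rest go blank.
            conn.execute("UPDATE student SET unique_name = ?, name = ?, "
                         "email = '', gender = '' WHERE unique_name = ?",
                         (new, new, old))
    return len(ids)


if __name__ == "__main__":
    db = build_legacy_db()
    print(pseudonymise(db, b"constructed-demo-key"), "records pseudonymised")
    print(db.execute("SELECT * FROM student").fetchall())
```

Because the same key always yields the same pseudonym, historic timetable rows stay linked to one another without exposing who they belong to.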
* Where institutions are using integration tools it is important to check that any changes made in CELCAT Timetabler are also made in the master database. If not, any alterations and deletions may be overwritten.