General Data Protection Regulations (GDPR) and the AoC MiDES Shared Benchmarking Service
MiDES is a well-established and valuable member benefit that we deliver in collaboration with our data partner RCU Ltd . The service provides colleges with a regularly updated suite of in-year benchmarked intelligence reports on key topics such as retention, recruitment, English & Maths, Value Added, deprivation, progression and apprenticeships. The service also provides a vital source of in-year information about the college sector as a whole, helping the AoC team to promote its importance and value to external stakeholders.
Confidentiality has always been an important principle of MiDES. Data is collected for the benefit of members and data about individual colleges or learners will never be shared with other colleges or third parties, without the express permission of that college.
GDPR, which comes into force on 25th May 2018, builds upon the Data Protection Act 1998, and includes increased accountability for data controllers and data processors and enhanced rights for data subjects. This letter provides information about how MiDES is compliant with GDPR and how the AoC and RCU have taken all necessary steps to safeguard personal data.
AoC’s lawful basis for processing personal data for MiDES reports is “necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller in accordance with GDPR Article 6(1)(e).” The public interest is for helping member colleges to understand, review and improve performance through a shared benchmarking service, ensuring that they meet their obligations under the Education Act (2011) to review the educational character of the institution and its mission and to have oversight of its activities.
MiDES reports also include the following special categories of data (personal sensitive); - ethnicity and learning difficulty and/or disability (LLDD) and great care is taken to ensure that this information is only presented at an aggregate level in the reports and during the transfer or analysis learner records are anonymised and/or encrypted. AoC’s lawful basis for processing this information is “necessary for archiving purposes in the public interest, or scientific and historical research purposes or statistical purposes in accordance with Article 89(1) of GDPR”. The purpose in this instance is to provide information that will help member colleges meet their obligations under the Equality Act (2010) and to promote social mobility.
The MiDES service has taken into account the rights of data subjects (learners) at all stages in the design and development. Wherever possible data is anonymised and encrypted in order to ensure that the use of personal data is minimised. Comprehensive data security arrangements are in place, accredited under ISO 27001, the international information security management standard.
An Information Notice related to the MiDES service is available on the AoC website. This provides information for your learners on the service, reasons for processing the data and their rights in relation to the processing. You may wish to use this Information Notice alongside other notices that you provide for your learners about the processing of learner data.
Further technical details of the MiDES service in relation to information security are provided below.
Details of MiDES and Information Security
Participating colleges upload their ILR to a central server and in return download benchmarked reports created by RCU Ltd. Downloaded reports contain only the college’s own data and aggregated sector benchmarks. The chart below illustrates the data flows within MiDES.
Key steps within the MiDES data flows are:
1. Participating colleges upload their Individualised Learner Record (ILR) via a secure encrypted SSL link from the MiDES website (mides.rcu.co.uk). Colleges are advised to anonymise their ILR in order to remove personal identifiers including learner name, address, email address, national insurance number and Unique Learner Number (ULN). A number of tools are available for doing this.
2. Uploaded ILRs are temporarily stored on a cloud-based server hosted by UKFast until the data from all participating colleges has been received. The data is fully encrypted.
3. When all ILRs have been received they are downloaded via an encrypted SSL link to the RCU data server. At this stage RCU loads key fields from the ILRs, none of which contain personal data, into an SQL server (RCU Data server) to create an over-arching MiDES database used for producing individual reports. RCU then deletes the individual ILR files supplied by the college. SQL databases are deleted when the need for producing reports or analysis is no longer required (there is a specified deletion date for each database).
RCU holds ISO 27001 accreditation, the international standard for information security management as well as Cyber Essentials certification. Data is held securely on dedicated servers located behind managed firewalls with rigorous user access controls. Further details of RCU data security procedures can be made available on request.
4. RCU creates individual college benchmarked reports from the SQL database. These reports do not contain personal data. They are uploaded to the MiDES server where they can be downloaded by an individual college. All data transfer is via secure encrypted SSL links.