FOI Request - SEEMiS Pupil Database
Request 101002673853
I would be grateful if you could provide the following information in relation to the SEEMiS pupil database:
1. How many registered users have access to SEEMiS in total, and what are their professional roles (e.g. teachers, teaching assistants, clerical staff)?
2. How is individual user activity on SEEMiS logged and audited, including remote access?
3. How can data subjects obtain logs of processing activity by named SEEMiS users?
4. How many SEEMiS data loss incidents (e.g. via hacking, social engineering, user error or misuse) have been recorded in the past three years, and how many have been reported to the ICO?
4. How is consent of data subjects and third parties (such as parents and siblings) obtained and recorded in relation to the processing of their personal data and special category data on SEEMiS? If no consent is obtained, how are data subjects (including third parties) notified that their data is being processed so that they can object, select which information to provide and/or decline to disclose it?
5. Where the legal basis for processing is not consent, please indicate the alternative basis/bases in respect of each SEEMiS module, with reference to the specific statutory gateways currently in force that permit such processing. I am especially interested in the legal basis for processing 'wellbeing' data without consent, given that wellbeing has no precise legal definition and creates issues around accessibility and foreseeability for data subjects, and most especially associated third parties.
6. Please confirm when the SEEMiS wellbeing module became operational in this area, and how data subjects and associated third parties can object to the processing of subjective wellbeing data that is not necessary for the provision of education.
7. How many data subjects (including third parties) have sought erasure or rectification of SEEMiS records since GDPR came into force on 25 May 2018, and how many of these requests have been complied with?
8. Please provide copies of internal and external communications, reports and minutes relating to SEEMiS for the past three years, with specific reference to legal and security issues, including GDPR, audit logging and user training.
Response 19.02.21
1. How many registered users have access to SEEMiS in total, and what are their professional roles (e.g. teachers, teaching assistants, clerical staff)?
All school staff have a staff record on SEEMiS, which means they are allocated a user account. There are currently 4,253 registered users of the SEEMiS management information system, but this includes leavers whose user accounts have been disabled. As a safety measure, if a log-on isn’t used for 100 consecutive days, the account is frozen, which allows that staff member’s access to be re-evaluated. Access to pupil records is dependent on the job role. Job roles include head teachers, teachers, support staff, music instructors, school librarians, educational psychologists and administrative staff. All teaching and clerical staff in schools can access SEEMiS as part of their professional role in updating records, etc.
2. How is individual user activity on SEEMiS logged and audited, including remote access?
This information is held by SEEMiS. The SEEMiS system has been developed over a number of years and, as such, the logging/auditing capabilities within each module/function vary depending on when they were developed. For further information, please contact letters@seemis.gov.scot
3. How can data subjects obtain logs of processing activity by named SEEMiS users?
In order to obtain personal data about themselves, data subjects would make a data subject access request ("DSAR") in accordance with data protection legislation. More information is available on our website at http://www.moray.gov.uk/moray_standard/page_119859.html.
4. How many SEEMiS data loss incidents (e.g. via hacking, social engineering, user error or misuse) have been recorded in the past three years, and how many have been reported to the ICO?
SEEMiS itself has not, to date, suffered any data loss incident.
4. How is consent of data subjects and third parties (such as parents and siblings) obtained and recorded in relation to the processing of their personal data and special category data on SEEMiS? If no consent is obtained, how are data subjects (including third parties) notified that their data is being processed so that they can object, select which information to provide and/or decline to disclose it?
Our school pupil data capture form contains a data protection statement, which is also on our website at http://www.moray.gov.uk/moray_standard/page_75569.html. A data check is made on an annual basis. Moray Council provides data protection information on our website at http://www.moray.gov.uk/moray_standard/page_119859.html. Further information is also available within our Notes for Parents booklet at http://www.moray.gov.uk/downloads/file110306.pdf and within individual school handbooks. Our schools have been provided with a standard privacy statement for their websites and handbooks.
5. Where the legal basis for processing is not consent, please indicate the alternative basis/bases in respect of each SEEMiS module, with reference to the specific statutory gateways currently in force that permit such processing. I am especially interested in the legal basis for processing 'wellbeing' data without consent, given that wellbeing has no precise legal definition and creates issues around accessibility and foreseeability for data subjects, and most especially associated third parties.
The personal data is processed in accordance with ‘public task’ legal basis as outlined in Article 6(1)(e) of the Data Protection Act, as processing this personal data is necessary in the performance of a public task, namely of providing an efficient and effective school pupil education service as required by the Education (Scotland) Act 1980.
6. Please confirm when the SEEMiS wellbeing module became operational in this area, and how data subjects and associated third parties can object to the processing of subjective wellbeing data that is not necessary for the provision of education.
The Wellbeing application was made available to SEEMiS members in October 2016. Each local authority decides itself what applications they use. Moray Council do not use the wellbeing module.
7. How many data subjects (including third parties) have sought erasure or rectification of SEEMiS records since GDPR came into force on 25 May 2018, and how many of these requests have been complied with?
No requests have been received.
8. Please provide copies of internal and external communications, reports and minutes relating to SEEMiS for the past three years, with specific reference to legal and security issues, including GDPR, audit logging and user training.
In accordance with section 12 of the Freedom of Information (Scotland) Act 2002, excessive cost, please be advised that we are unable to comply with this part of your request.