Exams, GDPR, and me.

Most young adults around the UK will have recently received GCSE and A-level results. The new, tougher GCSEs come with marks on the scale 1 to 9, whilst other exams and A-levels retain the alphabetic coding. This can be a stressful time for young people, especially if they are depending on the results in order to go to university. For some this will be a joyous time of great celebration; for others there may be questions about how the forecast mark was not achieved and why.

One of the questions that often comes up in families where the GCSE or A-level results have not met the grade expected is why that has happened. Obviously, a conversation with the school or college is very important and will help to get some insight, but unless you see how the exam script was marked, and the comments of the markers, it can be difficult to get a great insight from meeting with the school. Ultimately it may be that something was missed in the marking, or even in an award appeal, and you may not know.

One way to gain a greater understanding of the exam results is to make use of the new GDPR regulations that came into force in May 2018. GDPR has placed new obligations on organisations about how they handle personal data, and in particular how it is managed and made available to data subjects and other parties. For many organisations this has led to changes in what data is kept and how it is retained, and for many individuals it has enabled access to information held by organisations that was previously unknown. For example, GDPR allows you to request all records kept about you, and this can include information about your exam performance: your mark, examiner comments, and minutes of examination appeals panels. In universities these are often made available to students in any case, but this is not always true of GCSE and A-level exams, where it may matter just as much, if not more so. This may be an additional burden that schools and exam boards are not prepared for, and they will need to act if they receive such requests, as this information must be supplied free of charge. A Subject Access Request (as they are known) must be met within 40 days or there are legal consequences, so it is good practice to be familiar with what to do should one arrive.

So, if you want to find out more about your exam results and the institution does not provide them routinely, you can now request them under GDPR and the institution is required to provide them within 40 days. Helpfully, the Information Commissioner's Office has provided a useful guide on obtaining your detailed results and some guidance on how to make an appeal if you believe you have grounds. By using this approach you can gain real insight into the marking regime and also pick up if the examiner made a mistake, procedure was not followed, or even that there has been an unintentional bias introduced. This could make the difference between getting the grade that was expected or not, and for some this could turn disappointment into a success!

 

Is critical for business Business Critical?

Those of you going on holiday this week may have found the process a little less straightforward than usual, especially if you were travelling by air from Gatwick Airport on Monday 20th August 2018. Rather unfortunately for many travellers, the flight information screens at Gatwick failed, requiring staff to resort to using whiteboards to keep passengers up to date with flight departures and arrivals.

On the face of it, especially given the Twitter frenzy that subsequently broke out, this might seem like a major fail for the airport and the IT infrastructure that supports it. But really, just how critical for business was this issue, and was the contingency planning and response appropriate given the public nature of the service?

When looking at services and considering them in the context of their criticality to the business, you need to consider the risk, impact, possible mitigation and ultimately the cost of mitigated or unmitigated impact. In this case Gatwick could have quite easily mitigated this failure by having a redundant link to their flight information service provider. Certainly, in the University of Brighton case we have provisioned resilient links to all our sites and always connect to different exchanges to ensure that we are resilient against our downline supplier equipment failing. However, for a university, internet connectivity is business critical when the core business is teaching, learning, and research, which depend so much on access to information and data. For an airport, this may not be true so long as flight control systems and air traffic management can continue. But does that always apply?

Essentially it all comes down to risk and what value you place on it. When considering how much to spend on mitigation of risk, one must consider the probability of the risk and the impact if it came true, and then weigh that against the cost. In the case of Gatwick they appear to have concluded that a suitable mitigation using whiteboards was cost-effective and maintained core business without the need to invest in additional resilient data connections. Whilst travellers may be dissatisfied, departures and arrivals still took place on time and the core business of the airport is largely unaffected. In this case the damage to reputation may have a cost which must also be considered, but this could be short-lived providing the mitigation is effective.

So, in conclusion, when looking at business-critical services in your IT estate you need to consider the value of the service to the business and also have agreed service levels. Assess the risk and impact of the failure of the services individually, not forgetting any underpinning infrastructure, and devise a mitigation that meets the needs of the business at a cost appropriate to the level of the risk.

The one final question for Gatwick, and anyone else considering Business Critical services, is do you have a sufficiently good understanding of the risk in the first place? This is not the first public failure of infrastructure at Gatwick, and the last time it happened it disrupted core functions including arrivals and departures in the peak Christmas holiday season.