Covid-19 and Schools
From the point of view of both an educationalist and someone working in data protection and privacy, the drive on remote learning generated by Covid-19 (coronavirus) has been interesting to watch. Whether you view the offers from many companies to provide or enhance tools free of charge to organisations as real evidence that the tech community wants to do its part, or take the cynical view that this is a fantastic opportunity to get as many organisations as possible to try out tools, no-one can deny that there is a wealth of offerings now available.
Schools have a strong history of dealing with critical incidents, due to weather, illness or environmental factors (e.g. asbestos). Every school will have a Critical Incident Plan. Some may call it a Business Continuity/Disaster Recovery (BCDR) plan or slight variations, but it amounts to the same. This can be extremely specific or can be more general and flexible, but the DfE has some core guidance on approaches to take.
From a data protection and privacy stance, there are some key areas that all staff need to think about and follow, and these should also be within a home working policy. We have produced a helpful and accessible video to talk through the areas staff should be aware of and this is openly available for all schools to use with their staff.
The educational drive to find the right tools to support home learning during a school shutdown has led to some risky actions by some schools. Whilst some schools already have tools and learning solutions in place that have undergone a rigorous procurement process including risk assessments (DPIAs), and a thorough adoption programme with staff, learners and parents, many have not. As a result, insufficient due diligence is being carried out on many of the offerings from EdTech providers. We have put together some simple actions that schools and trusts should take, and that EdTech providers should be aware of and support.
- Make sure that you can access and have reviewed your suppliers’ Privacy Notices and any associated policies / T&Cs. We know it can take time, but you wouldn’t walk into a science lab and just chuck liquids from different bottles into the same beaker. Surely you would want to know what they are, how they react with one another and the risks associated?
- Where the service is delivered through the school (i.e. not directly to the parents/children) ensure the relationship is clear that you are the Data Controller (i.e. you make the decision about the purpose and the means) and the provider is the Data Processor. Where the provider is making some decisions, this could make them a Joint Data Controller and agreements need to reflect this.
- Ensure you know the lawful basis for processing. Where you are the data controller, this will be more easily established. The DfE Data Protection Toolkit for Schools states that Public Task is a possible lawful basis after Legal Obligations. Some providers will tell you that you must get parental consent. This is based on approaches in the US to comply with their legislation and is not appropriate for most educational activities that are part of your official duties.
- Where the provider is also a data controller, you need to ensure that they are transparent about what they are doing with the data and that you are happy with that. If you are making it so that children have to use this tool, then consent cannot be appropriate, even if the provider insists on Parental Consent.
- Make sure you know how long the data is kept for. It may be that you are only trialling this tool. You need to make sure that any data will be removed and destroyed when it is no longer needed by you and that you can show evidence of this.
- There should also be a clear explanation of how any data breaches experienced by a provider (or their sub-processors) will be reported to you, the Data Controller. Remember that where a breach is reportable, there are 72 hours to report it. Make sure you are being told when a breach occurs.
- You are likely to need to undertake a risk assessment / DPIA. These are a crucial requirement on new services/types of processing and are often insightful even for legacy services. https://www.educationdatamatters.org.uk has some example templates for DPIAs to help you with what questions you must ask yourself.
- Where you already have access to tools through your Local Authority, your MAT, your broadband/services provider or other groups you are part of, a significant number of checks will already have been done, and what matters more is how you use the tools. Speak to these providers to see how you can get the most out of tools you already have.
Whilst the above seems quite a lot to take in, these are all things that you should be doing anyway when reviewing any agreements and arrangements with providers. Without this, you cannot update your Privacy Notice or any relevant policies and procedures.
We are asking any organisations pulling together lists of tools that can be used for remote learning to make sure that they ask the following of anyone being added to that list.
“Where you provide a service that makes use of personal data, please ensure that you include a link to your Privacy Notice(s). These should follow ICO guidance and where the service is delivered through the school (i.e. not directly to the parents/children) then the relationship as a data processor of the school or joint data controller should be clear including purpose, lawful basis, security, retention and breach management.”
This is no guarantee of compliance by any particular provider; no relevant Code of Conduct or certification exists for that yet. However, it is a good starting point.
You can find additional information and examples of good practice around the use of technology from the following links: