Data Protection: Two words that pack a punch
The guidelines that have arisen from this growing industry are no doubt important and aligned with international schools' shared mission to keep students safe. As our digital world becomes ever more entwined with our daily lived experience, data protection keeps students safe and prompts schools to be more explicit about the relevant procedures.
However, gaining confidence in the burgeoning field of Data Protection can seem like an overwhelming task. Given the pitfalls of having to communicate about data breaches, respond to personal data requests, and ensure staff are appropriately trained, it is worth building a shared understanding of how to approach the problem.
Equals Student Protection
If the perspective is adjusted to see data protection as simply student protection, it invigorates our commitment to students' wellbeing. Equally, the responsibility of our colleagues and the extended community is unmistakable. Accrediting organisations such as CIS have also strived to make the connection between data protection and student safeguarding explicit.
Whether a teacher, accountant, sports coach or bus driver, we all have a duty of care to the school community. To that end, this article will signpost many practical resources to give your school the tools for a robust approach.
Exposure
We are no doubt aware of the possible consequences of non-compliance and of exorbitant fines, depending on the realities of legal entanglements in our respective regions. What resources help us keep this in perspective?
The CMS.Law GDPR Enforcement Tracker is an overview of the fines and penalties that data protection authorities within the EU have imposed under the EU General Data Protection Regulation (GDPR, DSGVO). This useful database shows the types of individuals or companies that have been fined recently, how much, and what they were fined for. The focus appears to be on guiding companies towards compliance rather than being excessively punitive. https://www.enforcementtracker.com/
For further information, consult the relevant authority for your region, as found in this list of national data protection authorities: https://en.wikipedia.org/wiki/National_data_protection_authority
There is no ‘one-size fits all’.
What’s right for one school won’t always be right for the next. Take a sensible approach to assessing how your school manages data. Each school has different systems and a different set of expectations; a willingness to learn and to reach out to others for support is the best way to fulfil your obligations to keep your data, and your organisation, safe.
What and Why - and for how long?
The hardest part is knowing where to start. No doubt your school will already have some procedures or documentation in place. Is it centralised, up-to-date and accessible to the right people? If not, it's time for an audit. And if it is, great! Get the next audit scheduled to keep it that way!
You must be able to justify the information you are storing: it has to have a purpose. The purpose for collecting the data is the legal basis on which an organisation complies with data protection guidelines. All the data sources you access and create must be risk assessed periodically. Keep asking yourself why you need the data and whether it could be stored more securely. Set an expiry date on data you no longer need and make sure you stick to it.
Each data category has its own legal basis, in order to prove that the collection is done purposefully. You must be able to justify the collection under the principle of purpose limitation.
Purpose Limitation: Personal data should only be collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
One of the biggest cultural challenges you will face is convincing your colleagues to change old habits. It is not enough to say you are keeping data “just in case” or “that’s how we’ve always done it”. If somebody is reluctant to change the way they do things, remember to find out why.
For example, is there a technology or training problem that’s causing your colleagues to stick to a less secure way of storing data on paper? Do they need help using the VPN for the fifth time so that they can work at home without printing out sensitive data? Have patience and empathy, and give your colleagues the same support and information they need to get on board with changes as you would a student. More, even, because students have been trained to take in much more information quickly!
Conversely, has a teacher found a new app that they want to use? Discuss it with them and consider their reasons. If you dismiss suggestions arbitrarily and don’t consider the teacher’s needs, you might find they go ahead anyway because you haven’t offered them a good alternative or explained the dangers of putting school data in an unauthorised application. Ask them how they like unsolicited sales calls and they’ll see the reasons. Data is a powerful commodity, and there are many levels of negative consequence if it is not safeguarded well, from unwanted phone calls, to salary cuts as your school receives a hefty fine, to even worse outcomes. Again, the best thing to do is to make sure your school culture is inclusive and communication is free and encouraged; your colleagues will then see that you are trying to make their lives easier.
Define the scope of a subject access request (SAR)
One of the most common fears schools share with us concerns where to start with a Subject Access Request and how you can possibly gather all the data held about a subject. A SAR is a request made by or on behalf of an individual for the information which they are entitled to ask for under Article 15 of the UK GDPR, although they do not have to refer to this when requesting their personal data. Some data protection guidelines may initially provide 30 days to comply with a request, but extensions can likely be arranged. A common reason for granting an extension is the need to redact or protect other subjects’ data while complying with the original request.
Always start by understanding why the request was made; parents usually have genuine concerns for their children and would be open to discussing what information they are looking for. They may be able to limit their request to particular interactions, or even specify the system(s) they would like data from. As part of your community, parents are not trying to cause you a great deal of trouble or work; they want to be listened to and to see that the school is taking appropriate steps to protect their children’s wellbeing. Exemptions may apply if documents are labelled as confidential. Schools should also verify the identity of the requester and confirm that they, or their legal guardian, have the standing to request the data.
In an emotionally charged situation where a teacher-parent relationship is at risk of breaking down, having an independent DPO to speak to may help you to negotiate an agreeable outcome with the parent.
Another essential tool in your compliance journey is your Privacy Policy. If you’ve already set out what data you store and how you use it, use that as a map to start gathering the information you need to provide. You can only provide what you store, so setting your own retention or obsolescence policies is very important to ensure you are not creating too great a task for yourself.
You don’t need to re-invent the wheel
There are many free (and some paid) resources available to help in your Data Protection journey.
Faria group resources
Faria Education Group’s own Security and Data Protection notices can be found at http://www.faria.org/secure. The page includes a link to a useful country comparison tool for Data Protection Laws of the World: https://www.dlapiperdataprotection.com/
MiniPD is a Professional Learning Hub created by and for educators around the globe. You can find a variety of topics, including Digital Rights Management and Digital Citizenship, to learn in a personalised coaching session. https://app.minipd.com
The resources below were kindly recommended by a speaker at one of the Faria Professional Learning Community events, Tony Sheppard from Net Support Software. Faria Education Group cannot advise on the suitability of these resources for your school, but shares them for your own assessment. You can also watch the recording of our event with Tony.
Auditing frameworks and resources
Find out where you're at using the ICO Accountability Framework. This site provides a free tracker and self-assessment tool to get you thinking about the areas you need to address. https://ico.org.uk/for-organisations/accountability-framework
GDPRiS provide free resources, like posters and videos, that you can use to grow a culture of awareness in your school, as well as some great mind maps to start you asking the right questions. https://www.gdpris.co.uk
The Information Management Toolkit for Schools has been created to help schools manage their information in line with the current legislative frameworks. https://irms.org.uk/page/SchoolsToolkit
Publish what you’re doing to keep data safe. Tell your school community how you work with data in an easily digestible format using the free, open-source Privacy Notice Design Patterns (by https://juro.com and https://stefaniapassera.com/).
Resources for teaching students
Guidance for teaching students to develop into safe, responsible digital citizens. This resource from the UK Council for Internet Safety gives a good grounding in the expectations for children in their digital lives. This can be key when looking at the different apps and tools that will be used within your school, giving you some useful benchmarks for any assessment of suitability. https://www.gov.uk/government/publications/education-for-a-connected-world
For those looking at curriculum materials to further support this, see the work of South West Grid for Learning - https://projectevolve.co.uk
For self-support materials for children and parents, the ICO funded a young person’s toolkit featuring videos and games from the London School of Economics and Political Science: https://www.lse.ac.uk/my-privacy-uk
Training courses and specialists
For specialist areas of training, such as handling DSARs, breaches and records management (all areas of responsibility that may be delegated to various staff in your school), there are a number of UK-based training providers, most of whom run their sessions online:
Tim Turner at 2040 Training runs some very specific, and very amusing, courses. https://2040training.co.uk/
Emily Overton is pretty much the Records Management guru, and she can be found at https://rmgirl.co.uk/
BCS run courses on Data Protection: https://www.bcs.org/qualifications-and-certifications/certifications-for-professionals/gdpr-and-data-protection-certifications/bcs-foundation-certificate-in-data-protection/ and https://www.bcs.org/qualifications-and-certifications/certifications-for-professionals/gdpr-and-data-protection-certifications/bcs-practitioner-certificate-in-data-protection/ ... there is a range of providers for these courses. The team at Data Protection Advisory Service are brilliant for these (https://www.dataprivacyadvisory.com/dpas-training/), and they pull in experts from different sectors to add to the experience too.
The International Association of Privacy Professionals (IAPP), https://iapp.org/, have CIPP/X courses that look at privacy and data protection legislation on a regional basis, as well as courses on privacy technology and privacy management (CIPT and CIPM respectively). They also have a wealth of information about the changes going on around the world, but most of it is not sector-specific, so you have to do a lot of reading between the lines about certain things.
9ine provide software and solutions for enabling safe and secure technology use in schools, including independent consultancy and professional development services. https://www.9ine.com
Strategic bodies for standardising processes
These bodies also offer useful templates for data processing agreements when signing contracts with third parties.
The Access 4 Learning Community is also doing a lot of work to help standardise approaches to privacy, data protection and interoperability. They have a lot of experience (they were formerly the SIF Association, specialising in the global standard for school data interoperability), and are focusing on a Global Education Security Standard (heavily NIST based) and a Global Education Privacy Standard. These will fit into the National Data Privacy Agreement that they have written as a template approach for vendors. https://www.a4l.org/default.aspx
This is balanced by the work in the UK of the Digital Futures Commission, https://digitalfuturescommission.org.uk/. Whilst a lot of what they look at is digital life in general, they do have a strong workstream around education.
This links into work by EDDS, https://www.edds-education.org/, on the IEEE standard for the Age Appropriate Digital Services Framework ... which, coincidentally, feeds into the work of A4L.
So, there will be standards coming along to help with assessing various digital technologies, and even some certification at some point. The work on plain-English, readable data processing agreements will also feed into this, so hopefully you will see more DPAs like this one: https://classroom.cloud/data-processing-agreement/
Contributions to this article are thanks to:
Ioanna Karariga
Adam Morris
Sally Marshall