Paul Strout, managing director of GDPR Assist, reminds schools of their obligations under UK GDPR to do their due diligence.

Schools have a vast array of technology available to them to support their pupils’ learning and development. Where that technology is provided as a cloud-based tool, schools should be mindful of the data sharing with external organisations that occurs and ensure that the sharing and processing by the school and the supplier does not introduce any unnecessary risk for their children or their staff.

As Claire Archibald of Derbyshire County Council’s Children’s Services Department says, “A school wouldn’t hand over printed details of all their pupils on request from a new supplier without first asking some serious questions, and yet schools often miss this important step when providing the data digitally to a new EdTech vendor”.

Under UK GDPR, schools have an obligation to conduct a Data Protection Impact Assessment (DPIA) when the processing is “likely to result in a high risk to the rights and freedoms [of people]”. The Information Commissioner’s Office (ICO) helps to clarify the meaning of this phrase by giving examples of activities which would indicate a “high risk”, and which would then require a DPIA. There are two examples which are of particular relevance to schools:

  • Using systems or processes which are new to the organisation, and
  • Processing personal data of vulnerable people

Given that children should always be considered as being vulnerable people, and that any proposed cloud system or process would be new to the school, it is clear that schools should be doing their due diligence and conducting a DPIA prior to implementing new technology which will be processing pupil data. The rise of cyber risks, including ransomware attacks and data thefts, also means that schools should be paying particular attention to these risks.

Claire Archibald says, “Not only does Data Protection law state that DPIAs must be conducted in advance of such new projects, but the UK Information Commissioner’s Office has reminded schools that they must consider their own and the Edtech vendor’s roles and responsibilities when procuring new services. The Department for Education has also made this obligation clear to schools in their Data Protection Toolkit for Schools. Schools cannot rely on ‘someone else’ to do the DPIA work for them. DPIAs are a helpful risk assessment to help schools to identify and mitigate risk and should be a routine part of new procurement processes”.

Speech Link Multimedia is committed to helping our schools with their obligations around DPIAs. Our Data Protection Officer (DPO), Paul Strout of GDPR Assist UK Ltd, says:

“We regularly receive questions from schools when they are looking at deploying our assessment products and we are very transparent about the processing involved with our products. As a processor acting under the instruction of the school, we ensure that our contractual terms include the protections a school should expect to see under UK GDPR, and we provide privacy information in plain language which describes what data will be processed on the school’s behalf and how we will do it. Any school is also welcome, indeed encouraged, to talk to us about any specific questions they might have”.

He says that common questions include:

  • Do we have a Data Processing Agreement? We do! Within our published terms
  • Do we transfer data out of the UK? No, all processing is within the UK
  • Do we encrypt data? We do, both when it is being moved between the school and us, and also when it is being stored by us
  • Do we use any non-UK suppliers to process data? No, we do not
  • What security certifications do we have? We hold Cyber Essentials Plus, and our UK hosting provider is certified to ISO 27001

Paul also says, “where an application is designed to be used directly by the pupils, then it will also need to comply with the Age-Appropriate Design Code. Our products are not specifically designed to be used in this way; however, we have assessed them against the code and can reassure schools that our products do comply”.

Schools in Derbyshire who utilise our Speech & Language Link products have benefitted from the support of Claire and her colleagues to conduct a thorough DPIA. “I support 100’s of schools to carry out DPIAs for 100’s of Edtech vendors. It was refreshing to work with Speech Link as they were so prepared to engage with me in the process and explain their processing. They clearly understand the importance of schools conducting a DPIA and really did help us meet our obligations. I can see they have a commitment to integrating data protection principles throughout their involvement in any handling of pupil personal data”.

We are proud of the work we have done to demonstrate to schools that we are deserving of their trust. There is a huge variety of vendors and technologies out there, and schools should not presume that all are safe for use. Instead, schools should engage their DPO and do their due diligence, conducting a DPIA and ensuring that they are appropriately safeguarding children’s data.

For simple, clear GDPR help and advice contact Paul at: gdprassist.co.uk