Schools have a vast array of technology available to them to support their pupils’ learning and development. Where that technology is provided as a cloud-based tool, schools should be mindful of the data sharing with external organisations that this involves, and ensure that the sharing and processing by the school and the supplier doesn’t introduce any unnecessary risk for their children or their staff.
Under UK GDPR, schools have an obligation to conduct a Data Protection Impact Assessment (DPIA) when the processing is “likely to result in a high risk to the rights and freedoms [of people]”. The Information Commissioner’s Office (ICO) helps to clarify the meaning of this phrase by giving examples of activities which would indicate a “high risk”, and which would then require a DPIA. There are two examples which are of particular relevance to schools:
- Using systems or processes which are new to the organisation, and
- Processing personal data of vulnerable people
Given that children should always be considered as being vulnerable people, and that any proposed cloud system or process would be new to the school, it is clear that schools should be doing their due diligence and conducting a DPIA prior to implementing new technology which will be processing pupil data. The rise of cyber risks including ransomware attacks and data thefts also means that schools should be paying particular attention to these risks.
Annette Henry provides Data Protection Officer support to schools in the South West on behalf of Devon County Council. Annette says, “The benefits of conducting a DPIA and engaging your school’s DPO for advice and support from the outset will help with early identification of any potential problems. The DPIA process helps to identify and reduce privacy risks to safeguard personal data, reducing the potential for damage or distress as well as reducing the risks of reputational damage to a school in the event of a data breach. Some providers make the DPIA process a challenge, but Speech Link Multimedia Ltd knew exactly what information I was looking for when I approached them. This enabled me to provide the school with the assurances needed”.
Speech Link Multimedia Ltd is committed to helping our schools with their obligations around DPIAs. Our DPO, Paul Strout, says “we regularly receive questions from schools when they are looking at deploying our assessment products and we are very transparent about the processing involved with our products. As a processor acting under the instruction of the school, we ensure that our contractual terms include the protections a school should expect to see under UK GDPR, and we provide privacy information in plain language which describes what data will be processed on the school’s behalf and how we will do it. Any school is also welcome, indeed encouraged, to talk to us about any specific questions they might have”. He says that common questions include:
- Do we have a Data Processing Agreement? (Yes, we do – within our published terms)
- Do we transfer data out of the UK? (No, all processing is within the UK)
- Do we encrypt data? (Yes, we do – both when it is being moved between the school and us, and also when it is being stored by us)
- Do we use any non-UK suppliers to process data? (No, we don’t)
- What security certifications do we have? (We hold Cyber Essentials Plus, and our UK hosting provider is certified to ISO 27001)
Paul also says, “Where an application is designed to be used directly by the pupils then it will also need to comply with the Age-Appropriate Design Code. Our products aren’t specifically designed to be used in this way; however, we have assessed them against the code and can reassure schools that our products do comply”.
“GDPR Assist provides data protection support and outsourced DPO services to commercial organisations and charities.”
When schools within Devon were recently implementing our products, Annette Henry contacted us as part of their DPIA process.
“I was impressed with the enthusiasm Speech Link Multimedia Ltd showed for engaging in this process and the way they were able to transparently describe the processing involved. They clearly understand the importance of schools conducting a DPIA and really did help us meet our obligations.”
We’re proud of the work we have done to demonstrate to schools that we are deserving of their trust. There is a huge variety of vendors and technologies out there and schools should not presume that all are safe for use. Instead, schools should engage their DPO and do their due diligence, conducting a DPIA and ensuring that they are appropriately safeguarding children’s data.
For simple, clear GDPR help and advice get in touch with Paul at: gdprassist.co.uk