Over the last 12 months, schools have had to act fast to respond to the need to provide more technological solutions to facilitate working and learning, both in the classroom and for those who were at home. This has led to a large increase in the use of educational apps, platforms and other products to facilitate this newer way of working.
There is a plethora of useful products available to help schools communicate with students, parents and staff in a more efficient and easier way, whether it’s through email messaging systems, online classrooms and even setting up and delivering parents’ evening meetings! There are also lots of great interactive online learning resources available to help students learn in more fun, interesting and informative ways.
The continued use of these products is to be encouraged; however, schools do need to ensure they carry out the appropriate checks on the companies and their products before they sign up, or the school may be in breach of its obligations under the data protection legislation (UK GDPR and the Data Protection Act 2018).
Before the school sends student or employee data to a company or supplier whose products or services they want to use, the GDPR requires that the school satisfies itself that the company can provide sufficient ‘technical’ and ‘organisational’ measures to comply with the GDPR, e.g. by ensuring the school’s data is kept secure and people’s rights can be upheld.
This means the school needs to carry out checks with the company and seek confirmation of how they will achieve this. This is sometimes called carrying out ‘due diligence’ checks. The school is required to keep a record of these checks and the decision making, so that it can demonstrate to the Information Commissioner that it has taken reasonable steps to protect its data.
If there are potentially high risks associated with using a particular product or carrying out a certain activity using personal data (e.g. where a data breach could result in risks to the physical health or safety of individuals), then the school must also carry out a ‘Data Protection Impact Assessment’ (DPIA). This is when the school identifies, analyses, documents and takes steps to minimise any data protection risks associated with the activity.
Schools should therefore consider carrying out a DPIA where confidential or sensitive information about students or employees will be collected and stored in a new platform or app, such as SEND data, health data or safeguarding information.
Other types of personal data may also be considered high risk if compromised as a result of a data breach, such as support being received from family intervention services, Child in Care or Adoption status, and even full names and addresses combined with other important data such as National Insurance numbers or passport numbers.
As well as carrying out due diligence checks and DPIAs, the GDPR requires that when the school uses a supplier to process personal data on its behalf (a data processor), there must be a written contract in place which contains the specific clauses set out in the GDPR. There are additional rules to follow and specific contracts to have in place if the supplier will be storing the school’s data outside the UK and EU.