Ensuring Data Protection in Remote Education
Schools must consider data protection when implementing remote learning plans. This involves choosing the right platforms, handling data securely, and conducting Data Protection Impact Assessments (DPIAs) to mitigate risks. A DPIA helps in assessing necessity, risks, and supporting individuals' rights in data processing activities.
Download Presentation
Please find below an Image/Link to download the presentation.
The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. Download presentation by click this link. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.
E N D
Presentation Transcript
Data Protection and Remote Education
Data Protection and Remote Learning What should schools consider? Schools have an obligation to have a contingency plan for the continuity of education. Data Protection will probably not be your main priority right now however, it is important to ensure that you are considering your obligations under data protection laws as a data controller, Schools are responsible for what happens to the data you hold, process and share. What do you need to consider when implementing your plans for remote learning?
Data Protection Considerations What platform are you going to use? Will there be more than one? Is this new to the school or are you utilising what you already have in place? Once you have established what platform you are going to use, check for GDPR compliance. Make sure you seek advice from your DPO. What data will you need to share in order for this platform to work? you should only share the data that is necessary. What is your lawful basis for processing? Will you need consent from parents?(not likely from a GDPR perspective but it may be required for safeguarding purposes) What are the risks? Are we sharing data in a secure way? What could go wrong?
Data Protection Impact Assessments (DPIAs) All of the answers to the questions raised on the previous slide can be captured in your DPIA. What is a DPIA? A DPIA is type of risk assessment. There is certain types of processing where a DPIA is required by law. You should also ensure you screen for a DPIA for all of your data processing activities. It is highly likely that a DPIA would be required for the provision of remote education. Potentially engaging with a new third party processor Vulnerable data subjects (children) Processing data in a new way for a new purpose Using new technologies Engaging with children online
How to carry out a DPIA Aims The aims of a DPIA include; Assessment of the necessity and proportionality of the processing. Assessment of the associated risks to the data processing, are there any risks to the rights and freedoms of individuals? How will you support individuals rights (right to object, right to restrict, rights of access etc.) What are the mitigating measures that will reduce the risks? Do you need to implement anything to mitigate the risk further? It sounds complicated and we empathise that this process can appear to be overwhelming.
How do we complete your assessment? Your purpose is clear; you have an obligation to ensure the continuity of education in the even children cannot attend school due to Covid-19. To implement this, schools will be required to share data with their chosen learning platform. However, you need to ask, is this a proportionate way to achieve the purpose? Purpose Describe the processing in detail. Detail Will you be able to support individuals rights? e.g. if you are recording live lessons, how will you manage any subject access request for a copy of the recording? have you considered how you will inform individuals to ensure you are supporting the right to be informed? what will you do if you receive an objection? Risks How will you share the data? will this be shared manually or will the processor require access to your MIS? what data will they have access to? and is this justified? What are the potential data breaches? e.g. loss of data or data used outside the scope for which it is intended. What would the consequences be if a data breach occurred? Will the third party use a sub processor? How can you mitigate those risks? What security measures are in place? Does the overall purpose outweigh any identified risk to the individuals?
Support.. Most of the DPIA will have been covered in the considerations carried out when designing your contingency plan. Seek the advice of your IT support record the assurances you have regarding secure systems within the DPIA. Seek advice from your DPO what assurances do you have to demonstrate the GDPR compliance of your chosen platform? Are the school complying with their data protection obligations? Consult your safeguarding lead Data protection and safeguarding often go hand in hand. The overall aim is to ensure staff and pupils, and their data, are kept safe.
