In the current climate, it is important that schools do not use data protection regulations to discourage remote working or data sharing data, but instead, sensibly evaluate the impact of these processing activities, taking into account the risks to the school, staff, pupils and parents of pupils.
9ine have created some simple steps to help you identify the risks and mitigating actions of remote working and data sharing. We would recommend that you consider these in conjunction with any guidance you have received from your Government/Public Health and Education Authority.
Record of Processing (Data Mapping)
- Create a unique COVID-19 record of processing. This will act as a single source of reference to show what personal data is being processed in response to the threat of COVID-19 and how it is being processed. When these measures are no longer required you can easily see which processing is no longer required and take any appropriate action.
- Within your Record of Processing, you should ensure you detail:-
- The type of personal data being processed,
- The lawful basis for processing,
- The platforms you will be using to work remotely, and
- The personnel/parties who will have access to data and how that access will be affected
- Consider undertaking a Data Protection Impact Assessment to assess the risk of any high-risk processing to the school.
Technical and Organisational Measures
- Check the applications you are considering using, or those that are already in use, have appropriate security measures in place (e.g. encryption, 2FA) and put this information in the Record of Processing. Consider:-
- Where and how will data be stored? E.g. secure school network
- Who has access?
- Who can view the application? E.g. is it just the teacher or is it the year group? Can you restrict access?
- Are there backups in place?
- Consider undertaking a controller to processor assessment for any supplier contracts.
9ine are supporting schools around the world in the eventuality that they're required to provide school services remotely as a result of COVID-19. Download the Remote Learning Readiness Worksheet now.
Being Open and Transparent
- Consider your Privacy Notices which inform your staff, pupils and parents about how their personal data will be processed during the threat of COVID-19.
- Make sure it is clear and easy to understand
- Let them know the security measures you have taken to protect their personal data.
Evidencing Your School's Accountability
- Make sure you evidence all your decision-making processes involving personal data so that you can demonstrate compliance with the data protection principles.
We hope that this, together with our previous blog on Remote Learning Readiness, will help you to continue to educate and work with students and staff whilst keeping their personal data safe and secure.
ABOUT THE AUTHOR:
Judith Downing, Senior Data Protection Consultant, has almost 20 years of experience working in the field of data protection and has a BCS Practitioner Certificate in Data Protection and is also a certified GDPR practitioner. She currently advises schools in the UK, Europe and internationally on all aspects of data protection compliance either through our service desk or on-site audits.