With the rush to implement video platforms that profess to offer safe and secure remote learning, we have compiled a list of frequently asked questions that we've received from schools worldwide, to help guide your decision making and governance.
Will we need a lawful basis to carry out remote learning or video conferencing?
Yes, you will need a lawful basis to use personal data for this purpose, but your organisation will likely already have a lawful basis as it will have a contractual obligation to provide education and care for its students. Remote learning is likely to help you fulfil this contractual obligation as it facilitates the continuity of education and care. Therefore, we consider that remote learning would be necessary for the performance of the parental contract. This means that you can dispense with the need for consent and apply a uniform practice for online learning across your organisation.
The video conferencing platform we are considering says we need to obtain consent for students under 13 years old. What does this mean?
There are a number of platforms, particularly in the US, that are not permitted to offer their services to children under the age of 13 without parental consent. This is due to their local law. Whilst this law may not apply to your organisation, you will still need to be content that you can process the personal data of these children lawfully (for example, because it is necessary to process the personal data for the performance of the parental contract, see above).
Does my organisation need to update its Privacy Notice?
It would be beneficial to make sure your organisation’s Privacy Notices stay up to date to cover the use of any virtual learning platform. We recommend that you also advise parents of the controls you are implementing via school policies to protect personal data, and bring any updated policies to the attention of the teachers who are signing up to use any new online facilities. These actions will help make it clear that your organisation is taking appropriate organisational measures to control the use of personal data on these sites.
Can I use my personal account to set up virtual meetings or video calls?
It is important that school email accounts are used to register for online facilities, as the school still needs to be regarded as the Data Controller of any personal data. Wherever possible, teachers should access virtual meetings and video calls via school-owned devices, particularly if meetings are to be recorded, as the recordings may be saved on the device itself.
I can’t find much privacy information about the learning platform. Can I still use the provider?
You need to dig deep to find information about some companies offering online services. Where limited information is available, try to establish what personal data is being collected by the provider and how it is being used. To evidence your research, complete our Data Processing Assessment, recording the information you find about a particular provider and identifying the risks associated with their use. This may help you make a decision about whether those risks are acceptable to your organisation.
How will I keep track of the assessments I’ve completed?
The Data Processor Assessment contains a Directory of the processors you have assessed so it serves as a useful tracker for all your completed assessments.
Do I need to carry out a Data Protection Impact Assessment (DPIA)?
This will depend on several factors, including the type of personal data being used and the volume of data involved. It is unlikely that you will need a DPIA if your data processor is only using basic personal information for registration and logging in, such as name and school email address, but you might find it helpful to complete the screening section of the DPIA to make sure.
How can I keep track of any new processes we have implemented to support the COVID-19 situation?
We would recommend that you keep a record of any specific COVID-19 processing activities in your record of processing/data mapping so that, when everything returns to normal, you can review these and stop any unnecessary personal data being processed. This is important if you have used new processors or altered or adapted any current processing to enable remote working to cover the period of any school closures as a result of the virus (e.g. amended user privileges or shared access with parties that wouldn’t, in usual circumstances, receive this access level).
Will I need to check our retention periods?
As the expected length of time for business closures is currently unknown, you may wish to consider extending some retention periods so that you can still access any key documents that may be subject to a challenge when businesses reopen.
You can also use your COVID-19 record of processing/data map as a record of the retention period. Remember that you can’t keep data indefinitely, so you will need to make some practical decisions about the length of time you keep data for and record those decisions (and the justifications behind them) for future reference.
Can I record virtual learning and meetings?
We understand that the majority of online platforms have a facility to record meetings, and we recommend that you give careful consideration to whether this is appropriate for your organisation. You need to consider whether your organisation would record such meetings if they were not being held remotely and what the purpose of this recording might be. You should also consider where the recordings are being stored, who has access to them, how they will be kept secure and how long they will be retained for.
ABOUT THE AUTHOR:
Judith Downing, Senior Data Protection Consultant, has almost 20 years of experience working in the field of data protection, has a BCS Practitioner Certificate in Data Protection and is also a certified GDPR practitioner. She currently advises schools in the UK, Europe and internationally on all aspects of data protection compliance, either through our service desk or on-site audits.