Football and learning

The World cup has started and I am sure classrooms all over the world will be seeing football related themes, examples, etc. in use as teachers seek to engage students and contextualise learning.    As I sat watching the Spain vs. Portugal game I identified one particular opportunity where football could be used to share an important piece of learning.

It was the 88th minute when Ronaldo stepped up and stuck his free kick round the wall and into the top right corner of the goal.   The Independent described the goal as “sublime”.    I suspect throughout the tournament, and beyond, we will repeatedly see re-runs of the television footage of this goal.

The learning point for me lies in a fact which the commentator shared after the initial shock and awe which immediately followed the goal.    This attempt, this free kick in the world cup, a major tournament, was Ronaldo’s 45th attempt to score from a free kick in a major tournament.   Ronaldo had attempted and failed to score on 44 occasions.

I take two things away from this.

1) Never give up.    Ronaldo had made attempt after attempt and failed to score yet with 2 minutes left in the game which Portugal were losing, he still decided to try a difficult shot despite 44 failed attempts.   He could have gone with easier options such as crossing the ball.   He could have considered the likelihood of success having failed 44 times and judged a direct attempt on goal too risky or too unlikely to success however instead he went with the attempt and saw his 45th attempt sail into the net.

2) Beware of your memory.    We will remember the quality of this goal for time to come.  We will hail Ronaldo as one of the best players in the world if not the best but do we remember the 44 failed attempts?   I doubt it.   This is simply the availability bias at work, in that the goal was recent plus it had a positive outcome, hence it comes easier to mind than the 44 failed attempts.    Students need to be aware of this bias.    One test result or one piece of feedback, whether positive or negative, is not a measure of our ability, knowledge or skill, despite the fact it will come easily to memory.   We need to take care and avoid such strong memories influencing decision making or our perceptions of ourselves and our abilities.

I am sure the World Cup will continue to serve up opportunities for learning as well as providing entertainment.   For now I will get back to watching the Croatia vs. Servia game.

 

References:

FourFourTwo.com, June 2018,  Ronaldo finally scores major tournament set-piece at 45th attempt, https://www.fourfourtwo.com/news/ronaldo-finally-scores-major-tournament-set-piece-45th-attempt#z5avX1ERoRL6kFMc.99

Luke Brown, Independent, June 2018, Cristiano Ronaldo World Cup 2018 hat-trick goal: Portugal star makes history with stunning free kick against Spain, https://www.independent.co.uk/sport/football/world-cup/cristiano-ronaldo-goal-free-kick-hat-trick-video-watch-portugal-vs-spain-world-cup-2018-a8401436.html

Image link: http://www.goal.com/en/news/ronaldo-finally-has-a-world-cup-performance-to-sit-alongside-his-/qvhs25c6727q1qzz72mib4b4t

 

 

Thoughts from the Bryanston Education Summit

I attended the 2nd Bryanston Education Summit during the week just past, on 6th June.   I had gone to in the inaugural event last year and I must admit to having found both years to be interesting and useful.   The weather both years has been glorious which also helps to add to the event and the beautiful surroundings of the school.   Here’s hoping Bryanston keep it up, and run another event next year.

During the day I attended a number of different presentations on different topics so I thought I would share some of my thoughts from these sessions.

The first presentation of the day was from Daisy Christodoulou who was discussing assessment.    She drew a really useful analogy in comparing preparing students for their exams with preparing to run a marathon.    It isn’t something where you can jump straight into a marathon distance on day 1 of training.  You need to slowly build up your preparations, focusing on developing certain skills and approaches.   You need to have a plan and then work to this plan, although amending it as needed as you progress, should injury arise or due to weather conditions, etc.    I found myself wondering about how often we actually spend with our students in discussing this plan, the proposed goal of the subject or year and how we will all, teachers, students, support staff and others, work towards those goals.

Daisy also spent some time discussing summative versus formative assessment suggesting that the use of grades should be kept to a minimum of only once or twice per year.   My first reaction to this was concern as it seemed to disregard the potential benefits of spaced retrieval testing which ultimately would result in a score representing the number of correct answers.   Following further thought my conclusion was that spaced retrieval is very focussed on knowledge plus just indicates where an answer is right or wrong as opposed to grading which is more a judgement of students ability.   As such it may be possible to reduce overall summative assessment grading while still making regular use of testing of student knowledge.   I think this also highlights the fact that assessment and testing are actually different things even although they are often generally used as two interchangeable terms referring to the same thing.

Mary Myatt was the second presenter who discussed how we might make learning high challenge but low threat.    As she discussed Sudoku I couldn’t help but draw parallels with computer gaming.  In both case we engage, of our own free will, in a form of testing.   In both cases the key is the low threat nature of the testing.    For me the question is therefore how do we make classroom learning and assessment low threat.    Mary suggested a path towards this in discussing with students our expectations such as setting reading outside their current ability level, which is therefore challenging, but telling them this and then promising to work through it with them in future lessons.   I think this links to building an appropriate classroom culture and climate such that students feel able to share the difficulties they face and work through them with the class.  It is very much about developing an open culture and positive or warm climate in which mistakes and difficulties are not seen as something to be feared or embarrassed by, but to be embraced, shared and worked through together.   Another thing I took away from Marys session was a list of books to read;  My bookshelf will be added to with some of her recommended books shortly.

The third of the sessions which I found most useful was the session by Andy Buck.    He discussed leadership drawing a number of concepts from the book Thinking Fast and Slow by Daniel Kahneman, a book which is one of my favourites.     I particularly enjoyed the practical demonstrations where he evidenced how we all show bias in our decision making.  This is a fact of being human and the way the brain works, we bring to decision making processes assumptions and viewpoints based on previous experiences, upbringing, etc.   He also, linked to this, demonstrated anchoring, managing to influence a whole room of educational professionals to get a question in relation to the number of Year 11 students in the UK wrong.   Statistics suggest that a percentage of the audience should have got this question correct based on a normal distribution of responses however using anchoring Andy influenced the audience away from the correct answer.   I have since used a very similar approach in a lesson with Lower 6 students to show how easily I can influence their answer and to suggest that Google, Amazon, Facebook, etc. with their huge amounts of data on individuals may therefore be able to influence individuals to a far greater extent.

There was also a presentation on VR in education which has opened my mind up a little to the possible applications of VR.   This might therefore be something we experiment with at school in the year ahead.

Microsoft’s Ian Fordham presented on the various things Microsoft are currently working on.   I continue to find the areas Microsoft are looking at such as using AI to help individuals with accessibility and in addressing SEN to be very interesting indeed.   I also was very interested by his mention of PowerBI as I see significant opportunities in using PowerBI within schools to build dashboards of data which are easy to interrogate and explore.    This removes the need for complex spreadsheets of data allowing teachers and school leaders to do more with the data available however with less effort or time required.    I believe this hits two key needs in relation to the data use in schools, being the need to do more with the vast amounts of data held with schools however the need to do it in a more efficient way such that teachers workload in relation to data can be reduced.

I also say a presentation by Crispin Weston on data use in school.    His suggestion that we need to use technology more to allow us to more easily analyse and use data is one I very much agree with.   This partly got me thinking about the Insights functionality in PowerBI as a possible way to make progress in this area.   He also talked about causation and correlation suggesting his belief that there is a link between the two and that the traditional call that “correlation is not causation” is in fact incorrect.   At first I was sceptical as to this however the key here lies in the type of data.    Where the data is simple and results in a simple linear trend line the resulting reliability of an argument that correlation equal causation is likely to be very low.   The world is seldom simple enough to present us with linear trends.    If, however the data over a period of time varies significantly and randomly and the second data element follows this however the reliability that correlation equals causation is likely to be significantly higher.     I think the main message I took away from Crispins session was to take data and findings with a pinch of salt and to ensure that context is taken into account.  If it looks simple and clear then there is something which hasn’t been considered.

Overall the day was a very useful one and the above is a summary of just some of the things I took away.   I must admit to taking 5 or 6 pages of tightly written notes, hastily scribbled on an iPad during the course of the day.

I hope that Bryanston decide to repeat the conference next year and is the quality of presenters and their sessions continues, that it becomes a reliable yearly event.   Here’s hoping the trend of good weather also continues should they decide to run the summit again next year.

 

 

 

GDPR for schools

GDPR is now in effect.   As such I thought I would share some thoughts and advice on how schools might tackle some common issues which might arise.

 

USBs

The issue with USB, or other removal storage device, use in schools is that they are easily lost or stolen, plus even when data is deleted it may be possible to recover it.    In a time now passed, USBs were a near essential piece of kit in allowing sharing of data, lesson materials, etc, however now we have Office 365 and the G-Suite for education there is no need.    Using OneDrive or GoogleDrive users can now easily share files all within the confines of the schools IT systems and control.  As such my prevailing advice would be to include reference to avoiding USBs use for personal data in your Acceptable Usage Policy and in awareness or cyber security training.  I stop short of preventing USB use simply because some resources are still provided on USBs and they are still so very common.    They also continue to be useful for sharing images or video footage or for other large files.

Personal devices

Before discussing personal devices of staff I think we need to be clear on what constitutes using a personal device for school purposes.   As far as I am concerned, simply setting up email on your phone constitutes its use for school purposes as it will store your emails and any included school data.    Some, at this point, would suggest personal devices should be banned however I think this is a little heavy handed.   The benefits of staff having their email on their phone are huge.   Banning personal devices also totally removes the potential benefits associated with a BYOD (Bring Your Own Device) environment including the personalisation benefits which arise where the device belongs to the user and therefore is set up by them to meet their needs and preferences.    My approach again, like with USBs, is to ensure coverage of personal device use is included in the schools Acceptable Usage Policy plus ensure it is also covered in any training provided to staff.     I would also make sure the appropriate policies indicate a need to ensure personal devices have appropriate security such as device encryption plus passcodes, passwords or biometrics enabled.    There should also be a requirement for staff to report a lost or stolen personal device where it was setup or used to access school data or systems.

Photography

I have discussed photography before; you have read the post here.    It continues to be a concern.   The issue for me is that we all now carry a camera with us in our smart phones so it is easy for us to capture images for sharing via social media, email, etc.    There are lots of benefits in this, particularly the potential to capture impromptu photos which can be used in teaching and learning.    Schools need to provide some guidance on what is acceptable around the taking of and using of photographs.  This could be contained in the acceptable Use Policy or in a separate Photography policy.    Where staff use their own phones for taking photos this should be covered by the use of Personal device in the AUP as mentioned above.

Third Party sites

This is most likely the biggest area of concern as far as I see it.   Schools must know where they are sharing data so a process must exist to ensure that any sharing of student data is logged.   Schools must also ensure that the sites to which data is shared are secure.    Generally this will take the form of a review of the sites privacy or data protection policies to ensure key points in relation to security and sharing of data are covered.    Thankfully in most cases the sharing of data will be limited to a pupil’s school email address and name for the purposes of providing them an account to login to a particular service.   As such the risk associated with a breach is low and therefore a simple check of the services policies should suffice.    Records of these checks should be retained.    Where more data is being shared, such as date of birth, age, SEN info, etc, more questions should be asked of a service including if they carry out penetration testing and/or external auditing around their security, what their breach notification policy is, etc.

There a couple of third parties which all schools are likely to have to share with such as examination boards, local authorities or councils, social services, etc.     For these I think consideration should be given as to how data is shared making sure student details are not emailed unencrypted to such bodies.    Where possible an online portal provided by the body should be used and where this doesn’t exist an encrypted email service such as Egress might be considered.    I think schools should also review the data protection policies or privacy notices of these bodies, as they would do for third party websites using in lessons, just to show that they have done some due diligence.

Risk Assessment

I think a very important activity for a school to undertake is a risk assessment.   This should indicate the risks that are perceived and also any mitigation which has been taken, or may be taken in future.    Having a risk assessment in place, which is regularly reviewed and updated, can go some way to show that the schools is aware of risks in relation to IT and school data and is actively seeking to minimize risk where it exists.   This helps to prove “privacy by design”.

Conclusion

There is now single blueprint for being GDPR compliant.  It depends very much on the school and its processes.   The key for schools is to able to show that every reasonable measure is being taken and that decisions around risk associated with data processing or sharing are carefully thought through with evidence retained of the decision making process.

GDPR should not be a panic activity to try and get things “right”.   GDPR is an ongoing process showing a focus on data privacy and security at the heart of a schools operation.    All schools need to show not just how they “have” complied with GDPR but how they will continue to ensure GDPR compliance and treat the data of their students and other stakeholders with the utmost care.

 

May reflections

It has been a few months since I last wrote a reflections post.   As such I thought it was about time I once again put things in writing for review by my future self.   In reviewing how things are going, I am going to make use of the titles from my pledges post to structure my thoughts.

Family Memories

It is apt that I write this reflection this week now the weather has been nice although I note that the current bank holiday weekend sees the predictable rain.   Last weekend, when it wasn’t raining, I spent time with the youngest playing football at the local football park.   A nice way to spend the day however am not as happy with the sunburn I ended up with.

Going forward we have also decided to book a family holiday.   It has been a number of years since we last did a family holiday so it is about time.  I am already looking forward to it as surely this will generate a whole range of family memories.

Professional Development (PD)

I think professional development is something which I am progressing well with.   On the IT side of things in particular this is driven by my CISSP and CISA certifications which both require a yearly amount of CPE (continual professional education) hours.   As such I am having to make sure that I get involved in some PD each month in order to meet the annual target and maintain the 2 certifications.

I have now decided to undertake a third certification in the ISACA’s Certified in Risk and Information Systems Control certification.   After some indecision I finally decided to move forward with this certification given my view that GDPR is best addressed through a risk based approach.   As such a certification which focussed on risk management seems like a logical choice.

I also continue to experiment and try new things including further developing my PowerBI skills, playing with a new MS Surface device on loan from Microsoft and also trying out new apps such as Microsoft Whiteboard.

Fitness

For those who may have read some of my past posts a need to work on fitness has been a long standing item; A long standing item but with very meagre, if any progress.   In the last couple of weeks I may have finally made some progress.    Basically I have started with getting up earlier on most mornings, and going for a 30min brisk walk.    The picture is from one such walk.   This is on top of my walk across campus each morning.  Looking at the data from my Fitbit device this change has meant that my average distance walked per day is steadily increasing as is my calories burned.    I have so far managed this for only three weeks so my challenge going forward is to turn the progress made into a sustained habit.    I suspect my next reflection blog will be telling as to my success or failure in this area.

Reading

I continue to be ahead of my book per month target for the year.   My hope is that the summer weather will make this something I can make significant progress in however I do note that my bookshelf is now lacking in books yet to read, so I will need to restock it at some point in the month ahead.

Journaling

I have made a reasonable habit of journaling now such that I am writing a weekly log of my thoughts and also the events of the week.    The habit is still relatively new so in some weeks I write on a Friday, on others a Saturday and occasionally on a Monday.    I need to ensure I keep journaling and I suspect I would benefit from being able to be consistent with when I do my journaling.

Work

The one thing I will say is that time seems to be rushing by.   We are now in the final term of the year and it feels like it has come around in a flash.   I feel things have been going well however it may be worth reflecting at the end of the academic year as to what has or has not been achieved.

May has seen a few tasks where I have had to overcome difficulties or obstacles.   This has been very frustrating at times however perseverance has brought about progress albeit slower than I would have liked.    The key thing I note is that the obstacles and frustrations come quickly to mind.  I need to take care that these predominant memories do not distort my perception of events.   There were some key wins and progress was made; this is the key factor.

I recently, also, conducted a little leadership survey.   I originally conducted a survey two years ago, after being in post for around 6 months.   It has been interesting to compare the results from them with now, 2 years further on.   The results show a slight positive improvement which is good however more important is the identification of a couple of areas to examine to try and bring about improvement.

As I reach half term I feel I have a large number of tasks which need to be addressed over the half term.  This has left me feeling a little overwhelmed at times.   I think the last week of May, the half term break, will be an opportunity to stop and reflect and re-establish which tasks truly are important and need to be prioritised as well as those tasks which either need to be delegated on simply not undertaken.

Conclusion

May has come and gone quickly as seems to be the way of things for a while now.   I feel I continue to make progress and after much procrastination, I am particularly pleased with my progress on personal fitness.   I feel that as I move towards the end of the 2017/18 academic year I need to re-establish that which is truly important particularly in my work, focusing on these areas.   I wonder if the reason that time seems to be passing so quickly is simply due to not prioritising.   May has seen some frustrations, some difficulties but ultimately seen positive progress.

Onwards and upwards……….

Am I checking my phone too often?

A couple of weeks ago I installed an app called Checky on both my Android tablet and my Android phone.   The reason for installing the app was to try to get a handle on how often I checked my devices during the day.   I had a sense that I was possibly checking my devices too often and that as a result I was less focused than I could be, however I was also conscious of the fact that this might be simply an incorrect perception without grounding in reality.   The only way to determine whether my sense of over checking my devices was true was to gather some quantitative data and this is where Checky comes in.    The app is simple – It just logs the number of times you access your device, reporting this daily.

The results;  Well over the last couple of weeks the combined totals from the apps across both the mobile devices I use, a phone and a tablet, suggest I access my mobile devices on average 34 times a day.    This represents checking my devices almost every 28 minutes if we assume 8 hours of sleep per day and therefore only 16 possible hours each day when I could access my device.

Taken in the context of the piece in the Independent (Barr, S. 2017) in relation to the average Brit who  accesses their devices 28 times per day, my personal access over the last couple of weeks of 34 times seems a little high.    It is certainly nothing compared to some teens who apparently check social media 100 times per day (Wallace, K, CNN, 2015).   That said, I cannot see why I should need to be accessing my devices every 28 minutes.

On reflection I must acknowledge that I have slightly different apps sets across both devices.   This may lead me to check both devices at the same time which could be doubling up my statistics.    This is something I may need to look at, either having the same apps on both devices, or having clears sets of apps on each devices, thereby avoiding the need to check each device separately throughout the day.  This may reduce the time taken when I have the urge to check my various apps, as I would only need to check a single device.   I also note that recently I have taken to exercising in the morning which involves using my phone for music as I run, making changes to my music as I go and also reviewing my distance traveled, etc, which all require me to access my phone.   Another factor is I use a tablet device in meetings and in my general work day which again would show up in my access statistics.

I have also put the data into Excel and looked at my usage by day.   It turns out my greatest usage is on a Sunday, then on a Friday and Saturday respectively.    For me this is a little concerning as shouldn’t I be focusing on enjoying the weekend as opposed to checking my devices on a Saturday or Sunday.   I quite often engage in twitter chats on both Saturday and Sunday which may account for some of the statistics.  The question is: Is this the best use of my weekend?

I think the key thing I draw from the activity of gathering some data on my access habits is one simply of conscious awareness.  All too often people are using their devices but not conscious of the frequency or time spent.   They are not conscious of the impact it may be having within their lives.   They do not see how much of their day is spent on social media consumption.    We easily succumb to social media and our mobile devices stealing away valuable time which could be better spent on other activities.    I at least had a feeling that something was wrong and have now gathered data which I can now use to decide on actions and then measure the success of any actions I may take.

Maybe this is something we should all be doing with students in our classrooms?   Ask them to install Checky for a period of time and record their device usage, followed by reviewing it after a couple of weeks as a class activity.   I am sure this would make for some very interesting discussions.

 

 

Distracted by Mobile Devices

I have noticed a self-perception over the last week or so that I have tended towards becoming distracted by my need to check my various devices for messages, tweets, updates, etc.   Now it may be that my perception of the issue is tainted.    Due to a busy workload at the moment I have taken to keeping lists of tasks to be undertaken and, as is the way, as soon as I score one task off, I add three more on.   This means that my perception of progress may be that I am not making any headway which may lead me to under appreciate what I have achieved.   This under appreciation may be making me feel that I am wasting time when I am checking my devices, thus leading to over accounting for the amount of time I am using up in this checking.

Another alternative is that in my growing frustration at my inability to reduce the list of tasks in front of me I am seeking solace in checking my updates for that brief moment of pleasure associated with a new message or new update.   In this case my perception of distraction may actually be true.

Yet another possible interpretation is that my perception is correct and I am actually suffering from distraction brought about by my mobile devices.  Maybe I am checking my devices repeatedly during the day and as a result interrupting activities that I might otherwise focus on and complete.

To help answer the question I have downloaded an app, “Checky” to my mobile devices to provide me with some quantitative data to compare with and either confirm or refute my perception.   The app basically keeps a log and reports on my daily device usage.   I will share further in a few weeks’ time once I have sufficient data to at least draw some initial conclusions.

In the meantime, do you give thought to your personal use of Tech, to how long you use it for, to the frequency you check your devices or to what you use it for?     How do you confirm or validate your perceptions?

PowerBI and School Data

Ever since I started playing around with PowerBI I have found it to be very useful indeed and I must admit that I am most likely only scratching the surface.

I came to experiment with PowerBI to try and address some issues I see with data management.    School data is often presented in colour coded spreadsheets showing student performance against baselines for example.   Different sheets are used to present different views on the data such as showing the performance by subject, by gender or the performance of students by SEN status or by EAL status.   Each additional view on the data, of which there are very many, presents us with another sheet of data.  The data is often presented as flat tables of figures however in some cases may involve pages upon pages of different graphs and charts each showing different views on the available of data.   The logic here being that each additional view on the data gives us more data that we can interpret and therefore a greater opportunity to draw insightful conclusions and from there develop actions.   I believe the reality is the reverse of this.

My belief is that teachers and heads of department don’t have a lot of time to analyse and interpret data, and therefore presenting them with so much data is counterproductive.  Having so many different views on the data presented at once also is difficult to process and to understand.   This in turn leads to either ignoring the data altogether or to giving it only a very cursory glance.   For those that love data it may lead to excessive amounts of time spent poring of the data, to data overload, where time spent planning actions, as opposed to analysing data, would be more productive.    As such I subscribe to the belief that “less is more”.

This is where PowerBI comes in.    PowerBI allows me to take my mountains of spreadsheet data and present it in a very easy to digest graphical format where each of these graphs and charts are interactive.    In PowerBI rather than one sheet by subject and another sheet for gender based data, you have just one set of graphs and charts.   You would just click on a gender or select a gender and all the graphs will change to show the results for that gender.   You might then click an SEN status to see how students who are male with SEN needs are doing compared to students on average.    This means we can combine all our different views which are normally represented by different sheets on a spreadsheet into a single set of graphs and charts.   The user then accesses the various views of the data by clicking on and through these graphs and charts.

The benefit of PowerBI is the ability to dynamically manipulate and explore the data by clicking through various graphs and filters.   You develop an almost tangible feeling for the data as you explore through it.   This is something that flat spreadsheets, even if graphs are included, lack.   Also, as you have less to look at, in one set of graphs rather than pages and pages of them, you have more time to explore and engage with the data.

The one current drawback to PowerBI is simply cost.   It is free to use as an individual both web based or via a desktop application, and you can share via sharing desktop app developed BI files however if you want to share via the web platform or if you wish to publish internally via SharePoint you will need a Pro license for each user.    Where you are sharing with a large number of users, even at educational pricing, this can become expensive.   Hopefully this is something Microsoft will be looking at and can resolve in the near future.

Schools continue to be sat on mountains of data.    PowerBI is a tool which allows us to present this data in a more user-friendly form which then allows it to be easily explored and manipulated, allowing more time to plan actions and bring about continuous improvement.  If you haven’t already done so I definitely recommend putting some of your school data in PowerBI and having a play with its capabilities.

GDPR and photos around school

Recently a member of staff popped in to discuss how she would like to share photos of a school sporting event with the various schools which were involved.   This got me thinking about GDPR and the implications for events and photography at such events.

Firstly, let’s consider the photos themselves.   They might show groups of students involved in a sport or gathered at the start or end.   They might also include spectators who attended the event including parents or visitors to the school.   My first piece of advice here is simply to ensure that it is clear to people that photography will be taking place and that such photos may be used by the school for various purposes including newsletters and other marketing or publicity materials plus that they may be shared with other organisations involved in the event such as other schools.    This notification can either be put on programmes or event marketing materials, or can be made clear at the event itself via posters or other displays.   I believe this should be sufficient as gathering specific consent from all in attendance would be impractical plus where consent is not provided, avoiding including individuals in action event photography would be very difficult indeed.    Taking a risk based view, given that no names are attributed to the photos, and therefore individuals are not clearly identifiable I see the risk of taking photos as events to be low.   As such I see the provision of notices of the intention to take and use photos as sufficient.

Once we start identifying individuals in photos, possibly by naming them, or given that the photo is of a small group of individuals who therefore are more identifiable, then I think we would need to look to have consent or some other basis for processing the data.    Schools usually have such a permission form or other method to gather permission from parents to use photos of children in their materials.  Key here is to ensure that a permission form makes clear the purposes for which photos might be used. E.g. marketing purposes, around school for display purposes, etc.

When the staff member popped in, the issue of event photography highlighted the inaccuracy of the frequently used term “GDPR Compliance”.    The term “compliance” to me conveys a sense of a binary outcome, either we comply or we don’t.    The issues in hand when looking at GDPR are not so clear.   Does compliance mean seeking permission from every individual in a photo, including members of the public?    I would think not.    As such I continue to believe in the need to take a measured risk based view on how we manage data and on our preparations for GDPR.   Where a risk exists, we need to decide whether we accept the risk.   If we do not we must seek to mitigate the risk through permission forms and notices in the case of school photography, to the point that we are then happy to accept, either this or we stop taking photos.

GDPR continues to result in confusion and contradictions of interpretation.   We seek the way, the one way, the best way to achieve compliance yet every school is different plus interpretations and attitude to risk vary.    For me the key is simply to consider your own environment, the risks and your schools appetite for risk, and to act from there.

 

 

GDPR: Third parties and training

As GDPR approaches I thought I would share some thoughts.   Now I must admit to not being a GDPR expect, instead the below represents my thoughts taken from the perspective of managing the prevailing risks around GDPR.

Two issues which currently occupy my thinking in relation to GDPR are managing the use of third parties which either supply software which is used in school or which provide a service where they store school data outside of the school.    Another issue which is currently at the front of my mind is the issue of awareness training and how we ensure staff are suitably informed and aware of GDPR, its implications and particularly what it means for them.

Third Party solutions

Schools may make use of third party software within the school, some of which is locally hosted and stored in the school and some are cloud hosted.

Locally hosted

Locally hosted solutions might include the school management system.    In these cases, we are relying on the third-party vendor ensuring that the software they have created has adequate security measures in place to protect any data held within it.    From a GDPR point of view schools need to show their efforts to comply and in this case, I would suggest the easiest way is to ask third party software vendors to provide details of how they have ensured the security of their product either through their policies or through independent reviews such as audits, vulnerability or penetrations testing.    Although the school is responsible for the security of the infrastructure on which the solution resides, it is the vendors responsibility to ensure the security of the platform itself, independent of where it is hosted.

Cloud hosted

Where cloud hosting is used we have the same issues as for local hosting, in that the vendor must have ensured the security of the platform, however we have the added issue of the vendor supplying the hosting and the infrastructure on which the platforms sits.  My first port of call in examining third parties is their policy documents looking specifically at any GDPR, Data protection, privacy, data privacy or information security policies they may have.    In the best cases this will address issues around security of data, sharing of data, deletion and retention of data.      In my experience, most vendors will quote the security compliance of their hosting service somewhere in their documentation or in response to questions on security.   This usually addresses physical security concerns in that the larger data centres must have tight security to comply with the relevant standards.   This still leaves a requirement to ask questions around business continuity and disaster recovery, in what processes the vendor has in place in the event of a serious incident.    It also leaves questions around ensuring the security of the network on which the service is hosted.   Like with local hosting we can address this by asking questions around any penetration testing or external auditing which has been conducted.

Breach, security incident or vulnerability notification processes are also an important thing to look for across both local and cloud hosted solutions.   If a service is handling student data it is important to know that they have a process in place for notifying service users if an incident occurs or if a vulnerability is identified plus that they have a clear timeline and method of notifying users.

Awareness Training

I think a key aspect of GDPR is making sure the overall school community is aware of the new legislation and what it means for them.   As such training is a key feature of preparations.    I know many companies and individuals are offering training ahead of the introduction of GDPR however I think it is important to establish the purpose of training.   If the purpose is simply compliance then an annual presentation to all staff will suffice as it will provide that all staff have received training.  The issue here is that staff in schools are very busy and therefore the content presented to them is unlikely to stick.   Equally an online resource in my opinion has the same limitation.   The staff will complete the materials however little will stick.    For me the key is a multi-honed approach using various delivery methods including whole school sessions, sessions where discussions and materials are disseminated to department level, broadcast communications such as email campaigns and online training materials.    An awareness of GDPR and more importantly an awareness of the risks associated with processing data needs to form part of the culture, “the way we do things around here”.

Conclusions

GDPR is now fast approaching and the above are just two issues out of a myriad of issues.   Not mentioned above are the implications around developing appropriate privacy notices, the issue of establishing data retention plans, dealing with subject access requests or requests for limitation of processing, handling requests to be forgotten, handling services where data is stored outside the EU and the issue of identifying the legitimate reason or justification for possessing.   The GDPR rules are complex to implement and my advice on this continues to be to take a risk based approach.   For me, currently, the two items above in third parties and awareness training, represent to of the big risks.

 

 

 

Balance…or not?

I have found myself discussing balance on a number of occasions.  Recently I mentioned it in reference to whether education should go through incremental improvement or a process of disruptive innovation.   In each case my reference to balance has been in highlighting some of the binary discussions which seem to arise on the Edu blog sphere and Twittersphere slightly more than they do in real life discussions.    Things are generally not binary in nature as the world is seldom that simple.    Balance therefore allows for an element of two opposing concepts or views with agreement to establish a point of agreement somewhere between the two opposite points.    Balance to me presents a continuum between two points, with the ability to select somewhere in between.    Up until recently I have been happy with this concept of balance.

The other day on the way home though I came to think about balance and I realised that my viewpoint maybe wasn’t as acceptable as I had thought it was.    The issue which came to me as I drove home was the fact that my view of balance puts two concepts at opposite ends.   For example, incremental improvement and disruptive innovation.    The two concepts are not opposites so why would they be at opposite ends of a continuum?    The reason I suspect is that in a discussion between two parties each will adopt a position, or end, and the negotiation that follows will either lead to an agreed disagreement or to a compromise or point in between.  As such from the point of view of a discussion between two people with differing viewpoints the model of a continuum and balance makes sense but maybe it doesn’t make sense as much when looking at the concepts themselves or their implementation.

In the case of incremental improvement and disruptive innovation, does more of one result in less of the other?     Maybe from the point of view of time available to undertake the process of change, it might be a case of more of one and less of the other.    Other than this could we not seek to be both incremental and disruptive?    If we were half way between incremental and disruptive what does this mean?   Does it mean spending half of our time being incremental and half of our time being disruptive and if so, how do we transition from one to the other?    Or if not related to time, what would being half way disruptive look like?     Can I be incremental but also also introduce a disruptive innovation, or could a disruptive innovation by incremental?   Are all increments necessarily equal and in which case is a disruptive innovation possible just a large incremental change?

I realise now that my use of balance hadn’t really advanced me away from the idea of binary concepts.   Having a continuum between two points isn’t that much better than having two points, especially where the concepts or points of view aren’t clearly opposites.    This all stems out of our looking for the “right” answer and as Ken Robinson said in his famous Changing Paradigms speech, “there can only be one and its at the back of the book”.   De Bono makes a similar observation in his book which is aptly titled “I’m right, you’re wrong”.    The reality is that we can actually all be right (or wrong come to think about it).    We could be iterative in our change however also be disruptively innovating as well.   There is no requirement to do one or the other, beyond the requirement which we imply in our discussions of differing viewpoints.   This extends for most binary discussions (or arguments) both online and offline.

I feel we all need to take more care in pitting viewpoints against each other.    Maybe the biggest benefit might come from accepting that differing viewpoints may all be correct, from looking for commonalities as opposed to stressing the differences.