Data protection and modelling

While at the School and Academies Show, one of the discussions I had focused on general EdTech and the need for teachers to model appropriate digital behaviours, including cyber security behaviours, for students. As the discussion progressed it moved on to the topic of data protection, and I think this struck a chord with me.

Seeking solutions

The pandemic has required us to be agile in quickly finding solutions for issues, ways to engage learners and bring about the best learning experiences where students are either all online, away from the classroom, or where we have a hybrid situation, with some in the class and some not. The issue is that the resulting search for solutions has led to tools which may have pedagogical benefit being adopted without due diligence as to data protection.

All staff need to appreciate that when signing up to an online service they are giving away some data. It might seem as simple as an email address and password, but the reality is that most services will also look at IP addresses, which give away some rough geographical information, plus information on the device being used, such as the browser, device type and operating system. Then, depending on the nature of the service itself, they will gather further data as provided by us, but also data on when we access a service and how often, and on which others in similar geographical areas, based on IP address, tend to access the service at the same time.
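To make the point above concrete, the following is an added illustration (not code from the original post) of what a service can derive from a single request before any form is filled in: IP address, browser, operating system, device type and time of access, and, across several requests, which addresses on the same network were active in the same hour. The request data is constructed sample data using documentation-only IP ranges, and the pattern tables are deliberately small; they show the principle rather than a production analytics stack.

```python
"""What a web service can tell from a request before a form is filled in.

Added example for this post, not code from the original.  The requests below
are constructed sample data (IP addresses from the documentation ranges);
the pattern tables are deliberately small and only show the principle.
"""
import ipaddress
import re
from datetime import datetime

# Constructed requests: what a server sees before any e-mail address is typed.
SAMPLE_REQUESTS = [
    {"remote_addr": "203.0.113.42",
     "user_agent": ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                    "(KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36"),
     "timestamp": "2021-11-18T08:47:12+00:00"},
    {"remote_addr": "203.0.113.57",
     "user_agent": ("Mozilla/5.0 (iPhone; CPU iPhone OS 15_1 like Mac OS X) "
                    "AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.1 "
                    "Mobile/15E148 Safari/604.1"),
     "timestamp": "2021-11-18T08:52:03+00:00"},
    {"remote_addr": "198.51.100.9",
     "user_agent": ("Mozilla/5.0 (X11; Linux x86_64; rv:94.0) "
                    "Gecko/20100101 Firefox/94.0"),
     "timestamp": "2021-11-18T08:49:40+00:00"},
]
SAMPLE_REQUEST = SAMPLE_REQUESTS[0]

# Order matters: an Android UA also says "Linux", an iPhone UA also says "Mac OS X".
OS_PATTERNS = [
    (r"Windows NT 10\.0", "Windows 10"),
    (r"Windows NT", "Windows"),
    (r"iPhone|iPad", "iOS"),
    (r"Android", "Android"),
    (r"Mac OS X", "macOS"),
    (r"Linux", "Linux"),
]
# Chrome UAs also contain "Safari/", and Edge UAs also contain "Chrome/".
BROWSER_PATTERNS = [
    (r"Edg/", "Edge"),
    (r"Chrome/", "Chrome"),
    (r"Firefox/", "Firefox"),
    (r"Safari/", "Safari"),
]


def classify(user_agent, patterns, default="Unknown"):
    """Return the label of the first pattern found in the User-Agent string."""
    for pattern, label in patterns:
        if re.search(pattern, user_agent):
            return label
    return default


def device_type(user_agent):
    """Rough mobile/desktop split from the User-Agent string."""
    return "mobile" if re.search(r"Mobile|iPhone|Android", user_agent) else "desktop"


def profile_request(request):
    """The implicit data one request hands over, before any form is submitted."""
    when = datetime.fromisoformat(request["timestamp"])
    ua = request["user_agent"]
    return {
        "ip": request["remote_addr"],
        "os": classify(ua, OS_PATTERNS),
        "browser": classify(ua, BROWSER_PATTERNS),
        "device": device_type(ua),
        "weekday": when.strftime("%A"),
        "hour_utc": when.hour,
    }


def network_prefix(ip, bits=24):
    """Collapse an IPv4 address to its /bits network: the 'rough area' a service sees."""
    return str(ipaddress.ip_network(f"{ip}/{bits}", strict=False))


def co_access_groups(requests):
    """Count requests per (network, hour): who on the same network was active together."""
    groups = {}
    for request in requests:
        when = datetime.fromisoformat(request["timestamp"])
        key = (network_prefix(request["remote_addr"]), when.strftime("%Y-%m-%d %H"))
        groups[key] = groups.get(key, 0) + 1
    return groups


if __name__ == "__main__":
    for request in SAMPLE_REQUESTS:
        print(profile_request(request))
    print(co_access_groups(SAMPLE_REQUESTS))
```

Nothing in this profile was typed into a form, which is the point worth making to staff: the account details are the visible part of what a sign-up hands over, and the grouping by network and hour is how a service can tell that a whole class arrived at once.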

And this is all before, as a teacher, I then get students to sign up for the same service as it is useful in the teaching of my given subject or a specific topic.   So now, students are also giving away data but at my request.

Data Protection and GDPR

I think part of the issue here is that not all staff are IT experts or data protection experts. Yet we all sign up to services which gather the data we provide, and some data we don't quite realise they are gathering. For me the issue here is that, although we may not be experts, we need to exercise some care in relation to data protection. This might simply be looking at the privacy policy for anything which seems out of place. It might be seeking support from the IT team in a school, or seeking the support of educators the world over via Twitter or other forums. The key thing is that we can't simply sign up without giving some consideration to the risks and implications of doing so.

Now those in the data protection world may see the above as not going far enough; they may point to UK GDPR or other legislation. However the reality, in my view, is that most things boil down to risk-based decision making. The role of a school is not to be as secure in its data protection as a bank or other highly regulated industry, but to facilitate learning. So there are some trade-offs, where learning takes priority and some risks are accepted and, hopefully, mitigated as much as is possible.

Conclusion

I think all schools need to spend some time discussing with all staff the implications of signing up for online services and of data sharing. We can't hope to make them experts, but we can hope to educate them enough to give some reasonable consideration to the implications of their actions when signing up for a service, or when getting students to sign up for an online service. It's about doing all we can to reasonably facilitate good data protection decision making and behaviours, in staff and, through modelling, in students.

Technology and efficiency

Technology can make things easier or more efficient; however, as with most things, there is usually an opposing drawback or disadvantage seeking to balance things out.

Take for example the recent plans by some Scottish schools to introduce the use of biometrics, and in particular facial recognition, to try and speed up their lunch queues (You can read more about the plan here). Using facial recognition means that the student can be recognised as they arrive at the till, allowing lunch staff to quickly scan food items and charge them to the student's lunch account, where the lunch account is topped up with credit by parents via an online portal. This will likely save a few seconds in lunch staff identifying the student on their system in order to apply the costs. A few seconds doesn't sound like much, but if you consider 600 students going to lunch each day, even a single second grows to 10mins saved per lunch period, or 50mins per week, or even over 3hrs per month. The potential benefit is pretty clear, but is this enough?

Cost

The first, and likely most obvious drawback in any technology implementation is cost.  The cost of hardware, the cost of software but also the cost of planning, implementation, training and support.   In almost every technology solution there will be an additional cost to be considered and it will be necessary to examine whether this cost is worth the proposed gain of the technology solution.    And we need to be careful to ensure we look beyond the initial financial costs and consider the more long-term support, maintenance and replacement cost, the total cost of ownership.   In the case of facial recognition in school canteens, it might be easy to compare this cost against the improvements in service or even a notional cost saving in terms of time saving.

Cyber Security

The other factor which is almost always guaranteed to act in balance is that of cyber security. Adding additional systems or solutions will likely increase the school's cyber attack surface and risk, even where appropriate risk mitigation strategies have been put in place. It will also add complexity, which again increases risk. As such, cyber security needs to be considered in establishing whether the proposed gains are sufficient to outweigh any risks or costs.

Data Protection

Data Protection, which is linked to cyber security, is yet another factor that needs to be considered. It is likely that more data, or different types of data, will be stored as the result of the proposed technology change. We need to be sure that we have processes in place for managing this, and that we continue to comply with UK GDPR or other data protection legislation. In the case of facial recognition this is particularly important, and it is one of the stumbling blocks impacting on the Scottish schools proposal. We need to ensure that data gathering is proportional and reasonable to the purpose for which it is being gathered. In the case of gathering facial recognition data of children below the age of 18, it is questionable whether this data gathering exercise, which means gathering sensitive biometric data and which relates to children, is proportional when the aim is to reduce queuing and waiting times at lunch. Simply put, technology can bring about the improvement in waiting times; however, in the form of facial recognition technology, it is questionable as to whether it should.

Conclusion

I often bleat on about balance. Seldom do we make gains through technology use without there being some sort of trade-off, cost or other balancing factor. Financial cost is the most obvious of the costs; however, we equally need to consider the longer-term costs of support and maintenance. Additionally, the cyber security and data protection related risks also need to be considered in detail before proceeding. Just because technology CAN be used isn't enough; we also need to ask whether it is right to use it, and whether it SHOULD be used.

UK GDPR: Showing compliance

One of the few things which I felt was different between the old Data Protection Act 1998 and GDPR when it was introduced, was the need to be able to evidence compliance as part of the compliance process.   So, to be compliant you have to be able to provide evidence of compliance. 

So how to show compliance?

As we start a new academic year, I think it is therefore important to give some consideration as to how you can demonstrate compliance with UK GDPR, so I thought I would list some of the key evidence you should have.

Data Record Summaries

One of the key things about GDPR and personal data is knowing where the personal data is stored and/or processed, so one of the key methods of showing compliance is to have records of which data is where, along with appropriate classification of the data, who has access to it, its purpose and how it is processed. Now I know from personal experience this can be a very arduous job; however, it is important to understand it can be carried out at different levels of detail, from full details down to the individual data fields, which is likely to be too detailed and time-consuming, to higher-level records focusing more on record types. It is therefore important to decide what level of detail you need. It may be acceptable to have a high-level central record, with individual departments then keeping more detailed records at a more local, department level.

Retention periods

We also need to be able to show we have considered our retention period for different record types. Now the Department for Education provides minimum retention periods for some record types; however, for others, schools will need to make this decision for themselves. As such the evidence of compliance is then the retention policy or process, plus the fact that the data currently stored matches it.
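Taken together, the high-level record of what is held (the section above) and the retention periods (this section) amount to something checkable: does what is actually stored match what the policy says? The script below is an added example rather than anything from the original post; it runs that check over a constructed register, retention schedule and set of stored records. The field names, record types and retention periods are illustrative assumptions, not Department for Education figures, and the output is the kind of dated result a school could file as evidence.

```python
"""Register and retention check for a school's personal-data records.

Added example for this post, not code from the original.  The register,
retention schedule and stored records are constructed sample data; real
schedules come from the Department for Education guidance and the school's
own retention policy.
"""
from datetime import date

# A high-level register entry should at least say where the data is, how it is
# classified, who can access it, why it is held and how it is processed.
REQUIRED_FIELDS = {"location", "classification", "access", "purpose", "processing"}

# Constructed register, one entry per record type (visitor_log is deliberately incomplete).
REGISTER = {
    "pupil_file": {"location": "cloud hosted MIS", "classification": "personal, special category",
                   "access": "SLT, pastoral team", "purpose": "education and safeguarding",
                   "processing": "maintained while the pupil attends"},
    "cctv": {"location": "on-site recorder", "classification": "personal",
             "access": "site team", "purpose": "site security",
             "processing": "recorded continuously, viewed on incident"},
    "visitor_log": {"location": "reception system", "classification": "personal",
                    "purpose": "safeguarding", "processing": "entered at sign-in"},
}

# Constructed retention schedule: days from the point the retention clock starts.
RETENTION_DAYS = {"pupil_file": 7 * 365, "cctv": 30, "visitor_log": 365}

# Constructed stored records; retention_start is the date the clock started
# (e.g. the pupil left, the footage was recorded, the visit took place).
STORED_RECORDS = [
    {"id": "P-001", "type": "pupil_file", "retention_start": date(2012, 7, 20)},
    {"id": "P-002", "type": "pupil_file", "retention_start": date(2019, 7, 19)},
    {"id": "C-118", "type": "cctv", "retention_start": date(2021, 8, 1)},
    {"id": "V-007", "type": "visitor_log", "retention_start": date(2021, 6, 1)},
    {"id": "S-001", "type": "staff_file", "retention_start": date(2020, 1, 1)},
]


def missing_register_fields(register):
    """Record types whose register entry lacks any of the required fields."""
    gaps = {}
    for record_type, entry in register.items():
        missing = REQUIRED_FIELDS - set(entry)
        if missing:
            gaps[record_type] = sorted(missing)
    return gaps


def retention_exceptions(records, schedule, today):
    """Split stored records into those past their retention period and those
    whose type has no retention rule at all; both need a documented decision."""
    overdue, unscheduled = [], []
    for record in records:
        limit = schedule.get(record["type"])
        if limit is None:
            unscheduled.append(record["id"])
        elif (today - record["retention_start"]).days > limit:
            overdue.append(record["id"])
    return overdue, unscheduled


def compliance_report(register, schedule, records, today):
    """One dated structure to file as evidence of what was checked and found."""
    overdue, unscheduled = retention_exceptions(records, schedule, today)
    return {
        "checked_on": today.isoformat(),
        "register_gaps": missing_register_fields(register),
        "overdue_records": overdue,
        "unscheduled_records": unscheduled,
    }


if __name__ == "__main__":
    print(compliance_report(REGISTER, RETENTION_DAYS, STORED_RECORDS, date(2021, 9, 1)))
```

An empty report is not the goal in itself; the evidence of compliance is that the check was run on a date, that the exceptions it listed were acted on or consciously accepted, and that the decision was written down.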

Policies

We can also evidence our compliance by having the appropriate policies in place, although really it is less the policies that matter and more that the school follows and complies with its own policies. This can include a privacy policy, data protection policy, acceptable usage policy, data retention policy and information security policy. I think there also needs to be evidence, in the form of policies or documented processes, in relation to incident management and to managing subject access requests or other data issues.

Are Data Protection and GDPR discussed?

This to me is the most important evidence. We can create our policies and other documents as a one-off task; however, data protection and compliance with UK GDPR is an ongoing process, as processes and systems change, as additional data is gathered, as the operating environment changes, etc. As such, one of the key pieces of evidence is that data protection is often discussed. This can easily be seen in minutes of meetings, briefing documents, emails, incident and near-miss logs, etc. Simply asking random staff some basic data protection questions, such as who they would report a suspected breach to, or what to look out for in phishing emails, will help you easily identify whether data protection is taken seriously and therefore how likely it is that UK GDPR is complied with.

Conclusion

The above is not meant to be exhaustive detail as the reality of UK GDPR is that your approach should be appropriate for your organisation and for the data you store and process, and the methods you use to process such data.    As such I suspect no two schools will ever be the same, although they will certainly have many similarities.

If I was to make one suggestion it would be to ensure that you can show that data protection is part of the normal day-to-day processes. There should be evidence of its general and regular discussion; if it is regularly raised and discussed, it is likely you are already well on your way to compliance.

GDPR: 2 years on

Back in 2017 I wrote a post for UkEdChat in relation to GDPR (See the post here), prior to the introduction of the GDPR regulations in May 2018.   It is just over 3 years since that post, and almost 2 ½ years since GDPR came into force so I thought it would be a good time to revisit the post and share some of the things I have learned in relation to data protection and GDPR since then.

Subject Access Request

One of the key things I expected when I wrote my post in 2017 was a significant increase in Subject Access Requests.   For me this never really materialised.    What did materialise however, for the limited number of SARs received, was a more difficult and time-consuming process in trying to fully respond to requests.    Thankfully new tools such as the eDiscovery tools in Office 365 made this reasonably easy and convenient from an IT point of view but this didn’t alleviate the administrative challenges around the need to review and also redact data from that identified by the eDiscovery tool.

Evidencing compliance

One of the key things I have learned in relation to GDPR is the importance of evidencing compliance with the regulations.   Things will not always go to plan and when they don’t there is a need to prove that you have done all that is reasonably possible.   This means documenting processes, documenting incidents, even minor ones, and documenting discussions regarding the perceived risks and mitigation measures including the mitigation measures which have not been applied due to cost or operational impact.   You need to be able to prove that you have fully engaged with the legislation and made every reasonable attempt to comply.

Interpreting the rules

It is clear that the GDPR rules are not as clear as some people, and especially those selling GDPR goods and services, would make out. There is a need for interpretation within the context of your own school, and any such interpretation needs to be documented. There is also an opportunity here to reach out to other schools similar to yours to see how they have dealt with certain situations and how they have interpreted GDPR. Again, a key issue is the need to document any decisions or conclusions reached in your interpretation of GDPR.

Third Party Management

I mentioned third party management in my 2017 post and I believe my concerns have been proven. Third parties have shown themselves to be a source of cyber risk, with cyber criminals breaching third parties and then moving laterally into an associated school or other organisation. Third parties have also shown themselves as a risk where they themselves are used to process or store your school data, as a breach of the third party storing your data is your responsibility; you are the data controller. The key here is the need for due diligence and a privacy impact assessment before engaging with a third party, plus the routine review of these assessments and of third parties' approach to data protection and to cyber security. We can't truly control the third parties we engage or the criminals who may seek to breach them, but we can try to ensure they are as prepared as possible, and ensure we can evidence that we have taken all reasonable measures should something go wrong.

Risk Management

This is my biggest learning point from the last 3 years, since my post in 2017. There are no 100% answers when it comes to cyber security and data protection. It is all about managing risk. Every action we take in terms of the setup of a system, the processes we use, the third parties, etc, involves a business benefit or gain but also a risk. Nothing is without risk. As such we need to be constantly reviewing the risk and deciding what risk is acceptable and what is not. We need to examine the available mitigation measures and decide which will be implemented and which we will not implement, with this often due to potential operational efficiency losses or simply down to cost. Above all, we need to document these considerations and the resulting decisions.

Conclusion

I am not sure GDPR changed things as much as I thought it might however it definitely did provide an opportunity to re-examine processes, systems, etc with a view to keeping data safe and secure.  This also provided a key opportunity to develop the all-important documentation in relation to processes and systems.    I think in 2017 I looked at GDPR as a piece of legislation and an end point in ensuring readiness for May 2018.    Looking back, I now see GDPR as more of an ongoing process which will never end.   GDPR is about ensuring we are doing all that is reasonably possible to safeguard the data trusted to our possession.

GDPR and third party solutions

I have previously written about third party related cyber risk in relation to data protection and GDPR but I think it warrants a little bit of a further discussion.    To start I will state what I believe is the key message:

A third-party system in use by your school, such as a cloud hosted MIS or Learning Platform, doesn't mean that data security and data protection aren't your problem. It's still your data and, although the third party might be processing it for you, you are still the controller. You are still responsible for the data and for ensuring that adequate security measures are in place, and that you can prove that they are in place, or at least have received reasonable assurances to the fact that they are in place.

There is also a second key point which I feel needs making in that cyber security and data protection decisions should always use a risk-based approach.    The approach and level of detail required in impact assessment for a learning tool where student emails are the only personal info and for a school management system containing name, address, medical, academic, pastoral and other personal data, are totally different.    The greater the risk the greater the time and effort required to ensure that an appropriate assessment and appropriate decision making has taken place.

So, let’s take two different scenarios and look at them.   The first scenario is a good old cloud hosted solution while the second is the one which is often overlooked, being a locally hosted solution using a third-party product.

A cloud hosted solution

I feel this is the more accepted and therefore easier of the two scenarios.   Here we have a school using a cloud hosted MIS for example.   The data is held on hardware outside the school on a third-party platform.    The school must therefore ask a number of questions relating to how the third party keeps data secure, how they will provide the data in the event the school requests it and how the data will be deleted should the school cease using the service, to list just a few.     Most of this info will be outlined in the terms and conditions or any contract which was signed so it is relatively easy to get the information.   There will also be questions related to how the third party tests its security through penetration and/or vulnerability testing as well as what their process is should a data breach occur.      I often ask vendors to confirm when their last penetration test took place and, in higher risk systems, ask them to provide a summary of findings.    The answers to the above questions will help the school to establish a view on the risk associated with the platform plus to document that appropriate consideration of cyber security and data protection has taken place.

A locally hosted solution

This is, I feel, the more difficult scenario. The third-party platform is hosted on the school's own network and hardware, and therefore the security of the platform can be directly impacted by configuration decisions of the school itself. The school therefore should ideally be conducting regular penetration testing to check the security of the infrastructure on which the third-party solution sits. The issue here is that some third parties at this point believe that the security of the data is therefore down to the school, as they control the network and network setup. This is the kind of response I have received from a number of solutions vendors only recently. To a point they are correct, but only to a point. The network should be constructed with "privacy by design" in mind, such that it is developed with security always in mind, but the network infrastructure is only half the solution. The other half is the third-party software. It too should have been developed with "privacy by design" at the forefront of thinking, and it is for schools to question whether this is the case. For me, this means asking questions in relation to how the company approaches checking their application for vulnerabilities. This ideally should involve a proactive search for vulnerabilities, including the use of vulnerability assessment or bug bounty programmes. There is also the acceptance that the finding of vulnerabilities should be treated as a "when" as opposed to an "if". As such, companies should be able to demonstrate that they have a plan in place for when a vulnerability is identified in their platform. This plan should involve notifying clients in a timely fashion. In relation to being timely, I think it is important to consider the ICO's requirement that a data breach may need to be reported within a 72-hour period, so it would be preferable that disclosure happens sooner, and ideally within 24hrs, rather than later.
It is this vulnerability notification process which I often find to be particularly lacking in third-party vendors supplying solutions to schools.

As schools take on more and more third-party solutions, and as more and more of these solutions are integrated and communicate with each other, the cyber security and data protection risk related to third parties only increases.    Schools therefore need to ensure that this is carefully considered and that they have taken all reasonable measures to ensure that their data and that of the students, staff and parents related to the school remain secure.    An easy starting point is therefore contacting third parties and asking some of the questions listed in this post.

Banning Office 365 in schools?

A German state has announced that it is banning the use of Office 365 in its schools, citing GDPR reasons (read article here). The issue arose, according to the article in The Verge, following Microsoft closing their German data centre, resulting in a potential risk that German personal data may be accessed by US authorities.

My view on this is that there has been a certain amount of overreaction on the part of the German state, where viewed as a GDPR related action. I can understand their concerns in relation to unauthorised access to data by US authorities. This would represent a GDPR risk; however, it takes a very narrow view of the situation.

A broader view would include the implications of not using Office 365 to store data. This means that schools are now storing their data locally, on servers most likely within individual schools. I would suggest that the ability of individual schools, school groups or local authorities to secure their local data, including appropriate monitoring and patching of servers, etc, is likely to fall far short of what Microsoft provides in its data centres. They are unlikely to have the resources, both technology and staffing, or the skills and experience. As such, removing one GDPR risk in relation to potential unauthorised access by US authorities has simply replaced it with another: a reduced level of security for data in each school. I would suggest that the new risk is higher than the risk they have mitigated in banning Office 365.

In all this discussion there is a wider, more important, question: who has my data, including any telemetry data resulting from system usage? The answer is sadly that this is very difficult to identify. Every time we use an Android phone, do a Google search, order from Amazon, access Office 365 or do any manner of other things using Internet connected technologies, data is being generated and stored. It is also often shared and then combined with other datasets to create totally new datasets. Consent for data gathering is clear in very few sites/services. In most it is buried in detailed terms and conditions written in complex legalese. In some cases the terms and conditions are clearly excessive, such as in the recently trending FaceApp, where use of the app grants the company a perpetual license to display "user content and any name, username or likeness providing in connection with your user content" (see a related tweet here). Basically, when you provide your photo to the app they can keep it and use it as they see fit from now until the end of time. There is also the use of tracking cookies, where I see a large number of websites seeking permission to use cookies but without any real details as to what data is being stored or why the data is needed.

It is for the wider question that I applaud the German state, as they are helping to raise the question of data: how it is gathered, used and shared. The waters are incredibly murky when it comes to how the big IT companies, such as Google, Facebook and Microsoft, manage data. We all need to stop and examine this situation, however not as individual states or countries but on a global and societal level. As to Office 365 being a GDPR risk: I suppose it is, but then again there are very few, if any, systems which do not represent some sort of risk, and I doubt we are going to put down our phones, stop searching Google, buying from Amazon, etc.

GDPR Teddy bear?

GDPR discussions once again have hit the news, complete with the usual worry and panic. But what about GDPR in relation to Teddy Bears? Has anyone thought of that?

The recent announcement of the proposed fine of British Airways has once again re-ignited the GDPR related discussion. The fact that it was followed promptly by a further fine for the Marriott hotel chain just added fuel to the fire. I have once again seen a number of emails and posts on social media regarding GDPR support and consultation services and also GDPR "solutions". This continues to worry me, as the security and protection of organisational data is an ongoing process and not simply a task to be done and then revisited yearly, or a product/service to be purchased. It also worries me that some schools, or even other organisations, may sign up to services seeking an answer, however will find that their purchase adds little value but at significant cost.

In relation to the lack of clarity and need for advice around GDPR, a couple of school-based queries I have recently observed stick in my mind. One related to a teddy bear and diary which was passed around in class, with young children taking it home and adding a note or drawing to the diary about their time with the bear. The children were all around the 4-6 year old range. The bear would then be passed on, along with the diary, to the next child and so on as it circulated the class. The concern here was that each student's drawings, comments or even photos were being passed on, so did this mean that GDPR prevented the activity, or required parental consent from each parent or similar?

Another query related to a class year book within a Year 4 class which would be produced from input from students and from photos gathered throughout the year.   The yearbook would then be shared with all students.   The concern here related to the use of names and photos in the yearbook and whether GDPR requirements prevented the activity or put specific requirements around the data which was allowed and/or permissions and consents which were needed.

In both cases I think the concerns around GDPR in relation to the planned activities are disproportionate. That said, I think having the concerns, raising them and then recording decisions is excellent, as it evidences that GDPR is taken seriously by the school and considered where there may be personal data involved. It is also important to note that I do not profess to be a GDPR expert and certainly couldn't attest to how things might go in a court of law. I however doubt that lots of the so-called "experts" to be found sharing their services could reliably predict the outcomes should such issues progress to their eventual final resolution in the courtroom.

In the case of the teddy bear, in my view, it would be anticipated that the parents already know the parents of other children in the class and their children. It is also reasonable to expect that it is unlikely that much of what is written or drawn by a 6-year-old will constitute personal data. In addition, parents will have control over any photos which they may work with their child to add to the diary. As such, having at least thought about GDPR, it is reasonable to assume little personal data, if any, is involved; plus, where it is, parents will be providing content through choice and will be aware of how the diary will be shared, etc. To be totally clear and transparent it may however be worth outlining in a letter to parents the activity and how the diary will be shared, plus how parents can choose to contribute or not.

Where the yearbook is concerned there is likely to be a bit more personal data, in that it will most likely contain the names of children. Again, like the teddy bear, you would expect students to know the other students in the class, and therefore you would also anticipate parents of a pupil knowing students and names through their own child. As an element of caution you might decide to only list forenames rather than full names, thereby minimising the data being shared. As a yearbook, the purpose of the data gathering and how it will be shared is clear. Once again a letter outlining the activity could be shared with parents, allowing them to exempt their child from inclusion; however, other than this I believe the act of at least considering potential GDPR implications would suffice.

For me one of the key aspects of GDPR which isn’t discussed as often as it should be is the actual act of stopping and considering data protection.    To actually stop and consider what data is being processed, what the risk level is in relation to if this data is leaked or otherwise breached, how permission or another lawful basis for processing was arrived at, etc, is a key part of GDPR.   This is the part in relation to demonstrating compliance in that GDPR has been thought about and decisions taken.  From here, in my view, it is a risk based decision.

In both examples I cited, the teddy bear and the yearbook, the anticipated risk is low, so the act of giving it thought and taking a decision should suffice. There is no need in these cases to get hugely concerned and spend massive amounts of time and effort. This would be disproportionate to the risk level. I would suggest that simple common sense in these cases should suffice.

Where however the data involved is more extensive, where the data is shared with third parties and where the risk of harm or distress is greater a more extensive level of consideration is required.

So, in conclusion, don’t panic!   In most cases, where risk is low, make sure you have stopped and considered GDPR and data protection, and make sure that such consideration is documented even if only in an email or in minutes of meetings.   If however the risk of harm or distress is high then make sure more comprehensive consideration has been given.

GDPR for schools

GDPR is now in effect.   As such I thought I would share some thoughts and advice on how schools might tackle some common issues which might arise.

USBs

The issue with the use of USBs, or other removable storage devices, in schools is that they are easily lost or stolen, plus even when data is deleted it may be possible to recover it. In a time now passed, USBs were a near essential piece of kit in allowing sharing of data, lesson materials, etc; however, now we have Office 365 and G Suite for Education there is no need. Using OneDrive or Google Drive, users can now easily share files all within the confines of the school's IT systems and control. As such my prevailing advice would be to include reference to avoiding USB use for personal data in your Acceptable Usage Policy and in awareness or cyber security training. I stop short of preventing USB use simply because some resources are still provided on USBs and they are still so very common. They also continue to be useful for sharing images or video footage or other large files.

Personal devices

Before discussing personal devices of staff, I think we need to be clear on what constitutes using a personal device for school purposes. As far as I am concerned, simply setting up email on your phone constitutes its use for school purposes, as it will store your emails and any included school data. Some, at this point, would suggest personal devices should be banned, however I think this is a little heavy handed. The benefits of staff having their email on their phone are huge. Banning personal devices also totally removes the potential benefits associated with a BYOD (Bring Your Own Device) environment, including the personalisation benefits which arise where the device belongs to the user and therefore is set up by them to meet their needs and preferences. My approach again, as with USBs, is to ensure coverage of personal device use is included in the school’s Acceptable Usage Policy, plus ensure it is also covered in any training provided to staff. I would also make sure the appropriate policies indicate a need to ensure personal devices have appropriate security, such as device encryption plus passcodes, passwords or biometrics enabled. There should also be a requirement for staff to report a lost or stolen personal device where it was set up or used to access school data or systems.

Photography

I have discussed photography before; you can read the post here. It continues to be a concern. The issue for me is that we all now carry a camera with us in our smartphones, so it is easy for us to capture images for sharing via social media, email, etc. There are lots of benefits in this, particularly the potential to capture impromptu photos which can be used in teaching and learning. Schools need to provide some guidance on what is acceptable around the taking and use of photographs. This could be contained in the Acceptable Use Policy or in a separate Photography Policy. Where staff use their own phones for taking photos, this should be covered by the personal device section of the AUP as mentioned above.

Third Party sites

This is most likely the biggest area of concern as far as I see it. Schools must know where they are sharing data, so a process must exist to ensure that any sharing of student data is logged. Schools must also ensure that the sites with which data is shared are secure. Generally this will take the form of a review of the sites’ privacy or data protection policies to ensure key points in relation to security and sharing of data are covered. Thankfully, in most cases the sharing of data will be limited to a pupil’s school email address and name for the purposes of providing them an account to log in to a particular service. As such, the risk associated with a breach is low and therefore a simple check of the service’s policies should suffice. Records of these checks should be retained. Where more data is being shared, such as date of birth, age, SEN info, etc., more questions should be asked of a service, including whether they carry out penetration testing and/or external auditing of their security, what their breach notification policy is, etc.

There are a couple of third parties with which all schools are likely to have to share data, such as examination boards, local authorities or councils, social services, etc. For these I think consideration should be given as to how data is shared, making sure student details are not emailed unencrypted to such bodies. Where possible, an online portal provided by the body should be used, and where this doesn’t exist an encrypted email service such as Egress might be considered. I think schools should also review the data protection policies or privacy notices of these bodies, as they would do for third party websites used in lessons, just to show that they have done some due diligence.

Risk Assessment

I think a very important activity for a school to undertake is a risk assessment. This should indicate the risks that are perceived and also any mitigation which has been taken, or may be taken in future. Having a risk assessment in place, which is regularly reviewed and updated, can go some way to showing that the school is aware of risks in relation to IT and school data and is actively seeking to minimise risk where it exists. This helps to demonstrate “privacy by design”.

Conclusion

There is no single blueprint for being GDPR compliant. It depends very much on the school and its processes. The key for schools is to be able to show that every reasonable measure is being taken and that decisions around the risk associated with data processing or sharing are carefully thought through, with evidence of the decision making process retained.

GDPR should not be a panic activity to try and get things “right”. GDPR is an ongoing process showing a focus on data privacy and security at the heart of a school’s operation. All schools need to show not just how they “have” complied with GDPR but how they will continue to ensure GDPR compliance and treat the data of their students and other stakeholders with the utmost care.

GDPR and photos around school

Recently a member of staff popped in to discuss how she would like to share photos of a school sporting event with the various schools which were involved.   This got me thinking about GDPR and the implications for events and photography at such events.

Firstly, let’s consider the photos themselves. They might show groups of students involved in a sport or gathered at the start or end. They might also include spectators who attended the event, including parents or visitors to the school. My first piece of advice here is simply to ensure that it is clear to people that photography will be taking place and that such photos may be used by the school for various purposes, including newsletters and other marketing or publicity materials, plus that they may be shared with other organisations involved in the event, such as other schools. This notification can either be put on programmes or event marketing materials, or can be made clear at the event itself via posters or other displays. I believe this should be sufficient, as gathering specific consent from all in attendance would be impractical, plus where consent is not provided, avoiding including individuals in action event photography would be very difficult indeed. Taking a risk based view, given that no names are attributed to the photos and therefore individuals are not clearly identifiable, I see the risk of taking photos at events as low. As such, I see the provision of notices of the intention to take and use photos as sufficient.

Once we start identifying individuals in photos, possibly by naming them, or because the photo is of a small group of individuals who are therefore more identifiable, then I think we would need to have consent or some other basis for processing the data. Schools usually have a permission form or other method to gather permission from parents to use photos of children in their materials. Key here is to ensure that a permission form makes clear the purposes for which photos might be used, e.g. marketing purposes, display purposes around school, etc.

When the staff member popped in, the issue of event photography highlighted the inaccuracy of the frequently used term “GDPR compliance”. The term “compliance” to me conveys a sense of a binary outcome: either we comply or we don’t. The issues in hand when looking at GDPR are not so clear. Does compliance mean seeking permission from every individual in a photo, including members of the public? I would think not. As such, I continue to believe in the need to take a measured, risk based view on how we manage data and on our preparations for GDPR. Where a risk exists, we need to decide whether we accept the risk. If we do not, we must seek to mitigate the risk, through permission forms and notices in the case of school photography, to the point where we are happy to accept it; failing that, we stop taking photos.

GDPR continues to result in confusion and contradictory interpretations. We seek the way, the one way, the best way to achieve compliance, yet every school is different, plus interpretations and attitudes to risk vary. For me the key is simply to consider your own environment, the risks and your school’s appetite for risk, and to act from there.

GDPR: Third parties and training

As GDPR approaches, I thought I would share some thoughts. Now I must admit to not being a GDPR expert; instead the below represents my thoughts taken from the perspective of managing the prevailing risks around GDPR.

Two issues currently occupy my thinking in relation to GDPR. The first is managing the use of third parties which either supply software used in school or provide a service where they store school data outside of the school. The second is awareness training and how we ensure staff are suitably informed and aware of GDPR, its implications and particularly what it means for them.

Third Party solutions

Schools may make use of third party software, some of which is locally hosted, with data stored in the school, and some of which is cloud hosted.

Locally hosted

Locally hosted solutions might include the school management system. In these cases, we are relying on the third-party vendor ensuring that the software they have created has adequate security measures in place to protect any data held within it. From a GDPR point of view, schools need to show their efforts to comply, and in this case I would suggest the easiest way is to ask third party software vendors to provide details of how they have ensured the security of their product, either through their policies or through independent reviews such as audits, vulnerability assessments or penetration testing. Although the school is responsible for the security of the infrastructure on which the solution resides, it is the vendor’s responsibility to ensure the security of the platform itself, independent of where it is hosted.

Cloud hosted

Where cloud hosting is used we have the same issues as for local hosting, in that the vendor must have ensured the security of the platform, however we have the added issue of the vendor supplying the hosting and the infrastructure on which the platform sits. My first port of call in examining third parties is their policy documents, looking specifically at any GDPR, data protection, privacy, data privacy or information security policies they may have. In the best cases this will address issues around security of data, sharing of data, and deletion and retention of data. In my experience, most vendors will quote the security compliance of their hosting service somewhere in their documentation or in response to questions on security. This usually addresses physical security concerns, in that the larger data centres must have tight security to comply with the relevant standards. This still leaves a requirement to ask questions around business continuity and disaster recovery, i.e. what processes the vendor has in place in the event of a serious incident. It also leaves questions around ensuring the security of the network on which the service is hosted. As with local hosting, we can address this by asking questions around any penetration testing or external auditing which has been conducted.

Breach, security incident or vulnerability notification processes are also an important thing to look for across both local and cloud hosted solutions. If a service is handling student data, it is important to know that they have a process in place for notifying service users if an incident occurs or if a vulnerability is identified, plus that they have a clear timeline and method of notifying users.

Awareness Training

I think a key aspect of GDPR is making sure the overall school community is aware of the new legislation and what it means for them. As such, training is a key feature of preparations. I know many companies and individuals are offering training ahead of the introduction of GDPR, however I think it is important to establish the purpose of training. If the purpose is simply compliance, then an annual presentation to all staff will suffice, as it will provide evidence that all staff have received training. The issue here is that staff in schools are very busy and therefore the content presented to them is unlikely to stick. Equally, an online resource in my opinion has the same limitation: the staff will complete the materials, however little will stick. For me the key is a multi-pronged approach using various delivery methods, including whole school sessions, sessions where discussions and materials are disseminated to department level, broadcast communications such as email campaigns, and online training materials. An awareness of GDPR and, more importantly, an awareness of the risks associated with processing data needs to form part of the culture, “the way we do things around here”.

Conclusions

GDPR is now fast approaching and the above are just two issues out of a myriad. Not mentioned above are the implications around developing appropriate privacy notices, the issue of establishing data retention plans, dealing with subject access requests or requests for restriction of processing, handling requests to be forgotten, handling services where data is stored outside the EU, and the issue of identifying the legitimate reason or justification for processing. The GDPR rules are complex to implement and my advice on this continues to be to take a risk based approach. For me, currently, the two items above, third parties and awareness training, represent two of the big risks.