Lessons for us all?

If you have been involved in education and the quest for GDPR compliance in schools, the recent report following the ICO audit of of the DfE probably comes as no surprise. If you have followed my posts, or indeed any other aspects of my work, you will know that I have a theme that recognises that Education in the UK has yet to enjoy the full benefit of the kind of advances in Technology that we might see in other sectors. For a sector that's core functions rely upon the use of data the education sector remains by-and-large at the bottom of the pile when it comes to effective use of technology.

This is not to say there are no examples of exemplary practice and I am thankful for my work with Naace which provides constant reminders of the aspirational schools, providers, consultants and advisors that do exist out there. But, it has to be said that when you walk into the average school you often have to look hard to find the efficiency, excitement, stimulation, wonder, innovation, or any other characteristics you may care to think of, that describe an educational establishment that is receiving the full benefit of an IT enabled working environment.

Since the introduction of GDPR I have assumed it to be useful to consider there to be no differences between the aims of GDPR and those associated with schools supporting their staff by providing the infrastructure and training that will enable them to receive full benefit. If you do one properly then you achieve the other, and both have the outcome of freeing staff from many of the inefficiencies they currently endure in meeting the current demands of data processing within educational establishments.

I do not think I am by any means alone in thinking this. Schools that have made step changes in their use of IT will already know it, as will the providers of services to schools who have developed their products to make full use of digital infrastructure. These stakeholders continue to press and push and find the boundaries and blockers that inhibit progress in these areas . And it is true the GDPR, as a tool to ensure good practice and move the sector on, finds those blockers too.

What schools have not had the benefit of though, is a flow-down of advice or preferred practice that would support schools achieving compliance or achieving efficiencies, from a Ministry that truly understood the GDPR priorities that impact schools. For that reason we might have anticipated the ICO findings.

So, as a starting point here are a few things that in my experience have impacted schools and made GDPR interpretation and compliance difficult. All would benefit from DfE guidance and support.

Parity of Parental Access Rights

The Education (Pupil Information) (England) Regulations describe parental rights to access their child's "educational record" at any time. This provision only applies to parents of children at maintained schools and the right does not extend to parents of pupils at schools managed by an Academy Trust. This means that every parental request to access data for a child at an Academy needs to be considered as a Subject Access Request. Some ignore the distinction, others absorb the significant administrative workload and the implicit erosion of a working relationship with parents. I have spoken to the DfE about this and was told that "they recognise the anomaly".

Clarifying Frameworks for Lawful Basis of Public Task

If you have had any dealings with OfS funded schemes, in particular NCOP initiatives you will be asked enter into an agreement to provide data to them to facilitate this engagement. This data includes basic details but also asks for data regarding the ethnicity of the students. This is Article 9 data, the sharing of which requires closer scrutiny. Formally this data was collected using the Lawful Basis of "Consent". Latterly many schemes are now using "Public Task" as a Lawful Basis.

Although "Public Task" and the statutory provisions cited by the OfS provide the framework for the OfS to process the data, this does not mean that schools are obliged to be the providers of that data when it is available elsewhere, the Local Authority for instance. The Lawful Basis is not reciprocated. Although a school might recognise its statutory duty to support a child's learning and therefore agree to share the basic data, the OfS will not provide enough detail to satisfy a DPIA as far as the Article 9 data is concerned.

After much scrutiny of the Education Act I found Part IX - Chapter iV Section 537B which obliges schools to provide data for funded education outside school to persons prescribed by the DfE. This (as a statutory framework that compels schools to provide the data required) is not referenced by the OfS, or at least certainly not provided as a statutory framework.

It seems to be there is some scope for the DfE to support schools and identify the full extent by which Statutory Instruments govern data use and enable, or otherwise, sharing.

Use of Email

This may not be a popular view, but anyone who is at the DPO end of data breaches will know that 99% of breaches result from the mismanagement of email. I'd suggest that there is an inappropriate and unhealthy reliance upon email in schools. Given the push for cloud-based platforms and content management during the current crisis I wonder if the time is right to outlaw the sharing of data using email? In my view there is now no need to ever attach data to email and no data should ever leave any school this way. Sharing cloud-based files offers a more secure mechanism that is, let's face it, just as easy to apply, but it is not going to happen any time soon without a top-down imperative.

MIS Integrators

The growing use of MIS Integrators is a for the most part a godsend to schools. They improve the interface of more specialist MIS systems and enhance engagement and facilitate efficiencies in many ways. Completing a DPIA for a MIS integrators is problematic though, especially if the integrator has arrangements to use the services of other providers, which is a growing trend. The DfE's Data Protection toolkit for schools quite rightly highlights the importance of identifying what data these application extract, but understanding the implications of data sharing with a service that grows arms and legs that require further review, DPIAs and Data Sharing Agreements, is difficult. This is an unwelcome burden and work that is replicated, (or even worse, not replicated) across the country. One wonders if the DfE might offer to support schools a little on that journey with a little guidance or regulation?

That's the top of my DfE GDPR blockers. If the ICO audit results in an awareness of the need to pick up some of these issues we may begin to use GDPR as a catalyst for improvement within schools.

If you feel that there are any issues that should be included in this list please feel free to add below.