GDPR – managing your compliance

Disclaimer: 

IRIS Connect is not providing you with definitive legal advice; ultimately it will be up to the school and your DPO to decide on your policies for GDPR. However, we do want to pass on to you the experience that we have gained from working with hundreds of schools and the practices that they have followed.

Some example documents are provided; these are designed to indicate what appropriate documentation might look like. Your school and DPO should carefully consider how they inform your policies, getting further advice where appropriate.

Overview:

The following tasks will help you to ensure that you are processing the data in line with GDPR:

1. Select your lawful basis for processing the data

2. Create internal documentation to support your selection of lawful basis

3. Update other documents (if required)

Below we have provided step-by-step suggestions to guide you through this process.

1) Selecting your lawful basis (ICO Guidance)

In the GDPR there are 6 lawful bases for the processing of data. You will need to select one or more of these as your bases for processing data with IRIS Connect. The majority of schools using IRIS Connect select the basis of Public Task so we have used this basis within our templates and examples. 

If you have already gained consent for this type of data processing (for example in your home-school agreement), then you may wish to proceed on that basis. However, if consent has not been explicitly gained in a previous agreement, then selecting the lawful basis of consent will require a new process.  The new process would have to be explicitly opt-in and may be difficult to implement.  

The ICO is clear in its guidance that:

The GDPR sets a high standard for consent. But you often won’t need consent. If consent is difficult, look for a different lawful basis.

If you are not confident that you already have consent, you should consider another legal basis. As an organisation discharging a statutory obligation you should consider Public Task. 

Basis: Public Task (ICO Guidance)
Description: You can rely on this lawful basis if you are processing in the exercise of official authority (this covers public functions and powers that are set out in law) or to perform a specific task in the public interest that is set out in law.
Relevance to IRIS Connect: Many schools are using this basis to cover a great deal of the data processing they do. The running of the school is a task that is in the public interest and has a basis in law.

The provision of professional development to staff (and therefore the use of IRIS Connect) is a required function of running a school. There are statutory requirements relating to professional development for teachers, as detailed in the example below.

2) Create internal documentation to support your selection of lawful basis (ICO Guidance)

Based upon the ICO’s documentation template for data controllers, the following provides information on how you may wish to document your lawful basis for processing.

In this example:

  • The school has reviewed all the legal bases and consulted with their DPO. In this circumstance they have selected Public Task as the most appropriate for their school.
  • The school has included information to support the limited sharing of the data between themselves and other organisations as they are engaged in a programme of professional learning which extends between organisations.
  • They have not provided responses for the fields relating to third countries as IRIS Connect stores all data within the EU.
  • They have not provided details for an Article 9 basis for processing special category data. If you intend to record data that is a special category then you would need to select one of the conditions for processing listed in the linked ICO guidance.
Field: Response
Purpose of processing: Providing professional development for teachers that enables them to engage with self evaluation, reflection and receive feedback from colleagues.
Categories of individuals: Pupils, Teachers and other employees that may be in the classroom.
Categories of personal data: A range of personal data about individuals is likely to be recorded due to the use of video and audio recording.
Categories of recipients: The system that we have selected (IRIS Connect) provides a privacy-by-design service to ensure that only users approved by the school can access the data and only when it has been specifically shared with them for an educational purpose. These individuals will be education professionals i.e. teachers, classroom assistants, professional development providers or educational researchers.
Link to contract with processor: https://www.irisconnect.com/uk/organisation-administrator-agreement/
Retention schedule (if possible): https://www.irisconnect.com/uk/support/gdpr/data-retention-policy/
General description of technical and organisational security measures (if possible): Our staff are required to adhere to both our own internal security policies and the conduct rules that they agree to when activating their user account (https://www.irisconnect.com/uk/support/gdpr/end-user-licence-agreement-eula/).

IRIS Connect have published the following documentation relating to their security measures and controls.

https://www.irisconnect.com/uk/wp-content/uploads/sites/3/2018/04/Security-Measures-and-Controls.pdf

Article 6 lawful basis for processing personal data: We have selected Public Task as the basis for lawful processing for the following reasons:

Supporting pupil learning through the training of teaching staff is required to perform our statutory function. Specific statutory requirements worth noting are the Teachers' standards:

  • The standards themselves (part 1 and part 2) have statutory force (under regulation 6(8)(a) of the Education (School Teachers’ Appraisal) (England) Regulations 2012).
  • They are issued by law; you must follow them unless there’s a good reason not to.

The standards state that:

Appropriate self evaluation, reflection and professional development activity is critical to improving teachers’ practice at all career stages. The standards set out clearly the key areas in which a teacher should be able to assess his or her own practice, and receive feedback from colleagues.

And that teachers should:

  • develop effective professional relationships with colleagues, knowing how and when to draw on advice and specialist support
  • deploy support staff effectively
  • take responsibility for improving teaching through appropriate professional development, responding to advice and feedback from colleagues

Additionally, as referred to in the Teachers' standards, the statutory guidance on School teachers' pay and conditions specifically points out that it is the professional responsibility of Headteachers to:

  • 46.8. Lead, manage and develop the staff, including appraising and managing performance.
  • 46.14. Promote the participation of staff in relevant continuing professional development.
  • 46.18. Collaborate and work with colleagues and other relevant professionals within and beyond the school including relevant external agencies and bodies.

And for all teachers to:

  • 50.14. Participate in arrangements for their own further training and professional development and, where appropriate, that of other teachers and support staff including induction.
  • 50.16. Collaborate and work with colleagues and other relevant professionals within and beyond the school.

Why is the use of video necessary to achieve these objectives?

  • There is now a very significant body of evidence to demonstrate that the use of video improves both teacher self reflection and coaching as it addresses fundamental cognitive biases and recollection flaws. It also enables a higher frequency of coaching interaction and wider access to models of best practice than in person observation techniques alone.
Rights available to individuals: We will make provision for data subjects to actively opt out of their data being recorded.
The source of the personal data (if applicable): Data is collected during classroom video and audio recordings. Additional data may be input to the system by users of the system reflecting on their practice or providing feedback to other users.
Location of personal data: All data is stored within the EU.
Data Protection Impact Assessment required: Yes
Link to Data Protection Impact Assessment: (See below for our example)

3) Updating other documents

a) Data Protection Impact assessment (ICO Guidance)

The ICO also recommends that you complete a DPIA if you plan to use new technologies, so it would be good practice to create one for the use of IRIS Connect.

The ICO has a template for this document if you do not already have one.

Risk profiling and mitigation measures may vary from school to school; however, here is the completed DPIA from our sample school:

Download example

b) Privacy Notice (DFE Advice)

Your privacy notice should take into account the data collected by the system, the use it is put to and anybody you are sharing it with. Here is a template from the DFE that you can use if you are creating a new privacy notice.

To continue our example, the sample school added the following to the DFE privacy notice template:

The categories of pupil information that we process include: Images, audio and video recordings.
Why we collect and use pupil information: To support pupil learning through professional development of our teachers.

(To support pupil learning in itself is probably enough, but there is no harm in being as transparent as possible)

How we collect pupil information: Video and audio recordings.
Who we share pupil information with: Selected schools with which we collaborate for professional development.
Why we regularly share pupil information: Selected schools with which we collaborate for professional development.

We collaborate with selected schools for teacher professional development using a secure video system. The use of this system enables our teachers to collaborate around practice and gain feedback from expert teachers in other schools.

(You may wish to specifically add the names of the schools, school partnership, trust or programme providers that you work with here for complete transparency)