In this document IRIS Connect is not providing you with definitive legal advice, ultimately it will be up to the school and your DPO to decide on your policies for GDPR. However, in light of conversations that we have had with schools going through the process, we have produced the following to provide an understanding of the practices that other schools have followed.
Some example documents are provided, these are designed to provide an indication of what appropriate documentation might look like. Your school and DPO should carefully consider how they inform your policies, getting further advice where appropriate.
The following tasks will help you to ensure that you are processing the data in line with with GDPR:
1. Select your lawful basis for processing the data
2. Create internal documentation to support your selection of lawful basis
3. Update other documents (if required)
Below we have provided step by step suggestions to guide you through this process.
1) Selecting your lawful basis (ICO Guidance)
In the GDPR there are 6 lawful bases for the processing of data. You will need to select one or more of these as your bases for processing data with IRIS Connect. The bases are outlined below with a brief description of how they might relate to IRIS Connect.
Please be aware that many of our schools are selecting Public Task, possibly backed up with consent if they have expressly sought this in previous agreements such as the home-school agreement.
To select consent as your primary lawful basis is a perfectly valid decision, but you should be aware that unless already explicitly gained in a previous agreement then it will require a new process that must be explicitly opt-in and may be the most difficult process to implement.
The ICO is clear in it’s guidance that:
No single basis is ’better’ or more important than the others – which basis is most appropriate to use will depend on your purpose
So you should look through the following list and ensure that you have selected the most appropriate before selecting consent.
|Basis||Public Task (ICO Guidance)|
|Description||You can rely on this lawful basis if in the exercise of official authority. This covers public functions and powers that are set out in law or to perform a specific task in the public interest that is set out in law.|
|Relevance to IRIS Connect||You would need to document that the use of IRIS Connect is in the public interest and has a lawful basis. Many schools are using this basis to cover a great deal of the data processing they do as the running of the school is a task that is in the public interest and has a basis in law.
The provision of professional development to staff (and therefore the use of IRIS Connect) can be seen as a required element of the task of running a school. Additionally there are statutory requirements relating to professional development for teachers that you might like to highlight. (Based on our experience with other schools, we have selected public task as a basis in our example documentation below).
|Basis||Legal Obligation (ICO Guidance)|
|Description||You can rely on this lawful basis if you need to process the personal data to comply with a common law or statutory obligation.|
|Relevance to IRIS Connect||This does not mean that there must be a legal obligation requiring the specific processing activity. The point is that your overall purpose must be to comply with a legal obligation which has a sufficiently clear basis in either common law or statute. In many ways this is similar to public task as you would need to document that the use of IRIS Connect is for a purpose that the school is required to undertake.|
|Basis||Legitimate Interest (ICO Guidance)|
|Description||The legitimate interests can be your own interests or the interests of third parties. They can include commercial interests, individual interests or broader societal benefits.|
|Relevance to IRIS Connect||You would need to document that the use of IRIS Connect is a legitimate interest of your school by completing a legitimate interests assessment (LIA) balancing the interest that you have identified against the rights and expectations of the individual. Please be aware that schools cannot use legitimate interests as your lawful basis if the task is a requirement of your role as a public authority. Therefore you would need to argue that the use of IRIS Connect was not a normal extension of your role as a school, or use Public Task instead.|
|Basis||Consent (ICO Guidance)|
|Description||Consent means offering individuals real choice and control. Explicit consent requires a very clear and specific statement of consent.|
|Relevance to IRIS Connect||Some schools have already made provision in agreements such as the home-school agreement or have conducted a specific permission process. However, if you have not made this provision, or do not believe that the agreement was explicit enough then you should look to provide and document an additional lawful basis. You could look to initiate a new consent process, however, this may be complicated and the ICO’s guidance is: If consent is difficult, look for a different lawful basis.|
|Basis||Contract (ICO Guidance)|
|Description||You can rely on this lawful basis if you need to process someone’s personal data to fulfill your contractual obligation to them.|
|Relevance to IRIS Connect||Unless you have an agreement that stipulates the systems use, then this basis is unlikely to apply|
|Basis||Vital Interests (ICO Guidance)|
|Description||You are likely to be able to rely on vital interests as your lawful basis if you need to process the personal data to protect someone’s life|
|Relevance to IRIS Connect||While we believe that IRIS Connect is really, really important, we concede that this is not likely to be an applicable lawful basis.|
2) Create internal documentation to support your selection of lawful basis (ICO guidance)
Based up the ICO’s documentation template for data controllers, the following provides information on how you may wish to document your lawful basis for processing.
In this example:
- We have selected public task as the lawful basis.
- We have included information to support the sharing of the data between schools as in our example we are intending to use the system to collaborate with other schools
- We have not provided responses for the fields relating to third countries or international organisations that personal data are transferred to as IRIS Connect stores all data within the EU.
- We have not provided details for an Article 9 basis for processing special category data. If you intend to record data that is special category then you would need to select one of the conditions for processing listed in the linked ICO guidance.
|Purpose of processing||Providing professional development for teachers that enables them to engage with self evaluation, reflection and receive feedback from colleagues.|
|Categories of individuals||Pupils, Teachers and other employees that may be in the classroom.|
|Categories of personal data||A range of personal data about individuals is likely to be recorded due to the use of video and audio recording.|
|Categories of recipients||The system that we have selected (IRIS Connect) provides a privacy-by-design service to ensure that only users approved by the school can access the data and only when it has been specifically shared with them for an educational purpose.|
|Link to contract with processor||https://www.irisconnect.com/uk/organisation-administrator-agreement/|
|Retention schedule (if possible)||https://www.irisconnect.com/uk/support/gdpr/data-retention-policy/|
|General description of technical and organisational security measures (if possible)||Our staff are required to adhere to both our own internal security policies and the conduct rules that they agree to when activating their user account (https://www.irisconnect.com/uk/support/gdpr/end-user-licence-agreement-eula/).
IRIS Connect have published the following documentation relating to their security measures and controls.
|Article 6 lawful basis for processing personal data||We have selected public task as the basis for lawful processing for the following reasons:
Supporting pupil learning through the training of teaching staff is required to perform our statutory function. Specific specific statutory requirements, worth noting are Teachers standards:
The standards state that:
Appropriate self evaluation, reflection and professional development activity is critical to improving teachers’ practice at all career stages. The standards set out clearly the key areas in which a teacher should be able to assess his or her own practice, and receive feedback from colleagues.
And that teachers should:
Additionally, as referred to in the Teachers standards, the statutory guidance on School teachers pay and conditions specifically points out that it is the professional responsibility for Headteachers to:
And for all teachers to:
|Rights available to individuals||We will make provision for data subjects to actively opt out of their data being recorded.|
|The source of the personal data (if applicable)||Data is collected during classroom video and audio recordings. Additional data may be input to the system by users of the system reflecting on their practice or providing feedback to other users.|
|Location of personal data||All data is stored within the EU.|
|Data Protection Impact Assessment required||Yes|
|Link to Data Protection Impact Assessment||(See below for our example)|
3) Updating other documents
Data Protection Impact assessment (ICO Guidance)
The ICO also recommends that you do a DPIA if you plan to use new technologies so it would be good practice to create one for the use of IRIS Connect.
The ICO has a template for this document if you do not already have one. While the details of what you would add to this and your perception of risk will vary greatly from school to school, there is some information in the example that we have created that might help you to fill in your document.Download example
Privacy Notice (DFE Advice)
Your privacy notice should take into account the data collected by the system, the use it is put to and anybody you are sharing it with. Here is a template from the DFE that you can use if you are creating a new privacy notice.
To continue our example of wanting to collaborate with other schools, based upon the template from the DFE, we would add the following to the relevant sections:
|The categories of pupil information that we process include:||Images, audio and video recordings.|
|Why we collect and use pupil information||To support pupil learning through professional development of our teachers.
(To support pupil learning in itself is probably enough, but there is no harm in being as transparent as possible)
|How we collect pupil information||Video and audio recordings.|
|Who we share pupil information with||Selected schools with which we collaborate for professional development.|
|Why we regularly share pupil information||Selected schools with which we collaborate for professional development.
We collaborate with selected schools for teacher professional development using a secure video system. The use of this system enables our teachers to collaborate around practice and gain expert feedback from other teachers in schools that we trust.
(You may wish to specifically add the names of the schools, school partnership or trust here for complete transparency)