9ine Insights | Latest news from 9ine

[COVID-19] Guidelines: Remote Working & Data Sharing Protection

Written by 9ine | Mar 11, 2020 1:48:06 PM

In the current climate, it is important that schools do not use data protection regulations to discourage remote working or data sharing, but instead sensibly evaluate the impact of these processing activities, taking into account the risks to the school, staff, pupils, and parents of pupils.

9ine has developed some simple steps to assist you in identifying the risks and mitigating actions associated with remote working and data sharing. We would recommend that you consider these in conjunction with any guidance you have received from your Government/Public Health and Education Authority.

Record of Processing (Data Mapping)

  • Create a unique COVID-19 record of processing. This will act as a single source of reference to show what personal data is being processed in response to the threat of COVID-19 and how it is being processed. When these measures are no longer required, you can easily see which processing is no longer required and take any appropriate action.
  • Within your Record of Processing, you should ensure you detail:-
    • The type of personal data being processed,
    • The lawful basis for processing,
    • The platforms you will be using to work remotely, and
    • The personnel/parties who will have access to data and how that access will be affected
  • Consider undertaking a Data Protection Impact Assessment to assess the risk of any high-risk processing at the school.

Technical and Organisational Measures

  • Check that the applications you are considering using, or those that are already in use, have appropriate security measures in place (e.g., encryption, 2FA), and put this information in the Record of Processing. Consider:-
    • Where and how will the data be stored? e.g., secure school network
    • Who has access?
    • Who can view the application? e.g., is it just the teacher or is it the year group?  Can you restrict access?
    • Are there backups in place?
  • Consider undertaking a controller-to-processor assessment for any supplier contracts.

9ine are supporting schools around the world in the eventuality that they're required to provide school services remotely as a result of COVID-19. Download the Remote Learning Readiness Worksheet now.

Being Open and Transparent

  • Consider your privacy notices which inform your staff, pupils, and parents about how their personal data will be processed under the threat of COVID-19.
  • Make sure it is clear and easy to understand.
  • Let them know the security measures you have taken to protect their personal data.

Evidencing Your School's Accountability

  • Make sure you evidence all your decision-making processes involving personal data so that you can demonstrate compliance with the data protection principles.

We hope that this, together with our previous blog on Remote Learning Readiness, will help you to continue to educate and work with students and staff while keeping their personal data safe and secure. 

ABOUT THE AUTHOR:

Judith Downing, Senior Data Protection Consultant, has almost 20 years of experience working in the field of data protection, has a BCS Practitioner Certificate in Data Protection, and is also a certified GDPR practitioner. She currently advises schools in the UK, Europe, and internationally on all aspects of data protection compliance, either through our service desk or on-site audits.