Data can oftentimes seem intangible: we can’t feel it or physically see where it goes. Ever since the Schrems II ruling, organisations have been forced to query where in the world their data is being stored. With the United States' levels of data privacy and protection under scrutiny, schools should be cautious with the service providers and vendors used in the course of business. Read our Schrems II blog for a refresher on the ruling. Transferring data outside of the organisation to a service provider or vendor comes with risks, which can be identified and subsequently mitigated through vendor management, an important aspect of data protection. What type of data is (or will be) transferred, where the data will be stored, and the risks associated with such transfer activities are some of the things to consider when transferring data to local or overseas service providers or vendors.
Let’s take EdTech suppliers for a moment. These service providers can be extremely beneficial in helping teachers do their job by facilitating sufficient tracking of the child’s learning progress within the tool. The relief of finally finding the perfect resource to help you teach your students can make it seem that only positive outcomes will follow. However, where in the world that service provider is located, and what they do with the data once it is transferred to them, may have important data protection implications. One of the most important aspects to consider when deciding whether or not to use a service provider or vendor is the benefit to the child versus the risks that arise from the business relationship.
A common risk is the use of children’s data for profiling purposes, which should be kept to a minimum or limited to when it is in the child’s best interest. The question posed to us is how we determine what is considered to be in the child’s best interests in relation to using service providers or vendors.
Kurni & Srinivasa recently indicated in Governance of Data for Children’s Learning in UK State Schools that “Learning EdTech tools will sometimes use a child’s data for profiling and automated or automated decision-making. This can be a feature of products used for personalised learning that use data analytics and aim to identify both skills and strengths in individual children and to detect when children are falling behind and could benefit from an early intervention.”
A CRIA is an impact assessment that solely focuses on the benefit of the child when encountering a transfer of personal data. It is a process which takes a holistic approach to assessing how the child may be impacted by the type of data processing you are exposing them to.
9ine’s GRC platform has built-in CRIA capabilities to ensure that the risks associated with safeguarding, profiling and automated decision making are considered before any new EdTech systems, software and platforms are used. In performing a CRIA, your school can understand the risk of the transfer of children’s data to third parties.
9ine’s Vendor Assessment offers schools a structured and efficient evaluation for third-party risk management. The assessment helps schools to identify, assess, analyse, mitigate, and monitor risks and performance across all third parties such as contractors, data processors, IT managed service providers, and EdTech platforms and services.
The Vendor Assessment (or Processing Operation Assessment) function is embedded in the 9ine GRC platform for schools to use when they need it, making it accessible and effective. It includes the Vendor Assessment Database, which is pre-populated with data processor assessments, including assessments performed on EdTech companies, to enable your school to quickly review and assess applicable risks and mitigating controls.
CRIAs are also incorporated into the Vendor Assessment function within the platform, along with transfer impact assessments (TIAs), through a series of questions that will help you determine whether the vendor that you wish to use adequately protects the rights of. These questions are largely based on any concerns that might be associated with using the vendor when it comes to a child’s wellbeing. The questions range from concerns around the child’s self-image and behaviour to the extent to which they can be contacted through the service that the vendor provides. Questions around whether there have been any previous incidents in which the vendor has not adequately upheld the rights of a child to the correct standards give your school insight into the service provider’s data protection standards.
These evaluative questions will help your school to decide whether the vendor whose services you wish to use will adequately protect the rights of your school’s students. Being cautious of the vendors you share personal data with is an important aspect of your data protection programme.