Enhancing Data Protection Governance: Roles & Responsibilities
A core part of data privacy and protection compliance is about demonstrating accountability. This includes the ability to evidence management...
8 min read
9ine : Nov 24, 2020 2:41:12 PM
Many of you will have seen Netflix’s docudrama, The Social Dilemma. The film explores the alarming human impact of social media, with experts from Big Tech, including Google, Facebook, Twitter, Instagram and more warning of the consequences of their own creations.
Taking center stage is the influence that our day to day interactions with apps and technology have on our lives and the decisions we make. Although not a particularly new doomsday argument, the show’s release in the run-up to the 2020 U.S. election painted an intriguing contextual backdrop given the widely reported impact the Cambridge Analytica data scandal had on the last one.The misappropriation of data for political gain is indeed nefarious, however, what the documentary touches upon but fails to go into greater detail is the child protection and safeguarding issues relating to profiling and third party aggregation of data and where collective improvements need to be made. This blog takes a look at the issues raised within the documentary and places them within the context of schools and education.
The role of a school is to educate its pupils while ensuring their safety. Protecting pupil data should be seen as part of the school’s safeguarding responsibilities. Whilst many schools teach online safety as part of their curriculum, schools can go further to protect their pupils in school. By filtering and monitoring the internet usage of devices connected to their networks, schools can safeguard their pupils by preventing access to inappropriate content and sites which seek to exploit the personal data of users online.
Website filtering systems already form part of many schools' IT security framework; think of Smoothwall, Lightspeed, Sophos, Palo Alto, iBoss etc. Schools fully understand how children can be influenced by what they see on the internet and why filtering and blocking sites is so important to prevent harmful or distasteful sites reaching pupil devices. But monitoring internet use is often seen as a step too far and an intrusion of the users’ privacy, particularly as it will need to apply to all users of the school network, including staff.
This is where school governing bodies and their child protection staff need to fully understand the technology they have in place so that they can be confident in its application, especially when identifying children accessing or trying to access harmful and inappropriate content online.
The General Data Protection Regulation (GDPR) requires careful consideration to ensure the protection of school systems and the safeguarding of pupils is balanced against the right to user privacy. Balancing your obligations to comply with data protection, safeguarding information / cyber security legislation is a complex area - take our word for it! That’s why we are offering the opportunity to book an informative virtual workshop with us free of charge.
9ine provide free, virtual leadership training in the areas of data protection & security and systems in education. This workshop provides independent, school-specific training, the outputs will provide your school with a clear plan of action for evidencing compliance, and what best practices look like.
Schools are already aware of the harm that can be caused by social media and inappropriate content online. Inappropriate content here means material that is illegal, shows violent behaviour (such as bullying, self harm or suicide), promotes discrimination or drug / substance abuse, or is pornographic. There are, however, additional factors to consider regarding the personal data of users connecting to the school network.
Let’s start at the beginning, schools usually generate a profile for each person in their school to enable them to logon and use school computers. This allows teachers and pupils to make the online connections they need in school for study and work, connections which are often made using applications. App providers collect personal data. Sometimes it is low level but occasionally that low level personal data collection can escalate and be a viable commodity for others to purchase and exploit.
For instance, an app provider may collect the IP address of the user, their name, age and their location. This information may allow the app provider to make certain assumptions about that user by comparing the data with other users’ demographics. The user may then use their school profile to logon to the app at home using their own device. This provides an opportunity for more information to be collected by the app provider, such as a different location. This helps to build a profile of that user which can be sold to third parties who might aggregate that personal data with data collected from other apps. Those third parties may then use that data to target online inducements and advertisements to the users based upon their online behaviour, their location, or any other vulnerabilities that may have been assessed as a result of algorithms used by the app provider or third party.
The crux of the matter is that website use is perilous and data is collected and exploited online, often without the knowledge of the user. One of the pertinent quotes from The Social Dilemma in this regard was, “if you're not paying for the product, then you are the product.” Schools are in an ideal position to educate their staff and pupils about understanding the commoditisation of personal data and how to employ relevant safeguards. At the heart of this is the need to explain why filtering and monitoring website use is considered a necessity to help limit users’ exposure to the above risks.
Schools have to take into account the data protection rights of their students and staff when implementing any measures which affect their privacy. Filtering and blocking inappropriate sites in school prevents online connections being made to those sites, which helps to keep the school secure and does not affect the privacy of the user.
Monitoring sites, however, does affect the privacy of the user due to the school being able to access the browsing history of the users connecting to the school network. This will include any browser windows left open while the user was off site. For most, this will include learning / work based material. However, consider a case where the browser window contains a connection to an inappropriate site from which inferences can be drawn about the user. The filtering framework attached to the school network may prevent the content being shown in school but, because of the monitoring framework is in place, that site now forms part of the school monitoring log attached to that user. That user will have an expectation of privacy but the extent to which that expectation is reasonable will depend on whether the user’s device is school-owned or user-owned as part of a Bring Your Own Device (BYOD) initiative.
A school-owned device, typically, has the following elements:
In contrast, a BYOD, is:
It is clear that the expectation of privacy concerning a user of a BYOD device will be much greater than a user of a school-owned device, and there may be some reluctance on the part of the user to access the internet using a school WiFi which is monitoring website use. Whilst the school can take little action regarding BYOD users accessing online content independently of the school WiFi, this should not be seen as a reason to avoid monitoring altogether.
The GDPR requires the privacy of users to be balanced against the objectives of the school and for schools, as data controllers, to demonstrate their accountability and compliance with the law.
Before any monitoring is carried out and any personal data is collected, a Data Protection Impact Assessment (DPIA) should be carried out to consider:
It is important that the school’s Data Protection Officer (DPO) is involved with this DPIA process. Once a DPIA has been completed and the monitoring system is to be implemented, it is important that schools are transparent about the data they collect and why they collect it. Privacy Notices should therefore be updated to explain the process of monitoring and why it is necessary.
Where consent is being relied upon as the legal basis, a written consent form should detail how the data is being collected and why. It should also document how long the consent will be valid for (e.g. for the duration of the employment contract). This should be reflected in the school’s Retention Policy.
Internal governance should also be updated, including data maps and Records of Processing Activities (RoPA) to ensure they include this processing activity and document the legal basis for processing.
A number of policies should be integrated into the school culture to ensure users are aware of the technologies that are used, how they are configured and how they are to be used. All policies should be presented to the relevant user at the earliest opportunity upon joining the school. This could be during their first tutor session as a pupil or during their induction as a member of staff. Any changes to these policies should also be communicated quickly and efficiently to all users.
It is important that policies underpin the vision and values of the school and directly refer to both safeguarding and data protection. Some important policies to consider:
Schools need effective monitoring systems in place to, most importantly, profile the online behaviour of children and do so at an individual risk level. Monitoring also needs to be proportionate for all users within the school, including staff - if there are any less intrusive ways of achieving the same result then these need to be considered. The challenge of implementing this though is compounded by the requirement to not ‘over block’ access to the internet and restrict what children can be taught with regards to online teaching and safeguarding.
It’s important that schools, staff and students alike are realistic about the risks to personal data online. Monitoring won’t solve everything or prevent your users from using the web independently of the school network. What’s important is ensuring the appropriate level of training is provided to staff and students to make them aware of the real consequences at stake, not just the Hollywood pitfalls laid out in The Social Dilemma. Regarding the danger posed to children, child protection and safeguarding staff within schools should be leading the way on deciding how to best use the data presented by their network filtering / monitoring solutions and ultimately decide on the specific training required for all staff.
ABOUT THE AUTHOR:
Marcus is a Senior Technical Consultant at 9ine, responsible for the on the ground management of new build / refurbishment projects. He specialises in the application and configuration of technical systems and services within schools, including mobile device management (MDM) systems. He holds a bachelor's degree in computer network management and design.
A core part of data privacy and protection compliance is about demonstrating accountability. This includes the ability to evidence management...
The National Centre for Cyber Security recently published an alert for those responsible for IT and Data Protection in education. The alert brings to...
Data protection regulations differ across the globe, with some regions lacking regulations while others have more prescribed legislation and...