01/21

Data Protection Newsletter

Dear <<First Name>>

This is the latest edition of the Data Protection Newsletter. You're receiving this because your school is using eLIM as its Data Protection Officer, or you have signed up to this newsletter.

In this month's newsletter:

Contact address

If you have any questions about Data Protection contact Amy Brittan at:
dposchools@somerset.gov.uk

New resources for live lessons


An increasing number of schools are planning for live online lessons as part of their remote learning strategy. Live lessons may be delivered through Microsoft Teams, Google Meet or Zoom.

We've produced some draft documentation for subscribing schools, which we strongly advise is in place to protect the privacy of learners and staff.

Privacy Impact Assessment for live lessons – PIA to consider the privacy risks from live lessons, and how the school can minimise the risk of data mishandling. Find it on the SSE DPO resources page under Documentation and Tasks > Privacy Impact Assessments > eLIM PIA Live Lessons 2021

Consent form for recording live lessons – we advise that if the school are recording live lessons where children are using their own webcams, consent is sought from parents. No other lawful basis is likely to be justifiable. Always consider whether recording live lessons for 'safeguarding purposes' is a necessary and proportionate response to a safeguarding risk. If you consider that it is, find a sample consent form on the SSE DPO resources page under Documentation and Tasks > Consent Forms > Recording live lessons consent form 2021

For your school leaders, the eLIM Ed Tech team have also reviewed the Blended Learning webpage to include all the latest DfE remote education guidance and expectations (Restricting attendance during the national lockdown: schools)

Brexit and data protection – update for schools


The UK has now officially left the EU, and laws about international data transfers have changed.

The UK is yet to be granted an ‘adequacy decision’ by the EU which will allow data to flow without additional safeguards. However, the UK and EU have put a temporary arrangement in place, detailed within the UK-EU Trade and Cooperation Agreement which came into force on 1st January 2021.

This allows the current transitional arrangement to continue. Personal data can continue to flow from the EU/EEA to the UK for up to six months, on the condition that the UK makes no major changes to its data protection laws. This gives the EU Commission time to consider granting an adequacy decision to the UK.
The UK has retained the General Data Protection Regulation in domestic law, and GDPR in the UK is retitled ‘UK GDPR’.

If your school has checked which data is being shared with EU/EEA based companies (e.g. ParentPay; Purple Mash) and they have provided you with additional safeguards such as standard contractual clauses, we do not feel that further action needs to be taken until an adequacy decision is granted. Don't forget you can check your Brexit compliance with our Brexit spreadsheet, which has recently been updated with new tools that schools have informed us about. Find it on the SSE DPO resources page under Brexit > Online tools - Brexit compliance check 2021

We do not consider that it is a good use of schools’ time to review all data protection policies, privacy impact assessments and privacy notices now, since we are still in the same legal position as before Christmas, and documentation is likely to require further review in six months’ time.

Once the additional transitional arrangement has concluded, we will provide updated documentation for schools who subscribe to the SSE DPO service. However, you may wish to amend any current reference to GDPR to include the ‘UK’ prefix.

More information here: ICO statement in response to UK Government’s announcement on the extended period for personal data flows, that will allow time to complete the adequacy process | ICO

Class Dojo - can we still use it? (Part 2)


Last month, we discussed reports about Class Dojo and a ‘privacy update’ message which popped up, asking teachers to accept changes to data processing.

We've received reports about inaccurate speculation in teacher forums and Facebook groups about Class Dojo, Brexit, and where data is stored. Some schools are reporting that they have been told to stop using Class Dojo as part of their remote learning.

As we said last month, Class Dojo is not directly affected by Brexit since it has always stored user data in the US. However, the US-EU data sharing agreement (‘Privacy Shield’) has been scrapped after a legal challenge by privacy campaigners.

Since January 1st 2021, we have been bound by UK GDPR, which says everything that's in the EU GDPR but doesn't bind us to US–EU legal agreements. What we need to ensure is that any sharing of student personal data with Dojo is lawful according to UK GDPR.

We can do this by ensuring that standard contractual clauses are in place for the data sharing. This means that Dojo will ensure they process personal data in line with EU and UK GDPR. The UK Information Commissioner states that ‘additional safeguards’ must be in place for international data transfers, and standard contractual clauses are one of these recommended safeguards.

The school needs to email privacy@classdojo.com and ask for standard contractual clauses for your setting. More information here: https://classdojo.zendesk.com/hc/en-us/articles/360053338371-Consent-to-Transfer-Information

In terms of what data you’re sharing with Dojo, we still advise that you reduce any sensitive information about pupils, including medical or welfare information. If a parent uses Dojo to email the school to inform you of a significant health or wellbeing issue, we advise that the teacher contacts the parent outside of Dojo to discuss this further – e.g. a phone call or using official school email. It’s important to have a clear and transparent communication channel for sharing personal data relating to health and wellbeing.

DPO Case Files – The Confidential Correspondence Conundrum


Just before Christmas, we received an email from a school data protection lead. She reported a data breach that had left her scratching her head at how it had happened.

The SENCO had posted an Individual Learning Plan to a parent, containing sensitive medical and wellbeing data about the child. However, the envelope was addressed to another, unrelated parent, who opened it and realised it wasn’t about her own child. She responsibly informed the school and returned the ILP.

A simple mistake to make? Yes, but when discussing the breach with the DPL, a number of factors became clear. The school did not have a clear system for sending sensitive data in the post, and staff members regularly sent out sensitive mail themselves, increasing the risk that data may go astray. Envelopes were also not routinely marked with the school’s return address and were not marked as confidential.

We agreed that the school would put in place the following measures:
  1. Separate post tray in office for sensitive items, where all staff place mail for posting
  2. Senior member of office staff to double check contents of envelope (for this, we are balancing confidentiality vs risk of sending wrong information)
  3. Sensitive letters to be marked “strictly private and confidential” and “to be opened by addressee only” on envelope
  4. Envelope has clear return address for the school
  5. Sensitive items sent by tracked First Class Post.
These measures would have prevented the information being sent to the wrong parent.

What system does your school have in place for sending sensitive mail by post?

Welcome to the team, Kirsty!

We’re delighted to welcome Kirsty Budge to the Data Protection Officer service, as support for the DPO. Many of you will know Kirsty from her extensive work in External Funding and Contract Support, and she has an excellent relationship with schools and considerable experience in managing time-sensitive situations.

Kirsty will be continuing her existing work alongside data protection and her knowledge and skills will be a great addition to the team.

Issues, questions or myth busting

If you have any questions or issues around Data Protection then please get in contact.
dposchools@somerset.gov.uk
 
Copyright © 2021 e-Learning and Information Management, All rights reserved.

