A report published last week by the career-focused social network LinkedIn identified the “Emerging Jobs” of 2020 in the UK. The report, which can be found here, looks at the roles that are experiencing significant growth.

At number one is “Artificial Intelligence Specialist”, confirming that this field is expanding out of the academic realm and into the mainstream. At number two, having experienced a 24-fold increase since 2015, is the role of Data Protection Officer.

Of course, one of the subjects exercising the minds of these new Data Protection Officers is the work of Artificial Intelligence Specialists. In the Education sector, in addition to being a subject of research and development, there is a great deal of interest in whether AI can lead a revolution in tailored teaching and learning.

Last year, alongside the GDPR, the EU produced a well-considered but concerning report called The Impact of Artificial Intelligence on Learning, Teaching, and Education. The report concluded there was great potential for AI in education, but that potential brought with it some significant risks.

We’re not talking about machines with human-like intelligence just yet. Instead, we are talking about the application of machine learning, grounded in the massive amount of data generated on a continuous basis. By 2025 the amount of data generated globally is estimated to reach 175 zettabytes, enough that at standard internet speeds it would take nearly 2 billion years to download it all (IDC, 2018).

There are some questions about this AI approach. Firstly, the principle of machine learning is that the algorithms are trained on historical data. This means that the criteria for measuring success may be based on data with inherent bias, and a model trained on that data will reproduce the bias in its outputs. It’s also true that the past is not necessarily a good guide to the future. Such techniques don’t cope well with creativity and innovation.

But perhaps a greater concern is the fact that AI-driven systems will find employment not just in teaching but in assessment. ‘Big Data’ driven machine learning can create highly detailed categories of outcomes and place people into them on the basis of their behaviour. The scope of data used in these algorithms would also be much larger than in current techniques. There are suggestions that, in addition to student responses, video footage could also be used to judge their level of engagement and behaviour.

What can clearly be seen at the end of this process is the possibility of classroom technology that would manage both delivery of material and assessment of progress. It’s easy to see how this would be attractive across many settings, including the growing world of online learning.

How this Links to Data Protection

Coming back to the number two emerging role, the Data Protection Officer, these types of AI proposal create some major challenges. The Information Commissioner’s Office has an open consultation on the use of AI in processes that make decisions about individuals. One significant question often raised is how you explain to data subjects the decision-making process of your AI-driven system.

Although the processes are based on algorithms, the sheer number of factors taken into account means it can be hard for anyone other than the AI specialists to understand how the decisions are made. As a data controller, if you’re using such a system you need to be able to explain how it works in a way that is straightforward enough for your data subjects to understand. This is not just good practice: where automated decision-making is used, Articles 13, 14 and 15 of the GDPR require that individuals are given “meaningful information about the logic involved”.

There are suggestions that the data about a student’s attendance, achievement, behaviour and progress could also be analysed to provide clues that there may be other issues in their lives affecting their ability to learn. This could include problems at home or other personal issues. While this could help identify the need for lifesaving support and prevention, there could be significant ramifications from a data protection standpoint.

As we look forward to a new decade it’s essential that we recognise the full implications of data-driven education technology.

The main vehicle for this is the data protection impact assessment (DPIA), which Article 35 of the GDPR requires before any processing that is likely to result in a high risk to individuals. Alongside the standard considerations of the way that data is transferred, evaluated and managed, the DPIA needs to take a broader view of the initiative.

It’s worth remembering that just because a system can perform a particular function, it doesn’t mean that you must use that capability. Decisions made about the path any student should follow can have life-changing consequences. The prospect of these decisions being made, in part, by algorithms that are difficult to explain should give us all pause for thought.

As AI begins to appear in the mainstream, it is pleasing to see a rise in Data Protection Officers. So, we welcome the top two emerging roles and can see a long future of discussion and debate about pragmatic use of AI in education.

While the Christmas holidays are tantalisingly close, many schools are struggling with the norovirus outbreak that is sweeping across the country. It got us thinking about the way that winter can leave us feeling washed out, both physically and mentally and how that could have an impact on more than just the mood at work.

Short winter days leave us sleepy, often hungry and lower in mood and that’s not even considering those individuals who suffer from the more serious Seasonal Affective Disorder. The causes of these issues are poorly understood, but in general, our bodies expect to sleep when it’s dark and be active when it’s light. Our fixed working patterns don’t allow us to accommodate this type of change.

You might ask, how does this relate to data protection? We know that how people feel has an impact on the tasks they must perform. Tiredness tends to lead to errors in judgement which, when dealing with personal data, can lead to data breaches.

Add to this the many activities that everyone is trying to get done before the Christmas break and you have a recipe for mistakes. We talked about this in our white paper Taking Control of Data Breaches.

Given that it’s probably fairly difficult to relocate your workplace to somewhere closer to the equator (where day lengths are more even), what can be done to avoid the data protection winter blues?

  1. Recognition: We’re now close to the shortest day, but did you know that the third Monday of January is considered by some to be the most depressing day of the year? If this is true, then we need to accept that December and January may represent periods of higher risk. Recognising risk is critical to mitigating it.
  2. Resourcing: It’s unlikely that you’ll be able to put off tasks until the spring, so you may need to consider how to ensure they are completed without issue. Simple steps like having a second pair of eyes checking before a large group email is sent or moving to envelopes with windows to avoid mismatched labels can make a huge difference, but you may have to prioritise.
  3. Rest: Once the break arrives, if you can, take the chance to switch off for a while. We’ll be thinking about data protection after the turkey, but hopefully you won’t have to.
  4. Resolutions: With the new year it’s time to remind people of their responsibilities. But, rather than presenting to people, get them to consider what might ensure that all of your personal data is managed to plan.
  5. Remember, YOU are important too! Self-care is important for all of us; however, according to a recent report by Education Support, 75% of all education staff have faced physical or mental health issues within the past two years due to their work. So, taking some time out for you is vital to keeping your spirits up. Some things to help with self-care include listening to music, waking 15 minutes before you need to and practising breathing techniques.

We can’t say whether any of these will guarantee you don’t make mistakes, but maybe you can have some fun finding out.

When you talk about data protection all day, every day, it’s easy to assume that everyone else does the same. Some of the terms and names used when referring to the new GDPR are not as clearly defined as they could be. So, this week we are looking at the role of a ‘data processor’ and answering some of the frequently asked questions about this role and its relationship to a ‘data controller’.

What’s a data processor?

Imagine for a moment that you’re running a school. You have all sorts of personal data about individuals including the pupils, their parents and your staff. You’re in charge of collecting, storing, checking, manipulating and outputting all that personal data. You’re also in charge of ensuring that the personal data is properly protected. Having these responsibilities earns you the title of ‘data controller’.

All the things that you can do with the personal data are bundled up and called ‘processing’. This means that whatever you do with personal data, even just storing it is considered ‘processing’.

You can manage all this processing yourself or you can choose to ask another organisation to undertake some of this processing on your behalf. You provide the personal data and clear instructions of what you want the third party to do with the data. If the third party is processing your personal data based only on your instructions, then it earns the title of ‘data processor’. It can be helpful to think about data processors as subcontractors for jobs that you would otherwise do yourself.

Can I be a data controller and a data processor? 

The simple answer is yes. In fact, it’s very likely that most data processors will be data controllers at the same time. The data processor is likely to have personal data about its own staff and customers and it will decide how that data is processed. This makes it a data controller.

If you’re a data controller it doesn’t follow that you’ll also be a data processor. That only happens if you’re providing a processing service to third parties. It is worth noting that if you’re running a Multi-Academy Trust, where the trust processes data for its academies it is not considered a “data processor”.

Are my staff data processors? 

This is a question we’ve been asked quite a few times recently. Your staff are processing data based on your instructions. However, your own staff are not considered to be third parties in the legal sense, so any processing they do is part of the operation of the data controller.

If you use staff with whom you don’t have a direct contract of employment (or an equivalent agreement), for example agency staff who are paid by the agency, then the agency is acting as a data processor.

If a data processor has a data breach, what happens?

You’ve chosen to sub-contract some of your data processing to a third party, but it’s still your data that’s being processed and it’s your responsibility. If the data processor experiences a data breach, then the risk is to your data subjects.

So, if it does happen, the data processor tells you what occurred and gives you the support needed to manage the impacts of the breach on your data subjects. If you must report the breach to the ICO, the data processor must give you the information you need to make that report.

While you might have a commercial agreement in place with the data processor, as far as the ICO is concerned you have a responsibility to ensure you choose a supplier who has appropriate data protection measures in place. If those measures fail, then it’s your choice of supplier that is in question.

If I run a system on my site, why can the supplier still be a data processor? 

If the supplier of a piece of software can access the software in operation such that personal data is accessible to them, then they are classed as a “data processor”. The most frequent way this happens is through the provision of support.

Whether an agent comes to your site or connects online, they can usually see the data in the system. This is more than enough for the support agent to discover personal data about your data subject which may get disclosed inappropriately.

If you get a support contract with this type of assistance you need to ensure you have the right terms in your agreement.

What do I need to do to protect my data subjects? 

If you’ve decided to use a data processor then you need to:

  • Have a written agreement that sets out how the data processor will deal with your data and that it will be compliant with the GDPR.
  • Satisfy yourself that the data processor can deliver the safeguards that it is claiming to have.
  • Include the existence of the data processor in your data map.

I hope this has given you some clarification on the difference between a data controller and a data processor, and the responsibilities each hold regarding the GDPR.

These are just a few of the questions about data processors and data controllers and their responsibilities under the GDPR. If you’d like us to take a look at another area of the regulation, let us know by getting in touch here.

Careless Talk Causes Breaches

(and can be costly too!)

GDPR is not normally associated with parties, but recently I heard the end of a conversation about an office Christmas party and it set me thinking about the impact that a misplaced sentence can have. Friendships and working relationships can be badly damaged, in some cases irreparably.

If I choose to pass on my unvarnished opinion about a colleague during the Christmas bash, then I can find myself in a lot of trouble. If on the other hand, I whisper information that has come from the data controller then not only am I in hot water, but I’ve also given the extra present of a data breach.

Article 32(4) of the GDPR says:

“The controller and processor shall take steps to ensure that any natural person acting under the authority of the controller or the processor who has access to personal data does not process them except on instructions from the controller, unless he or she is required to do so by Union or Member State law.”

Put more simply, you must ensure that people are given clear guidance about what they can and can’t do with personal data and you must ensure they stick to those rules.

Bear in mind that it doesn’t matter how information is disclosed for it to be a breach. Whether you’ve been hacked, sent an email to the wrong person, lost a paper file or repeated information to someone who shouldn’t know it, a breach has occurred.

With verbal disclosure the situation is often made worse by the fact that our natural desire is to share more ‘interesting’ information, which is also usually more confidential and leads to greater upset.

We’ve seen examples where incidents have been dealt with from a disciplinary standpoint but have gone unrecognised as a data breach. Obviously, if you need to report the breach to the ICO, you’ll have to explain why you missed the 72-hour deadline for reporting. It is difficult to say that you have a sound regime for data protection but missed this high-profile target.

What steps should you take to avoid these issues:

Training
  • All your staff need to know about the risks of verbal disclosure. Include it in your normal GDPR training but you may need to provide a special briefing. As well as knowing that they need to notify your DPO or GDPR lead, it’s a great time to remind people of the perils of letting information slip.
Easy reporting
  • Take away any barriers that prevent staff from alerting you to an issue. Have an email address just for staff to alert you of issues or consider an online form.
A response procedure
  • If people do report issues then you need to have a well-established procedure to deal with them. Get it recorded and you can even practice to make sure the 72-hour deadline can be met.
Joined up processes
  • Issues which trigger disciplinary procedures may relate to data protection issues and vice-versa. Make sure that there is a section in the guidance for both areas that highlights the risks and include this in your general training and particularly induction training.

So, as you contemplate the upcoming festivities, it may be worth a timely reminder to everyone that we have to consider what we’re saying just as much as what goes into an email.

Being as clear as mud when it comes to Data Protection

A key principle of data protection is transparency. You must be upfront about what you plan to do with personal data.

A failure to be transparent has recently brought the Department for Education into the Information Commissioner’s Office’s sights. Information from the annual school census returns was apparently shared with immigration officials without the data subjects being informed. This is the opposite of what you should be doing.

According to an article in the Guardian the ICO position is that:

“Our view is that the DfE is failing to comply fully with its data protection obligations, primarily in the areas of transparency and accountability, where there are far reaching issues, impacting a huge number of individuals in a variety of ways.”

It’s not clear yet what the consequences for the DfE will be from these findings.

Just a few days before the news about the DfE broke, the Information Commissioner felt compelled to ensure that political parties understood their data protection responsibilities as we head towards the election in December.

In addition to telling the parties that they needed to follow the principles of data protection, she also specifically addressed the controversial issue from the Brexit Referendum and subsequent elections – advertising on social media.  You can read the Commissioner’s full statement here.

These concerns are about transparency. How do you know what someone is doing with your personal data and how that usage might affect your rights and freedoms? The GDPR is very clear about the information that should be provided especially when your personal data is being used. It’s not always clear how well individuals understand the information presented to them, if they are given any at all.

The principle of transparency doesn’t just apply to political parties and government departments. It should be the cornerstone of the data protection policies and practices for every organisation.

So, what does Transparency mean for an organisation in the Education sector?

  • You must be clear about why you are processing personal data
  • You must be able to show you’re using the minimum data necessary
  • You must be able to show you have a legal basis for your processing and sharing of data
  • You must take action to inform individuals about how their data is being processed

How can you demonstrate that you’re meeting these requirements?

Your data mapping, providing it follows the model set out by the ICO, will address the first three, and your privacy notices should address the last item.

Our experience is that many schools and colleges haven’t mapped their use of personal data to the level of detail that the regulation expects, and this could become a problem if a complaint is raised by a data subject.

You may know in detail how data is collected, stored, updated and shared, but the legislation requires that this is documented. Does your documentation fully cover the movement of personal data around the organisation?

Do your privacy notices strike the balance of informing individuals about how their data is used while being accessible and unambiguous?

While you try and figure out the fake news from the real around the election it may be a good time to ensure that you’re being properly open about the way you collect and use personal data.

If you are unsure how you process data, or would like some guidance on how to document this, please contact our GDPR experts on 0113 804 2035 or click here.

Are you facing the same GDPR problems as most?

We asked a number of Data Protection Officers and GDPR Leads in Education what the most common GDPR problems they come across are. Interestingly, most of the answers were the same, so we have put together a list of those problems and some ways of resolving them.

1. Not Enough Time

Yes, we all struggle with it. Often a DPO also has one or more other roles within the school; School Business Managers and members of the Senior Leadership Team are often the first port of call when seeking a new Data Protection Officer. These roles are often picked because the DPO is required to be a senior manager and needs a really good all-round understanding of the school. However, Business Managers have to co-ordinate much of the non-teaching activity, and members of the SLT have to combine teaching, line management and other development projects.

We can’t make extra time (if only!) but where we can help is to ensure that you focus on the highest priority items. Whether it’s through our GDPR training, getting visibility through the Sentry System or even getting us to take on some of the load, we can help you deal with GDPR more efficiently.

2. Lack of GDPR Knowledge

It is no surprise that many DPOs don’t understand the full complexities of the GDPR requirements, such as data mapping, retention schedules, when a breach should be reported to the ICO and the web of complexity in a data protection impact assessment. The Data Protection Officer is responsible for advising on the interpretation of the regulation with all the difficulties that real life can throw at a situation.

Here at GDPR Sentry, we offer GDPR Training, from basic staff awareness training to complex Data Protection Officer training to ensure you have all the knowledge you need for your compliance journey.

3. 24/7 Availability

DPOs have holidays, and rightly so! When on annual leave, a Data Protection Officer is unlikely to want to be available to discuss breaches or the response to a subject access request. Most DPOs would prefer not to have to be available at weekends and in the evenings. However, if a breach occurs and it needs to be reported to the ICO, this needs to be done within 72 hours of the organisation becoming aware of it.

We recommend other members of your team are up to date with GDPR, so that in the event of absence, breaches and SARs can be dealt with efficiently and correctly. We can even provide out of hours or holiday cover to support the DPO.

4. Conflict of Interest

In the real world many decisions are driven by calculations of cost and benefit. The Data Protection Officer is expected to always put data protection first, even when this may create higher costs or cause issues for the organisation. For DPOs who are juggling more than one role this can create conflicts of interest where data protection is balanced against other priorities.

The DPO is meant to have no role in decision making about data processing at the same time as being a senior manager. Outside of very large organisations this is almost impossible to achieve. This is most evident during a data protection impact assessment.

We can support the risk assessment of an impact assessment ensuring that every angle is considered, and you have an objective perspective for your initiative.

5. Getting a Second Opinion

If you are a Data Protection Officer and you come across something you are unsure of, where do you turn? A lot of the DPOs we work with have admitted they feel there is no support: they are expected to be the ‘go to’ person for all things data protection. However, due to a combination of the points above, a newly appointed DPO cannot know everything about such a complex regulation.

If you can relate to any of the above GDPR problems, you are not alone. GDPR Sentry are here to support Data Protection Officers with their role, offering a range of one-off or ongoing support services. To speak to our GDPR Experts, click here.

Wednesday 23rd October 2019

Following on from our latest update last week, ‘How Brexit will affect GDPR’, as always with Brexit there is another twist in the tale.

In the increasingly febrile corridors of Westminster, the latest set of proposals for an orderly Brexit offer a crumb of comfort from the perspective of data protection and the GDPR.

The new Withdrawal Agreement makes it clear that at least until the end of the Transition Period (31 December 2020) data protection between the EU and the UK will continue to be governed by the GDPR as it is now: EU law continues to apply to the UK during the transition (Article 127), and personal data processed before the end of the transition remains protected under EU law afterwards (Article 71).

This should give plenty of time for any work required to ensure an adequacy decision is in place by the time the Transition Period ends.

Whether you’re for or against leaving the EU, the prospect of not having to prepare rafts of new contractual clauses for EU data controllers must be considered positive.

Of course, given the uncharted territory we’re in, the prospect of a no-deal Brexit can’t be completely discounted. If this should happen then the UK becomes a ‘third country’ without an adequacy decision, and transfers of personal data from the EEA into the UK will need an appropriate safeguard such as standard contractual clauses.

Although it’s the responsibility of the data controller transferring information, you need to be prepared to demonstrate that you have a solid legal basis to receive personal data. The Information Commissioner’s Office website still has good guidance on what you’d need to do.

Once there is any further clarity, we’ll provide an update, although we’re not holding our breath!

With the ‘Harry2’ story recently hitting the headlines, we ask, how far do Schools really need to take data protection?

Newhey Community Primary School have branded Harry Szlatoszlavek with a number 2 as his surname, so they can differentiate between him and another boy with the same first name.

The Rochdale-based primary school says it is complying with data protection regulations by not including surnames on notebooks, just in case they are taken out of the classroom.

Harry Szlatoszlavek’s mum Tanya had contacted the Information Commissioner’s Office and been informed that this policy is not necessary.

Tanya strongly believes the school is taking away Harry’s own identity by branding him ‘Harry2’. She said: ‘he even received a Christmas card saying “Harry2 from Jack2”’.

With this recent story, we thought it worth considering how far schools need to go with compliance.

The GDPR is a large piece of legislation which many find overwhelming. Schools have to deal with hundreds, sometimes thousands, of students and their personal data.

We have outlined below some ‘GDPR Myths’ and the true situations:

  • All data breaches must be reported to the ICO

Truth: If a breach is likely to result in a risk to people’s rights and freedoms then it must be reported to the ICO within 72 hours of becoming aware of it. Not all breaches need to be reported; the judgement as to whether to report is one your Data Protection Officer should advise on. Note that every breach, reported or not, must still be documented (Article 33(5)), including the facts, its effects and the remedial action taken.

  • Personal data can’t be processed without consent

Truth: Most of the personal data processed by schools and colleges is done on the basis of performing a public task, or under a contract. Consent is only really used where the data is not obligatory. Good examples are the consent to use photographs and giving information about ethnic origin.

  • All student records must be deleted once they have left the School

Truth: When a student moves school, it is a legal requirement that their main pupil file moves with them; this applies to transfers between schools as well as the transition between primary and secondary school. Schools can keep information about the registration of pupils.

  • It is against data protection regulations to take photos of students

Truth: The key word we always need to consider here is “necessary”. If you need photos to demonstrate a pupil’s progress, for example, this can be considered necessary. A photo to be used on a Management Information System is a standard requirement. In other circumstances you may need to gain consent to use photos. Providing you have considered your justification, there is no prohibition on using photos.

  • No surnames should be on any documentation which could be removed from the school premises

Truth: This comes back to the same question of something being necessary. If you have 20 children in a school called Emily, then a surname will be essential to differentiate between them. The GDPR is interested in ensuring that data is protected appropriately when it is being used, not in trying to determine how it can be used.

If you are unsure on how to be fully compliant with the GDPR, please feel free to get in touch with our Education GDPR specialists here.

Brexit GDPR

Among the political turmoil as we approach the deadline of the 31st October for leaving the European Union, data protection is now being mentioned. Some schools have received guidance about actions that may need to be taken.

The essentials of the situation are these. Despite our having gone to considerable effort to implement the GDPR and to enshrine it within UK law, in the event of a No-Deal Brexit the UK will become a ‘third country’ with no adequacy decision, so organisations in the EU will not be able to send personal data to the UK under the GDPR without putting an additional safeguard in place.

It would have been expected that a Brexit deal would have included this ‘Adequacy’ decision.

The question is about the how the GDPR regulates International Transfer of information. It applies when an organisation inside the European Economic Area (EEA) sends data to an organisation in the UK. It does not apply when the data is being provided directly by the data subject themselves.

So, for example if a school in France is providing information about a group of students coming on an exchange trip then this would be a transfer between two data controllers. In contrast, if a student from France registers to attend a college in the UK, that would not count as an international transfer.

What needs to be done?

If we have a No-Deal Brexit you need to consider whether a data controller in an EEA country is transferring personal data to you. Examples might be getting funding information about international students or receiving references about members of staff from organisations in the EEA.

The Information Commissioner’s Office has provided a handy tool to create a contract between controllers, based on the standard contractual clauses, to enable this transfer to continue. You can find the tool here, and you should definitely consult your data protection officer, who can provide more details.

If you would like further information on GDPR, and how it may affect your education facility, please contact us via our contact form or call 0113 804 2035.

Documenting Data Breaches

Why paper and spreadsheets may not be enough…

  • A Breach Scenario

You’ve experienced a breach where information was sent to the wrong person. During the investigation it became clear that the person whose data was breached was aware of it happening. You took the actions that seemed appropriate and decided that it wasn’t necessary to report to the Information Commissioner’s Office (ICO). Case closed.

This is a situation that you might recognise and it’s a pattern that many breaches follow.

If you type ‘data breach’ into a search engine like Google, high in the list of predicted searches is ‘Data breach compensation’. On the pages this search returns you’ll find law firms letting people know about their right to compensation. This compensation can cover both direct losses and emotional distress. It’s very hard to demonstrate that someone didn’t experience distress. You’ll also see that some firms are focused on ‘public authorities’ including schools for raising these claims.

If someone makes a claim it can be strengthened by making a complaint to the ICO. This is quite a simple process although it may take some time. If you’ve provided even fairly basic information to the data subject about what has happened this may be enough for the ICO to make a determination. The first you hear about it may be when you’re informed of the decision.

  • Managing the details

It would be great to think that if you could prevent breaches from ever happening then the problem would be solved. While a breach-free world would be excellent, it’s not the real world: breaches do happen. Of course, it’s important to put measures in place to reduce the risk of breaches occurring, but it’s also important to pay attention to what happens when they do.

You can have the best measures in place, but if you can’t demonstrate them then they won’t help if a complaint arises.

  • Legal requirement

The time limit for a claim is six years, and breach records should therefore be retained for at least that period after the incident is closed.

  • Paper and spreadsheets

There is a risk that using paper and spreadsheets may simply not provide the required level of documentation and could significantly increase the level of risk from a potential claim down the line.

  • System – Keep track of your actions

By using a system, you can fully document the action that you’ve taken around a breach incident including communicating with data subjects. You can create a timeline, add notes and attachments so that all the information is to hand, whenever you need it.
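To make the above concrete, here is a minimal breach register written for this post; it is an added example, not the Sentry system or any other product. It keeps a per-incident timeline with notes and attachment references, starts the 72-hour reporting clock from the moment the organisation became aware of the breach, records the report/no-report decision, and works out the six-year retention date from closure. The incident data (reference, dates and notes) is constructed to mirror the misdirected-email scenario at the top of the post.

```python
"""Minimal breach register: a timeline per incident, the 72-hour reporting
clock, and the retention date. Added example; not GDPR Sentry's product."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional
import json

REPORTING_WINDOW = timedelta(hours=72)  # GDPR Art. 33(1): notify the ICO within 72 hours of becoming aware
RETENTION_YEARS = 6                     # keep the record for the six-year claim period the post describes


@dataclass
class TimelineEntry:
    at: datetime
    note: str
    attachments: List[str] = field(default_factory=list)  # file names only; store the files with the record


@dataclass
class BreachRecord:
    ref: str
    aware_at: datetime                 # the 72-hour clock starts here, not at the time of the original error
    description: str
    timeline: List[TimelineEntry] = field(default_factory=list)
    report_decision: Optional[str] = None   # "report" or "do not report"; the reasoning goes in the timeline
    reported_to_ico_at: Optional[datetime] = None
    closed_at: Optional[datetime] = None

    def add(self, at: datetime, note: str, attachments=()) -> None:
        """Append an action; entries are kept in time order so the record reads as a timeline."""
        self.timeline.append(TimelineEntry(at, note, list(attachments)))
        self.timeline.sort(key=lambda e: e.at)

    def reporting_deadline(self) -> datetime:
        return self.aware_at + REPORTING_WINDOW

    def hours_remaining(self, now: datetime) -> float:
        """Hours left on the reporting clock at `now` (negative once the deadline has passed)."""
        return (self.reporting_deadline() - now) / timedelta(hours=1)

    def report_was_late(self) -> bool:
        return self.reported_to_ico_at is not None and self.reported_to_ico_at > self.reporting_deadline()

    def retain_until(self) -> Optional[datetime]:
        """Earliest date the record may be destroyed: six years after the incident was closed."""
        if self.closed_at is None:
            return None
        try:
            return self.closed_at.replace(year=self.closed_at.year + RETENTION_YEARS)
        except ValueError:  # closed on 29 February; roll forward to 1 March
            return self.closed_at.replace(year=self.closed_at.year + RETENTION_YEARS, month=3, day=1)

    def to_json(self) -> str:
        """Export the whole record, including the computed dates, for an audit file or a complaint response."""
        retain = self.retain_until()
        doc = {
            "ref": self.ref,
            "description": self.description,
            "aware_at": self.aware_at.isoformat(),
            "reporting_deadline": self.reporting_deadline().isoformat(),
            "report_decision": self.report_decision,
            "reported_to_ico_at": self.reported_to_ico_at.isoformat() if self.reported_to_ico_at else None,
            "closed_at": self.closed_at.isoformat() if self.closed_at else None,
            "retain_until": retain.isoformat() if retain else None,
            "timeline": [{"at": e.at.isoformat(), "note": e.note, "attachments": e.attachments}
                         for e in self.timeline],
        }
        return json.dumps(doc, indent=2)


def build_sample_record() -> BreachRecord:
    """The scenario from the post with constructed dates: a pupil letter emailed to the wrong parent."""
    utc = timezone.utc
    rec = BreachRecord(
        ref="BR-2019-014",  # constructed reference
        aware_at=datetime(2019, 12, 2, 9, 30, tzinfo=utc),
        description="Pupil progress letter emailed to the wrong parent (constructed example)",
    )
    rec.add(datetime(2019, 12, 2, 9, 30, tzinfo=utc), "Office staff report the misdirected email to the DPO")
    # Deliberately added out of order to show the timeline is sorted on insertion.
    rec.add(datetime(2019, 12, 2, 16, 0, tzinfo=utc), "Parent of the pupil informed of what happened and what was done")
    rec.add(datetime(2019, 12, 2, 10, 15, tzinfo=utc), "Recipient contacted; confirms the email was deleted unread",
            attachments=["recipient-confirmation.eml"])
    rec.add(datetime(2019, 12, 3, 11, 0, tzinfo=utc),
            "Decision: not reportable. Single recipient, deleted unread, low risk to rights and freedoms",
            attachments=["risk-assessment.pdf"])
    rec.report_decision = "do not report"
    rec.closed_at = datetime(2019, 12, 4, 12, 0, tzinfo=utc)
    return rec


def build_late_report_record() -> BreachRecord:
    """Same incident, but reported to the ICO 80 hours after awareness: the record itself shows the miss."""
    rec = build_sample_record()
    rec.report_decision = "report"
    rec.reported_to_ico_at = rec.aware_at + timedelta(hours=80)
    return rec


if __name__ == "__main__":
    rec = build_sample_record()
    print(rec.to_json())
    print(f"{rec.hours_remaining(rec.aware_at + timedelta(hours=50)):.0f} hours left on the clock at +50h")
```

The point of `hours_remaining` and `report_was_late` is that the record answers the question an investigator or claimant's solicitor will ask (when did you know, what did you do, and when) from stored facts rather than from memory. The same structure maps directly onto a database table or a ticketing system; a spreadsheet can hold the fields, but rarely the ordered timeline and attachments together.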

This is where the Sentry system can help