When the new GDPR laws were enforced across the EU 2018, we all set to work to ensure we could meet the new regulations. With schools around the world still teaching and learning online, it’s caused many to focus on data protection in schools and re-evaluate their processes. Schools are now asking the question: how can we make sure we’re still meeting GDPR requirements when using online learning platforms?
When do you need to gather consent?
According to Data Protection guidelines, consent can be covered in your school’s Privacy Statement and Data Protection Policy. As a best practice, these should be shared with students and parents/legal guardians at the beginning of each school year or as soon as a new version has been issued.
You will only need to gather consent from parents when processing special category data, such as biometric, health (including gathering health information to manage Covid in schools) and special personal data. In these instances, they must be clearly informed of the specific use of this data, consent must be given freely, the option to withdraw consent at any time must be provided, and details of all consent should be securely recorded. There are also various types of consent which you may be required to obtain, details of which are featured on the ICO’s website.
Consent must be provided by parents for students under the age of 16 (though in the UK this has been lowered to 13 under the DPA 2018), between 16-18 years old we’d recommend proceeding with dual consent, and from the age of 18 and above students may provide consent.
Checking online platform Ts & Cs
Every online platform should have its own data protection policies and guidelines, which will highlight their approach to processing and storing personal data.
We’ve gathered these from some of the top platforms schools have started using to support them in creating an online learning environment, so you can make sure they fit in with your existing data protection policies:
Zoom
Many schools are using Zoom for a range of online schooling activities, from classroom learning to one-on-ones between students and members of your Wellbeing Team. According to Zoom’s privacy policy, they don’t monitor or store meetings unless you specifically request them to do so. They also have inbuilt functionality that alerts participants via both audio and video when they join meetings if that meeting is being recorded. This gives participants the option to leave the meeting if it’s something they’re uncomfortable with.
If you are recording any meetings, then you may need to obtain consent from your students and/or their legal guardians to do so. Whilst this may not be necessary for larger classes, if you’re having a one-on-one meeting between a teacher and a student then this might be advisable for the protection of both parties.
For more information, you can access Zoom’s full privacy policy here.
Microsoft Teams
Being offered free for schools to use during this time and available to sync with your school’s existing data with Microsoft School Data Sync, Teams is a great way to keep your school community connected throughout closures. There are instances when Microsoft will collect data from you, but this will generally be that of your Administrator rather than your Users and therefore should fit within your existing data protection guidelines. If your school has already been using Azure Active Directory, Office 365 and other Microsoft products, then using Teams shouldn’t require any additional consent to be gathered from your students and/or their parents.
You can access Microsoft’s full privacy statement here.
Google Classroom
Another free service for schools that supports them in moving classroom learning online, Google Classroom aims to boost collaborative learning by helping teachers share assignments and communicative with their students. As Google is audited externally by compliance agencies, you can be confident that their services will meet your data protection, privacy and security standards. However, they also build and operate their own secure servers and platform services which make it easy for your Data Administrators to monitor and manage data security with this platform.
Find out more by visiting Google Classroom’s Privacy & Security Centre.
Moodle
Moodle is used by hundreds of millions of users worldwide as one of the most popular online learning platforms for education providers. In compliance with GDPR requirements, you can request what data Moodle holds on you and how they use it at any time. Additionally, because they are following the latest EU laws and regulations regarding data protection, any processing of your school’s data should also align with your school’s own policies regarding data processing and privacy.
Moodle’s Privacy Notice explains how they use any personal data to create a collaborative learning environment for your school.
What’s the best way to record consent?
Whilst the above platforms may not always require you to gather consent from your students or their parents, there may be instances in which you need to do so. Whilst schools are closed, you’re going to need to do this via a digital platform and preferably one which securely collates and stores consent in a single place – for many, this makes sense to be incorporated into your existing management information system (MIS).
By using an inbuilt Data Protection module, you can use consent registers to accurately capture the consent you need from parents from the very beginning of their journey with your school by integrating this with your admissions process. If your MIS allows for it, you can also then share these directly with students and parents via Portals or other channels; this means that they’re always aware of what they’ve given consent for and it provides them with an easy way of amending this as necessary.
Because your MIS holds significant data from every area of school life, this will also support you with processing Data Subject Access Requests (DSAR). This functionality should enable you to record these requests against a data subject, so you can clearly see the status of the DSAR, the date it was initiated, and any other key information relevant to the onward actions required.
