Coming soon to a cinema near you…
Actually, coming very soon to your organisation! The new General Data Protection Regulations (GDPR) will ‘go live’ on the 25th May 2018. So what are the implications for education? In this post we provide some helpful information on what it actually means to your school, your learners and how to prepare for it. We also start to consider how data rights could be integrated into learning opportunities.
A little bit of background
In 2016 the European Commission agreed that the UK Data Protection Act enshrined in legislation back in 1998 was considerably out of date. It is actually a testament to the DPA writers that it is still used and largely remains in context, the 8 Data Protection Principles underpin all our privacy checks. But times have and are a changin’. The new GDPR has these changes covered and simply aims to protect us all.
What are the key changes?
What else do schools need to do?
There are broad key areas schools are required to demonstrate they have taken action in, simplified as below:
- Awareness, Accountability and Governance. How is Data Privacy part of your school’s digital culture? Have you got checks, guidance in place and is everyone aware?
- Knowledge of all the information you hold, do you have this for all your data?
- Documentation of all the Data Processes you have in place and have the required Data Protection Impact Assessments have been carried out?
- Who is responsible? Who are your Data Protection Officers and Leads?
- Lawful processing, you are only processing data you really need to.
- Communicating rights (aforementioned agreements and consents).
- Individual’s access to their own data.
- How do you manage and report data breaches?
- If you are a school outside of the UK, how do you manage international transfer of data?
The ICO website has really helpful self-assessment questions with further information, links to it at the bottom of this blog post.
If you haven’t already, put this on the agenda at your next Senior Management Team Meeting and start to gather information in the areas above. May 2018 is not far away!
Learners at the Heart of your Digital Learning Strategy
It’s time to review your Acceptable Use Policies, gone are the days of corporate style AUPs only there to protect the organisation’s IT equipment. Why not include rights / data privacy information in your Safe and Responsible Use of Technology Agreements? This presents a well rounded view with learner’s rights at the heart of your approach and a big step forward in your compliance to GDPR. As always, it is preferable to co-create these with your learners in a context and language that is appropriate to them.
Google Education and GDPR
If you are a school using G Suite Education, you will be comforted to know that Google Education has you covered for the use of Google Services and compliance for data processing. Your G Suite Education Administration Console provides links to required certificates for compliance, easy to save to your drive and attach to an overarching GDPR document for your school.
Google Takeout also is a great example to show how learners can take their own content with them when they leave. We’ve highlighted this in an earlier Appsevents blog post here.
However, it is still very much down to you as an organisation to show you have considered all aspects of the GDPR, but if you make a start now you will be well and truly ready when May comes around.
Google Certified Trainer, Admin and Educator
Further Reading and Important Links
Google Education Information on G Suite and GDPR
Google Education Trust and Privacy Center
ICO Info for Organisations
ICO Info on reporting a Data Breach Incident
ICO GDPR Self-Assessment Checklist for Education
ICO Quick Ref Guide Personal and Sensitive Data Definition
ICO Lesson Plans for Data Privacy
AppsEvents: Best Practices on Terminating Student Accounts