Remote learning: considering the GDPR

Data protection won't be your number one concern right now, but you need to make sure you're considering it.

Get your data protection officer (DPO) involved in any plans you make for remote working, and take a look at our tips below for ideas on what to consider.

Introducing a new online service

If you've already got pupils signed up on an online service for learning, there's no need to worry about this. You should have covered this already and can proceed as normal.

If you're introducing a new system, you'll need to consider a few points.

Establish your school's role

• If you're the data controller (i.e. you share personal data with the service and/or receive it back), you'll need to establish a lawful basis - the 'public task' basis should apply for any service necessary for educational purposes, so you won't need to get anyone's consent
• If you're not the data controller (i.e. pupils sign-up themselves and you can't see their work), you can't require pupils to join as they or their parents must consent to it with the service provider - try to think of other learning options that don't involve them having to share data with the service

If you're the data controller, read below.

If you're not, the responsibilities for following data protection law lie with the service so the next part doesn't apply to you.

Steps to take if you're the data controller

• Conduct a data protection impact assessment to identify and minimise risks
• Ensure that the service provides sufficient guarantees it's GDPR-compliant (most services will likely have information on their security measures which should suffice)
• Make sure any contract you agree to is GDPR-compliant
• If the service holds personal data on international servers, check whether you can make this international transfer
• Update your privacy notices to reflect your data sharing with the service
• Share only the personal data that the service needs to work

Staff accessing personal data from home

A large number of your staff will likely access personal data about other staff members and pupils when working remotely, including when managing online learning.

Ideally:

• Staff will be able to access personal data on a secure cloud service, or a server in your IT network that's accessible through a virtual private network (VPN), so they're not keeping any data on their devices
• Devices will be provided by your school, so you can make sure appropriate security arrangements are in place
• You'll have provided data protection training to staff, so they know what steps to take

If you don't have these measures in place right now, don't panic. Just make staff really aware of security issues and make sure they keep their devices safe.

How to make devices secure

Get staff to follow the steps below on the devices they're using, if these aren't in place already.

Lean on your IT staff to help staff with putting these measures into place.

• Keep the device password-protected - strong passwords are at least 8 characters, with a combination of upper and lower-case letters, numbers and special characters (e.g. asterisk or currency symbol)
• Encrypt the hard drive - this means if the device is lost or stolen, no one can access the files stored on the hard drive by attaching it to a new device
• Make sure the device locks if left inactive for a period of time
• Avoid sharing the devices among family or friends
• Install antivirus and anti-spyware software
• Keep operating systems up to date - always install the latest updates

Sharing contact details

You may need to collect or share contact details you didn't need to before, such as email addresses, as part of your online learning system.

Don't worry too much about this - if you're collecting or sharing them as part of your functions as a school, the 'public task' basis would apply and you won't need to seek consent.

However, try to collect and share as little personal data as possible to complete your purpose.