By Mark Orchison, Managing Director, 9ine and Katie Rigg, CIS Head of Safeguarding & Student Well-being
This is the second article in our series on how schools and universities can adapt to new learning environments (read the first one here), prepared in response to the many questions we have received from our members in recent weeks.
Please take from this article what is helpful for your community. These are exceptional and unprecedented times, and you can only do what your resources allow and what you think is best based on the information available to you. We will continue to share information as we all learn more about the benefits and risks of using different learning models.
While this article contains a general summary of the key data protection laws, it is not legal advice. Institutions should tailor the principles in this article to their own unique context and legal framework, consulting with their lawyers if legal advice is required.
A word about GDPR and other equivalent privacy laws
The European GDPR has created a ripple of changes in data protection & privacy law across the world. These laws regulate how your school or university collects, processes, stores and transfers personal data. They also require institutions to have in place policies and structures to record and evidence the ways that institutions comply with the law.
Within an education context, schools and universities collect significant amounts of personal data, including special category data that require additional protection. They also share personal data with other institutions, often in other countries.
All organizations, regardless of location, need to be mindful of data protection and comply with relevant local laws and contract provisions.
Key questions from schools and universities
1. How does the GDPR affect our ability to deliver online learning?
The European General Data Protection Regulation (GDPR) and other equivalent privacy laws should not stop you from delivering education or keeping students safe. These laws do, however, require you to be mindful about how you collect and store personal and sensitive information about your staff, faculty, students and their families. Taking steps to ensure that your online learning platforms comply with the privacy laws in your country will help you to keep this information secure and mitigate any legal and financial exposure.
2. How can we ensure that our online learning platforms comply with data protection requirements and uphold the privacy rights of individuals?
A. Identify the correct lawful purposes:
Online learning platforms invariably collect a variety of personal data in order to connect their users. Online counselling sessions may also involve sensitive or ‘special category’ data being shared.
The GDPR requires institutions to have at least one lawful purpose (a ‘lawful basis’ under Article 6) for processing personal data, and an additional lawful purpose (one of the conditions in Article 9) for processing special category data.
While consent may be appropriate to use for some institutions, care should be taken if consent is being relied upon as a ‘catch-all’ for processing personal data. This is because individuals have the right to withdraw consent to processing at any time, and the withdrawal of consent might prevent institutions from delivering their education services. This could, in turn, cause institutions to breach their contractual obligations to students or their parents.
Institutions should consider whether there is an alternative lawful purpose before relying on consent. For example, it might be appropriate to consider whether the institution has a legitimate interest in maintaining the continuity of education remotely. Note that under the GDPR a public authority cannot rely on legitimate interests for processing carried out in the performance of its public tasks, so state-funded schools and universities may need to rely on the ‘public task’ basis instead.
For fee-paying schools, the lawful purpose for processing personal data for online educational classes and counselling sessions could be, for example, the performance of a contract (i.e. your parent contract). Where special category data is being processed, the additional lawful purpose might be the provision of health care, reasons of substantial public interest or, for more serious cases, vital interests. Vital interests is a narrow condition: under the GDPR it applies only where the individual is physically or legally incapable of giving consent.
B. Make sure the technology platform you use is compliant with the privacy laws in your country, that it is not collecting more personal data than is necessary and is only using that personal data for the purposes agreed upon.
Most online learning models require the assistance of a technology or software platform such as Microsoft Teams, Zoom and Google Meet.
Most of these platforms require, as a minimum, the names and email addresses of the students, teachers and faculty members using the facility. This is necessary for the platform to manage identification, accounts and log-ins. Where possible, individuals should only use institutional email addresses, not personal ones. Additionally, these platforms might use images, audio and/or free-text messaging. Platforms may also collect data via cookies or other online identifiers.
Online platform providers are ‘processors’ under data protection law (the institution remains the ‘controller’), because they process personal and possibly special category data on the institution’s behalf. If you are using a processor for the first time, or have not yet assessed whether it meets the requirements of your data protection law, you must check its level of compliance before you use it. The processor’s terms and conditions of use and privacy policies will help you to do this. Under the GDPR you will also need a written contract or data processing agreement with the processor (Article 28), and you should check where the data will be stored and whether any international transfers are adequately safeguarded.
C. Carry out a risk assessment to weigh up the risks and mitigate any harm associated with carrying out live-streaming and/or recording online sessions.
A written risk assessment can help institutions to weigh up and mitigate different risks. For example, the risk of inappropriate or harmful material being shared on an online platform can be reduced when institutions use platforms that enable them to pre-approve and ban participants from sessions. Other safeguarding and data protection risks can be mitigated by carefully reviewing the platform’s privacy settings and checking that online learning platforms are age-appropriate.
The risks of live-streaming a session might include, for example, the inadvertent disclosure of confidential or inappropriate information. This can be mitigated by educating students, their families and staff/faculty about the location of meetings and general house-keeping rules for using online platforms. For example:
- advising them to use a plain (or virtual) background for meetings so that nothing on screen reveals their home or location
- ensuring there is no personal or sensitive (or special category) data visible during the meeting
- ensuring that cameras (and audio) are disabled when the meeting has concluded.
If institutions wish to record virtual educational meetings, we would suggest that they only do so if they consider it necessary to achieve a specific learning or safeguarding objective, and if they cannot achieve that objective in other ways. Institutions should also consider the risks and benefits of recording as part of their risk assessment. These will include the same issues set out above for live-streaming. Additional considerations include the storage, access, control and retention of the recording.
Resource: Advice on how to live-stream safely: https://learning.nspcc.org.uk/research-resources/schools/e-safety-for-schools/
D. Review and, where necessary, update your data protection and information security policies.
You should ensure that your data protection and information security policies and systems enable you to conduct online classes safely and securely. Where relevant, they should also enable you to store any recordings securely, retaining them for no longer than is necessary.
We would recommend that you keep a separate record of any processing which has been implemented specifically for the purposes of business continuity during the threat of COVID-19. This will allow you to identify the processing activities that you might wish to cease once the threat of the virus has passed.
E. Inform and educate your students, parents or carers and staff/faculty.
You should make sure that your students and, where appropriate, their parents or carers, understand the risks and benefits of online learning. Where recordings are going to be made of some educational sessions, your community should be informed and made aware of this, and of how the recordings will be used. This should include updating your privacy notices so that your community understands the privacy implications of online learning.
Where institutions wish to use online resources for activities outside of the core educational services, they should consider whether they need to obtain consent from students or their parents (depending on the student’s age), in accordance with their internal policies and relevant legal requirements.
Institutions might also find it beneficial to issue guidance on their community’s use of online platforms and processors in order to foster a more holistic approach to their use.
3. How can we keep our community updated about individuals who test positive for COVID-19 without breaching their privacy rights?
You should check and comply with any local regulations. Subject to these, you should not share more personal data than is necessary to protect your community and help prevent the spread of the virus. It may, for example, only be necessary to inform your community that a member of staff or faculty, parent or student has tested positive for the virus, without providing names.
4. When can I share personal information about a student with others?
Your staff/faculty will be bound by the same rules of confidentiality and data protection in virtual environments that they would be in physical learning environments. Staff should only communicate personal information about students on a need-to-know basis where there is a lawful purpose, in accordance with the institution’s safeguarding and data protection policies.
5. What can we do to protect our community from security risks related to remote working?
Schools and universities should be aware that there has been a significant increase in cybersecurity threats to organizations, as attackers seek to take advantage of the disruption, misinformation and remote working resulting from COVID-19. Attackers are targeting institutions through a variety of cyber scams, including phishing emails that impersonate health authorities, government bodies or the institution itself. Find more information here.
Schools and universities should assess the security of their systems and devices to ensure that it is appropriate to the current risks. In particular, check that remote-access and learning-platform accounts are protected by multi-factor authentication, that devices used at home are kept patched and up to date, and that staff, faculty and students know how to recognise and report phishing attempts.
Further Resources
- ICO (UK Supervisory Authority) new guidance on photos in school
- ICO action taken against schools relating to photos
- FAQs: Video conferencing, remote learning & data protection
- Assessing & deploying new platforms for remote learning
- WebApp Compliance Platform for Data Protection & Cyber Security
- Covid-19 Disaster Recovery & Business Continuity Planning
- A self-assessment tool and third-party processor checklist: 9ine has developed this data protection self-assessment toolkit for CIS Accredited Schools. This toolkit includes a checklist of actions that can help you to ensure that your systems comply with data protection principles. Schools that complete the toolkit will also have the opportunity to review their practice with 9ine in the areas of data protection, cybersecurity and internet filtering and monitoring. This Third-Party Processor Assessment Template is available to any CIS member and can be used to evidence your evaluation of third party processors.
Related content:
- Safeguarding implications for online learning
- Managing Ambiguity, a competency to harness now and for the future
- Should we record virtual counselling sessions? And other questions … answered
- Self-awareness and well-being for educators during times of uncertainty
- Realities and solutions to promote online safety, navigate Edtech and protect data
- Child protection
- Data protection
- Student well-being