Data protection considerations for education institutions under current working arrangements

The education sector has faced a number of challenges during the pandemic. Changes have required careful consideration in respect of how students are supported in their education whilst keeping them safe. One of the main areas of law which has had to be considered in the changes made is data protection. Some of the main considerations education institutions have had to take into account and continue to develop are set out below.

1. Remote Learning
   
   Education institutions have further developed remote learning resources for students both during lockdown and for instances where students are self-isolating. Various apps have been utilised as well as live streaming of lessons. Both of which involve processing personal data.
   
   a) Apps for sharing learning and student development
   
   Many education institutions have replaced paper reports and worksheets with a variety of apps where work can be uploaded directly and returned. Some apps allow a student’s development to be recorded and shared with parents. In order to use the apps, personal data of students and /or parents is requested. There has been some confusion whether consent is required for this purpose or whether it can be considered public task.
   
   When introducing any new data processing system, institutions should consider the extent of processing of any personal data and whether the same goal can be achieved without processing all the data. Some apps will permit the school to retain the personal data and give students code names etc hence limiting the personal data being processed. Such apps can be utilised under public task of providing education. However, some apps may require full details of the student and or parents, and institutions should consider the need for such extensive processing and whether it brings additional benefits such as a communication tool. If no other lawful basis for processing the extensive data is appropriate, consent should be considered. This of course brings its own complexities, as some may refuse consent and institutions need to resort back to previous methods of paper learning packs or communicating through emails for parents who may object.
   
   b) Streaming of live lessons or use of live remote meetings
   
   A range of options have been utilised by institutions including virtual video meetings, where all students can be seen in their home unless cameras are switched off, or more recently following the return of students, live streaming of the lesson in class to those who are continuing to learn from home.
   
   Institutions should consider what personal data needs to be processed and balance this with the value obtained by students from the remote lesson. A code of conduct for students and staff has been put in place by many institutions to ensure safe use of live lessons. These have included a dress code, considering what is visible on the camera in terms of background e.g. avoiding photographs or other individuals appearing in the background etc.
   
   In addition, consideration has been given to the benefits of recording live lessons / meetings and if these will be shared with anyone, as well as how these will be stored / accessed. Some staff may also wish to use recorded lessons on their own social media channels. Before agreeing to any of this, the implications under data protection needs to be considered and only where processing of this personal data is absolutely necessary should it be taken forward. Risk assessments should be undertaken and thought given to how personal data can be further minimised, e.g. muting attendees and only focusing the recording on the white board etc.
   
   With regards to virtual meetings or hearings (e.g. complaints or exclusions) where face to face meetings cannot take place at this time, the same considerations need to be given to these as for remote live lessons. Unfortunately, in a remote meeting it is not always possible for attendees to see everyone else who is present and whether any covert recording is being made. Institutions should set out clear rules in respect of any meeting or hearing before it takes place so that all are clear in terms of confirming attendance and no recording to be made without permission etc.


2. Covid-19 Testing
   
   Institutions have had to facilitate the additional processing of personal data, initially in terms of reporting. Following testing in schools, schools were required to report the results for students and staff. Some data breaches have occurred where schools have incorrectly shared the results with the wrong student or parent. This latter element should not be so much an issue where students will be testing at home and uploading their own results.
   
   Institutions need to ensure they are processing the personal data relating to positive cases of Covid-19 in line with the data protection requirements, both when reporting to agencies and when making others in the institution aware if they are required to self-isolated taking care not to name individuals.
   
   
3. Qualification Grading
   
   As institutions are again being asked to grade students for qualifications instead of examinations, consideration should be given to what personal data will be processed for this purpose and the records they will retain for the same. Students may make requests for further information about how grades have been assessed or may make a full subject access request for all of their personal data. Institutions should consider what information they can share and when this can be shared in line with guidance from the Government and Examination Boards. If institutions are aware that they may receive a number of requests they may wish to be proactive on results day and share additional data with students to avoid a flurry of subject access requests during the holiday period or alternatively have a process set out which all staff and students are aware of in terms of how the institution will respond to such requests in a timely manner to permit any challenges to be made.
   
   In addition to the above considerations, institutions should review their data protection policies, privacy notices, and retention and destruction policies to ensure the above matters are taken into account and any further changes they are considering to their practices which involve the processing of personal data.

First published by Times Educational Supplement (TES) in April 2021.

Daljit Kaur is a senior associate in the Education team at law firm Browne Jacobson, and advises schools on a range of matters including data protection.