A primary source of confusion and conflict between schools, EdTech suppliers, and other agencies often lies in defining their exact relationships with each other, and the subsequent relationships with the students, staff, and families involved. It should be straightforward – schools as data controllers, and suppliers as data processors. However, issues persist due to the varying circumstances, as pointed out by the ICO Helpline.
Before we proceed, it’s important to agree on specific terms and definitions, consider different perspectives, and then formulate what we believe should be the standard procedure. This article isn’t intended to be a basic GDPR course, or a step-by-step guide, but rather aims to provoke thought and provide pertinent questions for self-assessment, regardless of your role in the process.
Let’s take a quick look at what the GDPR says are the definitions of key terms.