Recording of Online Lessons
I read, with interest, a discussion on LinkedIn about the recording of lessons being conducted via online teaching. This is not exactly a new discussion. There have been discussions about recording video-conferencing as far back as 2002 that I am aware of (Becta and Becta’s ICT Research Network), and I am sure that there has been more than that. It has also been discussed a fair bit since you will find some guidance around some aspects of safeguarding, and yes … it has areas where different organisations disagree.
NSPCC say that you should talk to parents, carers and children about the benefits and risks (very good) and then talk about getting them to sign their consent. I want to facepalm this, but as some schools might be tempted to use systems that allow the service provider to use the data for their *own* purposes … it might be relevant. Even the LGfL guidance says to check if it is needed. Whether that should happen is a discussion for another day! They have some other good ideas, but don’t really seem to understand how schools work with choosing IT (or should be working).
You can find a range of information about the use of online tools, safeguarding factors on recording and so on. But few of them will talk about the lawful basis other than check if consent is needed. There is a comprehensive article from HCRLaw on the creation and use of recorded materials. But, in the end, the phrase “it depends” will always be raised.
If we go back to the introduction of cameras into classrooms (which can be extremely beneficial for improving learning and teaching, as well as providing resources for those off, etc.), a DPIA would have been completed and that would have involved stakeholder feedback, to raise both privacy concerns and concerns about reuse of the data for other purposes. We know this, but it has occurred on a pretty regular basis, and most decent companies who provide classroom-based camera systems have a raft of guidance to help with this. We also need to remember that recordings of classroom settings usually involve a discussion with staff during that stakeholder feedback about whether access to recordings (and their image/voice) will be within a closed environment that have access control, or will it be publicly published. This also applies to online learning recordings. Staff are data subjects too.
Due to the recent legislation, online learning (well, online teaching in many cases) *is* the new normal and hopefully will be a significant tool even after lockdown and virus-related issues have disappeared.
Making sure the purposes of recording are clear from the outset is vital. What many regards as the three core activities of school life apply.
- The safeguarding and well-being of staff, students and those in the school environment.
- The delivery of the educational curriculum.
- The operation and running of the school.
These can be covered on a range of Lawful Bases, but Public Task covers them all, save where specific laws require a different approach, e.g. biometrics.
Retention periods for that particular the system (e.g. Zoom) would be set out as needed against the purpose and data minimisation principles would mean where a recording, or part of a recording, is needed to be kept for longer due to safeguarding issues, then that data is transferred to the systems managing safeguarding. This also deals with aspects of access control, as well. Whilst this is not exactly raised during the article’s discussion, we have so many systems in so many organisations that are incorrectly used as dumping ground-like … a poor attempt at long term storage. Email, home areas on file servers, that desk draw that you never want to open because it is full of notes or memos or forms that should have been dealt with and added to the correct systems … and online platforms are no different. Data that needs to be stored for a particular purpose, e.g. the recording of safeguarding issues, needs to be kept in *that* system. This means a robust process must be in place for this to be managed. This would also be captured in the DPIA.
We also have to remember that we are looking at technical *and* organisational controls here. The recording of a lesson in some systems can be granular. Using systems that allow for pausing when children will be interacting also helps deal with the long-term risk of children being on the recording, as well as risks around the recording children where there are valid objections (remember schools … it is not about a parent not giving/withdrawing consent!!!)
This changes the lesson’s retention period as a catch-up resource …. and again, that can be stored in a different system with its own retention settings, e.g. within a particular platform such as a media content service rather than on the online teaching solution. Again, robust processes and DPIA come into play here.
I always say if you get three privacy professionals in a room together to discuss something, you will always get four answers … and the only common one will be “it depends!” This is no different when talking about CCTV. It *will* vary from school to school. It has too, and yes, this is the caveat I teased about at the start. When I talk to schools about knowing who you are, it is about making sure schools have a strong understanding of their community, whom they partner with, common issues, who the families are, the area in which the physical building sits. It also depends on the organisation’s risk appetite, operational issues and resources, technical capacity, and much more. I doubt we will get strict agreement from all parties on this one.
This means that keeping things ‘just in case’ should not be considered a separate purpose. It fits in exactly to the thought process for CCTV and Classroom cameras, but tightly controls the retention period.
When we get to Lawful Bases, we will also get differences of opinion. Regardless of what the DfE put into the Data Protection Toolkit for Schools, we need to remember that there is no hierarchy to the Lawful Basis used. It is not Legal Obligations first and so on; it is about the most appropriate Lawful Basis. I tend to look towards Public Task as the most appropriate basis for anything happening within a school, unless directed otherwise. Article 6.1(e) is not only about the performance of a task carried out in the public interest, but also for when they are in the exercise of the official authority vested in the controller. When we consider the repeated changes to guidance or requirements that arise from DfE or other authorities, we need to remember to be equally as flexible. Where a change in requirements could result in significant documentation about the legislative review, it can simply require an update of what guidance or requirements need to be considered and a decision that it makes no effective change to risks or existing processes, should you opt for Public Task. When considering it is more efficient, more likely to support culture change within the organisation as people find it more accessible, and you can still ensure that accountability is at the forefront of the school’s efforts around data protection and privacy. As the school finds data protection and privacy become more embedded, you may find that more specific review can be worth it. Again, we are looking at that caveat again!
One thing I would say, and I have seen it from some privacy professionals dealing with educational institutes, is sometimes you will see there is the use of Legitimate Interest as a Lawful Basis, often where there is the consideration that data may need to be shared with another data controller, or because the main purpose that the data may be needed for (a safeguarding issue) has not happened yet … the ‘just in case’ scenario.
I would say that Legitimate Interest is never applicable in these cases. It has to remain as the same Lawful Basis as the original purpose it is part of … so if it is a safeguarding risk, then the same Lawful Basis would apply, whether it be Legal Obligations or Public Task. Legitimate Interest cannot be used by a public authority in conducting their core activities.
Public authorities can only rely on legitimate interests if they are processing for a legitimate reason other than performing their tasks as a public authority. (https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/legitimate-interests/ 17/02/2021)
So we come back around to the core of the issue. The school needs to make decisions. Not DPOs, but the school. Why are they recording the lesson? What parts of the lesson do they need to record? How long do they need to retain the data against the various purposes? Where do they retain that data, and does it vary depending on the purpose? Are they informing children and parents? Are they informing staff? Is this informing part of the deployment and onboarding? Is it, basically, part of the culture of the school?
I’m in an interesting position at the moment as I am presently working with a software provider of classroom tools, including support for lesson management, lesson delivery, IT asset management and control, safeguarding monitoring and emergency communications.
As part of this, there are options to record what goes on when children are using computers, and yes, that can be made to cover remote teaching/online learning too. As the majority of solutions provided are on-premise, where the schools are both Data Controller and Data Processor, and the software vendor does not get involved. This means that the school has complete management and control over what they do or don’t record. There are possible high-risk areas, if the school do not take the required technical and organisational measures, but these are turned off by default and have to be configured to be used. Security by Design and by Default, and Privacy by Design and by Default. That still doesn’t stop schools rushing in without thinking, and in the same way that recording of lessons needs to be thought about, so does this.
It is important that this issue has been raised and brought about discussion. It is also vital that it has brought challenge and peer-review. This is not something we are necessarily seeing from within the DfE for this program, and so we need to make sure that we, as privacy professionals, help to continue to raise opportunities for discussion. Most of us are here due to the support of others across our careers, and we are also keen to give back.
There are several places to discuss things, and if anyone ever needs a private discussion, then I am happy to chat with you for free. I can’t promise to fix things or give you hours of support, but I am always there as an ear when needed.