The Problem With the EdTech Community is …

Supporting the EdTech Community with By Design and By Default principles

My Data Protection World

Well, there isn’t really a problem. Or rather there are so many little ones that to say there is a problem is like saying coastal erosion is a problem. And knowledge and understanding of this can save you so many headaches and worries.

One thing that is consistent is that due to a lack of clarity, guidance, standards, experience, peer support or simply the ability to read or listen, you will find those that repeat myths or repeat misinterpretations of legislation. These can be seriously damaging but sometimes just come from people having a different perspective or experience, and often done with the best of interests too. These are probably the most difficult areas to address right now and a recent conversation on LinkedIn highlights this.

Have a read of it first … I’ll still be here … see you when you come back.

Now it is worth saying that there are folk out there who, in my years of working with and in EdTech, I’ve had a difference of opinions on how we achieve the same goal, but a healthy agreement that the goal is a good one. Likewise, there have been those I strongly disagree with due to their approach no matter about the goal being the same. Crispin and I float between the two. That said, this does give me a chance to clarify some points that others have also raised in recent months that link with or are the same as some that this discussion has brought forth. Be aware that this is not a definitive answer to everything, does not constitute legal advice and might not be popular when I say it.

1 – No matter what anyone may think about the work on data protection, it seems such a massive, complicated, bureaucratic entity simply because a) the law has had to change to be more explicit, show more accountability and ensure the rights of individuals are understood and b) like many other sectors, schools and EdTech vendors have done very little about data protection and privacy for years.

I am not as long in the tooth as others in the education space, but I’ve been around long enough to see that this has been true for many areas, not just data protection. Some get away with it, others don’t.

Once you understand that the initial kick-off element on understanding how your schools use data and what data it uses, or as an EdTech vendor you understand how your product will use the schools’ data, then you can see that it is a big job only depending on what you have, or haven’t, been doing up to this point.

And being blunt about it, a few years ago I could honestly say that I didn’t know a single school, MAT or LA (remember Scotland deals with this at LA level) that has had it right. Some had been close but no one quite right. It is worth saying that this was representative of so many sectors, so nothing that unexpected.

2 – Several years in and there are hundreds of schools that are doing it right. There are still problems, but they are being addressed and they are getting there. The approach has gone from being a massive process to one that is of review, incorporated into the management of changes, having a more end-user appreciative approach and a greater awareness of responsibility.

But what is this responsibility and where does it sit? Again, the law is clear that the responsibility is shared between the data controller and data processor, but the data controller is the one who makes decisions. The ICO has some good checklists to help and support this but we also need to remember that we should not view data protection/privacy in a silo but as part of what exists across the whole of school life. 

Some get this … and it will be no surprise that these also tend to be schools and MATs that also do well in other areas of governance within their schools, where pastoral support is part of the blended life of children, where there is a strong sense of ownership of the care and growth of the children, staff and the wider community. This is not to say it is without effort, without mistakes or without room for improvement, but these areas are also recognised too and fit into the strategic approach schools take. As you can see though, the emphasis here is around the schools being in control and making decisions.

So where does this leave EdTech Vendors who see themselves as data controllers, as they may say that they decide how it all works, they did the code, they did the design? Think about it this way though. The school has set out the parameters for what they want EdTech tools to do. They want to make sure that the ‘safe’ approach that they hold as a standard across all areas of school life fits in with this. They complete a risk assessment and decide that an EdTech tool is or isn’t suitable for both the educational requirements and the responsibility for keeping data safe.

When you look at it from that position, it is clear that the school is making the decision. If you don’t meet the requirements, you don’t get the job. This is simply a matter of due diligence during procurement. But as mentioned earlier, not all schools do it this way and some who do try, well … they make a meal of it. And this is where you get bureaucracy and red tape and “you can’t do that because of GDPR” … which sounds so familiar … you can’t do X because Y is a common retort on safeguarding and health & safety. It is actually a case of Y says these are the criteria you must apply, so where does X fit within that and what are the risks? And so we get to who decides what those risks are?

3 – When faced with the idea of someone being able to make decisions for you and taking off an administrative burden, most people would be happy with that. I admit that my position has always been, “Well, if someone else is making decisions, what if I don’t agree with them? Is there a baseline that can be pushed past or is this a ceiling you cannot go higher than?” I’ll be even blunter. I have seen too many central approaches that have limited innovation, growth and even generated harm due to the lack of consideration for the fact that schools can be vastly different from one another. I have spent a fair chunk of time in my Educational Technologist career talking about this and trying to stop the stifling of innovation. At times I have pushed on risks being taken and not always appropriately considered, but over time I have learnt where the boundaries can lie, and what to consider when I find them. The late Tom Cooper helped me a lot with this understanding during the hazy days of BSF, my time pushing against Northants County Council and then helping to change their approach, and then across a number of EdTech vendors has continued to embed the idea that one size does not fit all.

In a previous role (Head of Services and Operations at GDPR in Schools) I continued my perennial battle to better understand how Capita’s solutions worked together, to help build some standardised data models that schools could use. I couldn’t get anyone to sign anything off within Capita because they had a certain reality to face. It mattered little what they designed their software to do, once it was installed in the school then the school was both data controller and data processor. Capita only got involved from a support position (if they had the support/training contract) and the school was free to use fields and tools in a whole new way. Some areas were mandated to comply with the school census, but others could be changed around. Markbooks are used for behaviour, not assessment (you could argue that data is data), behaviour used for rewards (you could argue the same) and so on. No central stamp could cater for this. Also, the control and access to this data were completely in the hands of the school too. One might be overly generous with access, others overly rigid. Yes, you could have best practices, but it also depended on the roles and responsibilities of different staff in the school. As a DPO I would then ask a few simple questions of schools on this.

  • Do you check if staff have got access to the information they need to do their job?
  • Do you check if staff have got access to information they don’t need to do their job?
  • How often do you check this?
  • What happens when someone leaves or changes their role?

Some might see this as red tape, but don’t we do the same with keys around the school? Do all staff have access to the Head’s office? To the Business Manager’s office? To the safe? Who has access to the chemical store? The cleaners’ store? Have they had COSHH training? This sort of risk management is nothing new and so data protection falls very easily into here.

4 – At this point, we see that any auditing of suppliers should be part of the due diligence a school undertakes. This covers understanding what they want the EdTech to actually do, the benefits, the training needed to get the most out of it, how it will be made sustainable if there has been a capital cost, how is the effectiveness reviewed … and data protection/privacy is just another aspect of that. I tend to explain it as the risk is a triangle between Safeguarding (including online safety), Data Protection/Privacy and H&S (including mental health), again trying to ensure that it is not a silo.

And there is a lifecycle around this. Plan, Do, Check, Act is the simplest form you can apply and you would not go far wrong with it either. 

When people think about it as 000s of schools auditing SIMS, what you are talking about is schools auditing how they are using SIMS. This happens once and is then topped up on a regular basis, either when there is a major change or as part of an annual review. Once this is settled in, you get to the position of a combination of exception reporting or input from changing strategies. A bit like how we deal with school buildings perhaps? 

But one important aspect of this is whose responsibility is it within the school?

5 – If you ask the same about H&S or Safeguarding you will be told that it is everybody’s responsibility but for many schools, it is not talked about at all. Is this because it is not in place or because it is so embedded that it is part of life? As you can gather, I have seen both sides. The schools where H&S/Safeguarding are not talked about at all because it is not in place have massive issues anyway. Focussing on data protection here is likely to hinder rather than help and for those schools, I tend to just say they need to manage *all* their risks, as well as get in touch with a school improvement partner asap … as well as re-examine what the hell their Governing Body is doing!

For the other type, it has become more common sense. In the same way, a teacher walks into the class and sees children piling tables and chairs into a pyramid to let the more adventurous souls pin a banner to the ceiling, or perhaps a teacher walks into a flooded classroom, we know that these are not good things and appropriate action is needed. A strange person is hanging around the school playground and never seems to pick up a child, that is a red flag there. So what do we do about this sort of common sense for data protection and privacy?

The barrier here is life outside of school. We live in a world where the school is the equivalent (or should be) of a swimming lesson with an experienced and qualified instructor, yet outside of school … that instructor is tombstoning from the end of the pier, being broadcast on social media and stripping off in the process. So many need educating about their own risks before they can look at the risks within the school. Where central standards are emphasised, there can be a lot of pushback about how the state should not try to control the rights of individuals, showing that there can be misunderstandings about the balance of rights and professional responsibilities. I am not going to say what could fix this, but a greater understanding is needed. I would also say that where things are not deemed appropriate then they are dealt with at a school level first, as they are best placed to deal before any escalation.

6 – And this comes back to accountability. In the same way that school trips have risk assessments, then so should other areas. Again, if you had done the same trip, again and again, you are looking for what has changed at the location or what is different about the cohort on the trip. A central standard and check can be applied for certain areas of the trip (food safety checks and so on) and these are akin to things such as ISO27001/27701/9001 and so on. There is not a fixed standard for Data Protection in EdTech (yet) and the closest we have is the burgeoning work through the Digital Futures Commission, and expertise they are drawing in. 

 Working with those in EdTech who are keen to better understand, and better explain, how data is being used was a major step for me a year ago. We still face many battles, and sometimes the stigma that a trading company processing data is automatically bad, but others doing it will be automatically good, whether academic research or even the schools themselves! I wish it was so cut and dried.
