Why EdTech Suppliers need to engage with ICO and with Schools

With the forthcoming evolution of the Data Protection Regulation across Europe, EdTech within the UK faces an interesting period of engagement with schools. The updated regulation, the General Data Protection Regulation (GDPR), is being brought into force in the UK under an updated Data Protection Bill, which started its progress through Parliament on 13 September.

While the Bill puts in place the requirements based on GDPR, it has a few areas that are specific to the UK (where discretion is given to Member States), including setting the age of consent for children using Internet Society Services (set at 13 compared to the GDPR suggested 16), a system for authorising certification providers (much needed) and putting in safeguards around processing for research, archiving and statistical purposes.

It also puts in place all the additional requirements set out by GDPR on the rights of data subjects, the requirements of data controllers and data processors. In short, it fixes and improves a lot of areas of the Data Protection Act 1998.

For EdTech suppliers this will mean a change in our approach with schools. Schools, as public bodies, will see an increase in what they are required to do. While many schools have had good data protection practices, having embedded the advice from Becta as well as the regular updates from the ICO, there are still many that need additional support and advice. EdTech suppliers are uniquely placed to use the change to show how customer-focussed they can be, not just because they are forced to but because UK EdTech suppliers have a strong history of engagement with schools. In fact, many of us have been raising awareness by running sessions with schools, LAs, MATs, Governors and with specific groups such as Heads, Bursars / Business Managers, IT Support leads, etc., and that is slowly making a difference.

Schools will be asking important questions over the coming months, mainly because they are preparing for the questions that parents and learners will be asking them. We should all be prepared for them.

• What data are you processing?
• Why?
• Do you delete it?
• When?
• Where is it stored?
• How is it secured?
• Can we turn some of it off?
• What do I say to parents and learners?

The list could go on, but a lot of the answers will be in the form of an update to the contract / T&Cs schools have with suppliers.

The ICO released a consultation on the draft guidance on contracts and liabilities between data controllers and data processors. It is essential that we all take an opportunity to review this and feedback to the ICO. We need to ensure that we are happy with the guidance, that it can be translated to a clear message for schools and that it allows enough flexibility for us to work within the boundaries of GDPR.

At GDPR in Schools, we are working with EdTech suppliers to get part of this message across to schools. We take the data maps that you will be producing as part of your audit of what data you have, why you process it, etc. and provide schools with a central portal that they can access it from while they perform their data audits. Along with other tools, we will be helping schools gain compliance and continue to record their activities as they maintain it. As EdTech suppliers, we are all beholden on supporting schools with this activity and we hope that you will join us to collectively support schools.