Contents
- What you need to do to approve IRIS Connect
- Select and document your lawful basis
- Data Minimisation/Offering an opt-out
- Review your Privacy Notice and update if necessary
- Complete a DPIA
What you need to do to approve IRIS Connect
Schools with trainees on the Training Programme must appoint someone as the IRIS Connect Lead for their school; this person will sign the Data Processing Agreement with IRIS Connect (this is separate from the Teach First School Partnership Agreement).
This person will receive an invite from IRIS Connect as the school year approaches, the individual will need to login to IRIS Connect and confirm the trainee’s user account creation and programme enrollment for their users. For further guidance on these steps within IRIS, please view the what I need to do article.
The IRIS Connect Lead acts as the Organisation Administrator (who must be a senior member of staff) that manages the Organisation’s compliance with the Data Processing Agreement and is responsible for making day to day decisions about the management of user accounts, recorded data, permissioning collaboration groups, data sharing and the monitoring of data recorded by your Organisation including the review of any flagged content.
If the school doesn’t complete the enrollment approval process on the IRIS Connect platform the Trainees and Mentors will not be able to make full use of the platform's functionality until this is accepted. This includes:
- Not being able to share recordings with their colleagues at the school
- Only being able to record with the anonymisation filter (a black and white filter applied to the whole video to hide all data subjects identities). This filter can impact on the quality of reflection and feedback that can be provided as it reduces the viewers ability to discern the full activities, behaviours and learning taking place within the lesson.
Select and document your lawful basis
A requirement of GDPR is that before collecting and processing personal data is that you must have a valid lawful basis. There are six available lawful bases for processing. No single basis is ’better’ or more important than the others. Further information from the ICO can be found here
Whilst many schools initially assume that consent is required for recording lessons it is not necessarily the most appropriate lawful basis. The ICO advises when selecting a lawful basis:
“Take care to get it right first time - you should not swap to a different lawful basis at a later date without good reason. In particular, you cannot usually swap from consent to a different basis.”
The 'public task' lawful basis means you can use personal data when it's needed to do something that's in the public interest or part of your official duties. For schools, this includes work like training new teachers and helping staff develop professionally.
The Teachers standards, which have statutory force and explicitly covers "all trainees working towards QTS, and all those completing their statutory induction period." explicitly state that: "Appropriate self- evaluation, reflection and professional development activity is critical to improving teachers’ practice at all career stages. The standards set out clearly the key areas in which a teacher should be able to assess his or her own practice, and receive feedback from colleagues.".
If you have any questions or concerns regarding your GDPR compliance or anything to do with the use of IRIS Connect feel free to contact IRIS Connect directly at support@irisconnect.co.uk who will be able to assist you. Additionally you will want to work with your school Data Protection Officer (DPO)
Data Minimisation/Offering an opt-out
If using Public Task as the lawful basis for the recording then
Trainees, mentors, and involved pupils/staff do not have a right to opt-out, unless another legal issue (e.g. safeguarding or wellbeing) overrides it.
While an opt-out isn’t required:
- It’s still good practice to handle objections sensitively.
- If individuals strongly object, schools should consider reasonable accommodations where possible (especially if students are involved).
There are some strategies to accommodate individuals who have opted out of being recorded whilst still being able to record the lesson.
3) Edit feature
Review your Privacy Notice and update if necessary
If your school’s Privacy Notice doesn’t already cover the use of video recordings for professional development purposes then you will need to update your Privacy Notice.
Even if it does, you should still review it to ensure it covers the following information:
| The categories of pupil information that we process include: | Images, audio and video recordings. |
| Why we collect and use pupil information |
To support pupil learning through the professional development of our teachers.
|
| How we collect pupil information | Video and audio recordings. |
| Who we share pupil information with | Recordings will be shared with Teach First Mentors and Development Leads |
| Why we share pupil information | Recordings are shared with Teach First so that the trainees can benefit from mentoring, coaching and professional feedback to aid their training and development. |
| Where the data is stored | The videos are captured, stored and shared within the IRIS Connect system which is a secure, dedicated professional development system. Further information can be found here. |
| How long the data is stored | The data is stored in line with our organisations Data Retention Policy/[School lead to add duration] |
| The basis is the data collected | The lawful basis that the data is being collected is Public Task [School lead to edit as required, depending on what was decided as per here] |
Further information can be found here
Updating Stakeholders
When changes are made to a Privacy Notice, the Information Commissioner's Office (ICO) advises that organizations must proactively bring changes to individuals' attention. This means taking reasonable steps to ensure that those affected are made aware of the updates.
Your school likely already has a process in place for notifying parents and guardians of Privacy notice changes so we recommend that you follow that.
Complete a DPIA
A DPIA is a Data Protection Impact Assessment. The ICO outlines the criteria for whether you need to conduct a DPIA which you can review here.
They also provide a screening and process checklist here
Even if you determine that a DPIA is not legally required, it's considered good practice to do a lightweight DPIA or at a minimum record your reasoning that a DPIA is not required. This shows due diligence if questions arise later from staff, parents, or the ICO.
You can find an example prepopulated DPIA completed by IRIS Connect here.