The ICO also recommends that you complete a DPIA if you plan to use new technologies so it would be good practice to create one for the use of IRIS Connect.
The ICO has a template for this document if you do not already have one.
We have also completed a template DPIA that you may wish to use for reference when completing your DPIA. You can download it here or view it below.
Risk profiling and mitigation measures may vary from school to school so these have been left blank.
Contents of this article:
- Screening Questions
- Data Protection Impact Assessment:
- Section 1: Describe the nature of the processing:
- Section 2: Assess Necessity and Proportionality
- Section 3: Special Category
- Section 4: Lawfulness of the Processing
- Section 5: Secondary Uses of Data
- Section 6: Rights of the Data Subject
- Section 7: Accuracy and Currency of personal data as a safeguard
- Section 8: Third Parties and Commercial Partners
- Section 9: Security Measures
- Section 10: Retention of Personal Data
- Section 11: International Transfers of Personal Data
- Section 12: Consultation Process
- Section 13: Documentation
- Section B: Identification and Assessment of Risk:
- Section C: Identification of Measures to Mitigate Risks outlined in Section B
- Section D: Risk Assessment Matrix
Screening Questions
Answering “Yes” to any of the following screening questions represents a potential Information Governance risk factor that will have to be further analysed to ensure those risks are identified, assessed and mitigated through a Data Protection Impact Assessment (DPIA) (For further guidance on the questions below, please click here):
Question | Category | Screening Question | Yes | No |
#1 | Systematic and Extensive Profiling with Significant Effects | Will the service/project use systematic and extensive profiling or automated decision-making to make significant decisions about people? | ☒ | ☒ |
#2 | Large Scale Use of Sensitive Personal Data | Will the service/project process special category data or criminal offence data on a large scale? | ☐ | ☒ |
#3 | Public Monitoring | Will the service/project systematically monitor a publicly accessible place on a large scale? | ☐ | ☒ |
#4 | New Technologies | Will the service/project use new technologies? | ☐ | ☒ |
#5 | Denial of Service | Will the service/project use profiling, automated decision-making or special category data to help make decisions on someone’s access to a service, opportunity or benefit? | ☐ | ☒ |
#6 | Large-scale Profiling | Will the service/project carry out profiling on a large scale? | ☐ | ☒ |
#7 | Biometrics | Will the service/project process biometric data? | ☐ | ☒ |
#8 | Genetics | Will the service/project process genetic data? | ☐ | ☒ |
#9 | Data Matching | Will the service/project combine, compare or match data from multiple sources? | ☐ | ☒ |
#10 | Invisible Processing | Will the service/project process personal data without providing a privacy notice directly to the individual? | ☐ | ☒ |
#11 | Tracking | Will the service/project process personal data in a way which involves tracking individuals’ online or offline location or behaviour? | ☐ | ☒ |
#12 | Targeting of Children or Other Vulnerable Individuals | Will the service/project process children’s personal data for profiling or automated decision-making or for marketing purposes, or offer online services directly to them? | ☐ | ☒ |
#13 | Risk of Harm | Will the service/project process personal data which could result in a risk of harm in the event of a security breach? | ☐ | ☒ |
#14 | Location of Processing | Will the processing of personal data take place in a country outside of the UK? | ☒ | ☐ |
#14.1 | Location of Processing | If you have selected ‘Yes’ above, where? | Dublin, Ireland |
Summarise why you identified the need for a full DPIA, or provide your reasons for not completing a full DPIA. |
The school wants to implement IRIS Connect, a secure system which enables teachers to record lesson footage and upload it to a digital platform with role-based log-in. Once uploaded, teachers may choose to selectively share their videos with other teachers within the school or between schools when given permission by their Data Protection Officers. Platform tools enable collaborating professionals to analyse the videos in a way which is aligned with high-quality professional development. Teachers may use platform tools to analyse the impact their teaching practices have on learners, and to provide each other with high-quality feedback and examples of outstanding teaching. Over time the system supports teachers to refine their practices reflectively and collaboratively, thereby improving as teachers. This data processing has a number of risk considerations which must be taken into account:
1. Evaluation or scoring
The IRIS Connect system contains tools which enable the analysis of classroom activities and behaviours such that the teacher can quantitatively refine their classroom practice to improve learning outcomes.
2. Systematic monitoring
While the IRIS Connect system does not operate in an “always on” state and requires an elective act to record practice in one locality for a predefined time, the classroom is a dynamic and quasi-public environment.
3. Data processed on a large scale
A high proportion of the school population is likely to be subject to some level of data processing.
4. Matching or combining datasets
The IRIS Connect system allows DPOs from different organisations to define terms for selective sharing of video data to enable inter-school collaboration and professional development programmes.
5. Data concerning vulnerable data subjects
Teachers are employees of the school and, given the power imbalance, are vulnerable subjects for the purpose of the GDPR. Students may be below the age where they can be considered able to knowingly and thoughtfully oppose or consent to the processing of their data.
6. Innovative use or applying new technological or organisational solutions
While digital video platforms are becoming mainstream for teacher professional development (around 30% of secondary schools use one form or another), the system is new to the school and therefore may be considered an innovative organisational solution. |
Data Protection Impact Assessment
Section 1: Describe the nature of the processing |
|||||
How will you collect, use, store and delete data? What is the source of the data? Will you be sharing data with anyone? You might find it useful to refer to a flow diagram or other way of describing data flows. What types of processing identified as likely high-risk are involved? |
|||||
Data Collection: Video data is collected via the dedicated IRIS Connect ‘Record’ mobile application which encrypts the video locally and automatically uploads to the user’s account on the IRIS Connect servers. All data in transit is encrypted. Once the upload is completed the video is automatically deleted from the local device. For further information about the Record app - see here
Data Access: Data is accessed via the IRIS Connect platform. This is a highly secure closed system which operates role-based login and privacy by design. Once the video is uploaded only the teacher who recorded the video has full access to it. Further information about the IRIS Connect security measures and controls can be found here
The teacher has control of the deletion and sharing of the video. Sharing between users of the same organisation is enabled by default. By mutual agreement DPOs at different locations may vary this scope to enable sharing between users at their organisations under the auspices of a separate data-sharing agreement.
Downloading of video is disabled by default. Further information about IRIS Connect’s approach to downloading can be found here
Sharing can only take place via the IRIS Connect web platform via user accounts. If user A shares a video with user B, user B does not have the ability to share or download the video. Further information regarding sharing can be found here.
IRIS Connect operates strict controls over who may access data and protocols for gaining permission from clients if access is required. SARs can be managed through the videos being tagged automatically by date and the user who recorded it. Additional data of title and tagging is recommended to be added by the user post-recording.
Administration: The following users will be set up as system administrators: 1) 2) 3) Administrators have access to thumbnail images drawn from the videos uploaded so that they can see a basic preview of the content to ensure that all video uploaded is appropriate. Further information regarding the roles and responsibilities of administrators can be found here.
Data Compliance and Safeguarding: Appropriateness will be based upon the videos meeting the purpose of the data processing (teacher professional development) and on whether any safeguarding needs are being met. Thumbnails provide a general overview of a video to highlight any obviously inappropriate content. When reviewing the thumbnails, if the admin has any concern about the content and appropriateness of the recording, they can request full access via the feature within the platform. The admin can also delete any video from this interface.
Further information regarding the safeguarding features of the system can be found here.
Personal Data: Personal data that will be captured within the IRIS Connect system includes: 1) User account information: User’s avatar (profile picture), email address/username, first name and second name 2) Video data: Classroom recordings will include the faces and voices of anyone present within the room, both teachers and pupils.
Video will be gathered with full knowledge of data subjects. This will be made clear to the pupils by the teacher conducting the recording and through the school's privacy policy.
|
|||||
Is this a change to an existing process? | |||||
☐ Yes | ☒ No | ||||
Describe the scope of the processing: Thinking about the proposed processing of personal data, describe the flows of personal data, i.e., where it is first collected, where it is used, how it is used, where it is shared, how it is stored and when it is deleted. |
|||||
Collection of data: The nature of the data collection is video of classrooms, learners and teachers. The video may be anonymised via the use of the IRIS Connect cartoonization feature. If the video is not anonymised, learners' appearance will be apparent.
The anonymisation feature will be off by default, however, the school may decide to utilise this feature for particular needs such as with data subjects who require additional safeguarding, or when sharing data outside of the school.
Additionally, if the teacher refers to the student by name, the video may include the name and appearance of a data subject.
The school plans to enable each teacher to use the system at least once per term. Therefore we envisage 90 recordings of an average duration of 1 hour. So 90 hours per year.
The recording start and end times are controlled by the individual user. Recordings can range from a few minutes to full lessons.
All members of school staff and all pupils are potentially subject to data processing within the IRIS Connect system.
IRIS Connect recordings will be exclusively restricted to learning environments on the school site. The devices used for video capture are mobile devices that can record sections of a classroom (less than 180 degrees); however, dual-view recordings with two devices used at the same time may be used.
The aim of the recording is to capture as much of the classroom environment as possible. Both staff and students will be recorded in the video so that the system can provide a high-quality professional development experience to the teacher. It is understood that the personal data of both staff and students will be processed by the system.
Use of data: Only a small proportion of this data is likely to be shared between users and an even smaller fraction is shared via inter-school collaboration.
Within the IRIS Connect platform, users can share with other users within their organisation, who also have an IRIS Connect account. Sharing can only take place via the platform.
The platform supports collaboration with other users from other organisations. This must be requested and then approved by the organisation’s administrators. Further information regarding sharing can be found here.
IRIS Connect operates strict controls over who may access data and protocols for gaining permission from clients if access is required.
Storage of data: Data will be stored with the IRIS Connect platform for the entirety of its lifecycle. Any requirements to export outside of the platform must be approved by the administrator and enabled by IRIS Connect.
Data Retention/Deletion of data: Video is deleted by the user when no longer required or by the school in line with its data retention policy or by IRIS Connect in line with its data retention policy.
The school will keep the data whilst it is still needed for teacher professional development. The school will delete data when:
- it is no longer useful for the teacher’s professional development. This will be managed by the individual users, who will review their recordings annually. This will be communicated to the users via the DPO.
- the teacher leaves the school. This will be managed by the administrator.
Many videos will cease to be useful after an initial round of review and collaboration and will be deleted. A small percentage may prove to be a good example of a particular strategy or technique and may be retained for extended periods of time. These will be reviewed every 3 years to ensure they are still useful. |
|||||
Describe the context of the processing: what is the nature of your relationship with the individuals? How much control will they have? Would they expect you to use their data in this way? Do they include children or other vulnerable groups? Are there prior concerns over this type of processing or security flaws? Is it novel in any way? What is the current state of technology in this area? Are there any current issues of public concern that you should factor in? Are you signed up to any approved code of conduct or certification scheme (once any have been approved)? |
|||||
School teachers are employees who may feel vulnerable to the use of video. Teaching unions have previously raised concerns about schools using video to place their teachers under surveillance. The use of IRIS Connect is purely for the purpose of professional development and the school is committed to only using it for this purpose on an opt-in basis, as per the agreement between the ACSL and ATL on the use of IRIS Connect. There has always been a degree of concern within society pertaining to the collection of video data which includes minors; however, once the purpose, scope and security measures are explained, this tends to lead to very low levels of objection. Pupils and parents will be informed by our privacy notice and will have the right to object to the data processing. There are no known security flaws in the IRIS Connect system, which has operated for over a decade without incident. The IRIS Connect system is a mature platform which is well-supported and has a high level of compliance with data security best practices.
|
|||||
Is what you are proposing to do part of a project? |
|||||
☒ No, this is separate from any project. | |||||
☐ Yes, it is part of the [project name] project. | |||||
How many individuals’ personal data will be involved? | |||||
All staff within the school; all pupils within the school |
|||||
How many people will have access, or already have access, to the personal data? (i.e., data subjects themselves, Council staff, third party organisation etc.) | |||||
All staff within the school | |||||
Where does the personal data come from, i.e., from data subjects themselves, multiple sources or other organisations? | |||||
Data comes from data subjects
|
Section 2: Assess Necessity and Proportionality |
|||||
This section helps you assess the “necessity and proportionality” of the processing of personal data. |
|||||
2.1. | Have you considered any other methods to achieve your purpose that are less privacy-intrusive? (For example, collecting fewer personal data items or using a different method entirely that perhaps doesn’t use personal data). | ||||
☒ Yes | ☐ No | ||||
2.1.1. | Explain your answer to 2.1. | ||||
The only alternative to video-based observation and professional development is in-person observation and monitoring. The limitations of this, covering time, ineffectiveness, and lack of scalability, lead to video being deemed the only effective approach for professional development, both in terms of cost and results. |
|||||
2.2. | Will all data items that you collect (see Section 3 below) serve a specific, justifiable purpose? | ||||
☒ Yes | ☐ No | ||||
2.1.2. | Explain your answer to 2.2. Describe the purposes of the processing: what do you want to achieve? What is the intended effect on individuals? What are the benefits of the processing – for you, and more broadly? | ||||
Significant educational research shows that teacher quality and therefore the quality of the professional development is the single largest controllable factor affecting educational outcomes for children. Consequently, there are multiple statutory requirements for school staff to engage and promote professional learning within and between schools. Yet, such obligations are hard to achieve given the barriers of time, distance and money. These barriers are overcome with digital video and digital collaboration technology. By removing the barriers to effective professional learning, we will engage more teachers more frequently with high-leverage professional learning interactions such as reflecting upon their teaching, analysing and refining their impact on learning, seeing examples of high-quality teaching and giving and receiving high-quality contextualized feedback. 95% of teachers using IRIS Connect report improved classroom practice. Our objective is to achieve these same outcomes within the school and thereby improve outcomes for learners. Better outcomes for learners will result in significant and broad societal benefits.
Supporting pupil learning through the training of teaching staff is required to perform our statutory function. Specific statutory requirements worth noting are the Teachers’ Standards:
The standards state that: Appropriate self evaluation, reflection and professional development activity is critical to improving teachers’ practice at all career stages. The standards set out clearly the key areas in which a teacher should be able to assess his or her own practice, and receive feedback from colleagues. And that teachers should:
Additionally, as referred to in the Teachers standards, the statutory guidance on School teachers pay and conditions specifically points out that it is the professional responsibility of Headteachers to:
And for all teachers to:
Why is the use of video necessary to achieve these objectives?
We therefore deem it justifiable to collect the data items listed in this document.
|
|||||
2.3. | How will you intend to prevent or manage function creep? (For example, if it is established that additional personal data will be required, who will you report this to, how will you consider this?) | ||||
Function creep will be avoided through our commitment to the use of IRIS Connect solely for the use of professional development.
This is a requirement of the IRIS Connect system and stated within the DPA:
4.4 Management of Use: The IRIS Connect system is for professional development, educational research and learning development, consequently, you agree: 4.4.1 To ensure that the use of the system is aligned with the stated purpose and that the system is not used for surveillance of staff or learners
Users will be made aware of this during their IRIS Connect training and a communication will be sent out to all staff from the DPO.
Additionally, we will maintain an ongoing open-door policy for staff to be able to report use of the system which is not aligned with the purpose.
|
|||||
2.4. | How will you ensure that the data you collect is accurate and minimised to what is necessary? | ||||
Data Retention: Data will be minimised to what is necessary by ensuring the users only record and retain what is useful for their professional development. This will be managed by the individual users, who will review their recordings annually. This will be communicated to the users via the DPO and added to the school’s data retention policy. Additionally, data will be deleted when the teacher leaves the school. This will be managed by the administrator.
Reporting: We will have a clear procedure for users to be able to report inaccurate data, which will be communicated by the DPO.
Minimisation tools: IRIS Connect has several tools that help users achieve data minimisation, such as editing and anonymisation. See these articles on data capture and data retention.
Quality of Video Data: IRIS Connect ensures that the video data is of high quality and clearly captures the necessary details, sufficient to fulfil the purpose of the data processing. This involves having good resolution, good quality microphones and tripods to aid the recording quality and to avoid misinterpretation. Videos can be easily edited within the platform if any discrepancies are identified. Please see here for editing information.
Metadata Accuracy: Users will be instructed to ensure that the metadata associated with the video data, such as title, comments and tags, are accurate. These elements can be easily edited within the platform if any discrepancies are identified.
Data Storage and Handling: Using the IRIS Connect system for storage will ensure the data is robustly and securely stored to prevent data corruption or loss. Regular backups and data integrity checks are part of IRIS Connect’s security measures and controls.
User Training: We will ensure that staff who will use the IRIS Connect system are trained in proper procedures to ensure consistency and accuracy in recording and processing the data.
|
|||||
2.5. | Consider how to consult with relevant stakeholders: describe when and how you will seek individuals’ views – or justify why it’s not appropriate to do so. Who else do you need to involve within your organisation? Do you need to ask your processors to assist? Do you plan to consult information security experts, or any other experts? | ||||
We will operate a multi-faceted stakeholder engagement and consultation. We will actively inform parents and learners of the programme, including the purpose, and provide them with clear mechanisms to ask questions and object to processing. We will engage teachers in an extensive programme of orientation and induction facilitated by an onsite launch event which makes clear the system’s privacy-by-design model, as well as their rights and obligations in the use of the system. We will clearly signpost that the use of the system is on an opt-in basis. We will engage our network manager in a review of the IRIS Connect system to ensure that it is compatible with our network and does not present a security risk. |
Section 3: Special Category |
|||||
This section considers the special characteristics of the personal data that could be processed. The law establishes that certain types of personal data present greater degrees of risk than others, and as a consequence have to be treated differently. |
|||||
Please identify whether the personal data will include any of the following categories: | |||||
3.1. | Category: | Yes | No | ||
3.1.1. | Name (Teacher only. Needed for the user account) | ☐ | ☐ | ||
3.1.2. | Address (home or business) | ☐ | ☒ | ||
3.1.3. | Identifying Number (WCCIS) | ☐ | ☒ | ||
3.1.4. | Email Address (Teacher only. Needed for the user account) | ☒ | ☐ | ||
3.1.5. | Date of Birth | ☐ | ☒ | ||
3.1.6. | Employee Number | ☐ | ☒ | ||
3.1.7. | Driving Licences | ☐ | ☒ | ||
3.1.8. | IP Address | ☐ | ☒ | ||
3.1.9. | Financial Information | ☐ | ☒ | ||
If “Yes”, does this include credit card info? | ☐ | ☐ | ||
If “Yes” to 2.1.9., please provide additional details about all financial information collected/processed: | |||||
3.2. | Special Category Data (sensitive personal data): | ||||
3.2.1 | Information about the racial background of an individual(s) | ☐ | ☒ | ||
If “Yes”, please provide additional details about the personal data: | |||||
It is understood that within the video footage, there may be incidental capture of certain characteristics of an individual, such as their racial or ethnic origin. However, the incidental capture of certain characteristics, without the intent to deduce or process special category data, is not considered as processing special category data under GDPR, as per the European Data Protection Board guidelines on the processing of personal data through video devices.
Section 5 of the guidelines explicitly states that the use of video is “Not always considered to be processing of special categories of personal data”, providing the following example: “Example: Video footage showing a data subject wearing glasses or using a wheelchair are not per se considered to be special categories of personal data.”
The clear distinction in the guidelines is “if the video footage is processed to deduce special categories of data”. The guidelines go on to provide the example for the collection of biometric data: “video footage of an individual cannot however in itself be considered as biometric data under Article 9, if it has not been specifically technically processed in order to contribute to the identification of an individual. In order for it to be considered as processing of special categories of personal data (Article 9) it requires that biometric data is processed ‘for the purpose of uniquely identifying a natural person’.” It goes on to quote GDPR Recital 51, saying that “processing of photographs should not systematically be considered to be processing of special categories of personal data as they are covered by the definition of biometric data only when processed through a specific technical means allowing the unique identification or authentication of a natural person”.
It is very clear that any incidental data within the video footage relating to a person’s characteristics is not required to be considered special category data if that is not the purpose of the recording. It is very clear that the use of this system is for the teacher’s professional development and not for the recording and processing of any particular characteristic or identity of any natural person.
Further information from the European Data Protection Board can be found here. |
|||||
3.2.2 | Information about the ethnicity of an individual(s) | ☐ | ☒ | ||
If “Yes”, please provide additional details about the personal data: | |||||
3.2.3 | Information about the physical or mental health of an individual(s) | ☐ | ☒ | ||
If “Yes”, please provide additional detail about the personal data: | |||||
3.2.4 | Information about the religion or philosophical beliefs of an individual(s) | ☐ | ☒ | ||
If “Yes”, please provide additional details about the personal data: | |||||
3.2.5 | Information about the sexuality of an individual(s) | ☐ | ☒ | ||
If “Yes”, please provide additional details about the personal data: | |||||
3.2.6 | Information about the political views of an individual / individuals | ☐ | ☒ | ||
If “Yes”, please provide additional details about the personal data: | |||||
3.2.7 | Information about the Trade Union membership of an individual / individuals | ☐ | ☒ | ||
If “Yes”, please provide additional details about the personal data: | |||||
3.2.8 | Genetic information of an individual / individuals | ☐ | ☒ | ||
If “Yes”, please provide additional details about the personal data: | |||||
3.2.9 | Biometric data of an individual / individuals | ☐ | ☒ | ||
If “Yes”, please provide additional details about the personal data: | |||||
3.2.10 | Information about the criminal offences or conviction(s) of an individual / individuals (including alleged offences or convictions). | ☐ | ☒ | ||
If “Yes”, please provide additional details about the personal data: |
Section 4: Lawfulness of the Processing |
|||||
In order to assess the level of risk associated with the personal data and its proposed use, it is necessary to look to the justification for processing. |
|||||
On what basis will the personal data be processed? Tick all relevant conditions below.
For information on the Lawful Bases set out below, click here.
Please note that if you have identified that the processing will involve special category data (2.2) above, then additional conditions for processing detailed in 3.7. – 3.16. will need to be identified.
For more information on the lawful bases for processing special category personal data, click here. |
|||||
4.1. | Processing is necessary for the performance of a contract between the Council and the individual / individuals whose data is being processed. | ☐ | |||
4.2. | Processing is necessary for compliance with a legal obligation. If so, what legislation places this obligation on the Council? | ☐ | |||
4.3. | Processing is necessary in order to protect the vital interests of the individual or individuals whose data is being processed. | ☐ | |||
4.4. | Processing is necessary for the performance of a public task. | ☒ | |||
What legislation supports the public task being carried out? Does the processing actually achieve your purpose? Is there another way to achieve the same outcome? How will you prevent function creep? How will you ensure data quality and data minimisation? What information will you give individuals? How will you help to support their rights? What measures do you take to ensure processors comply? How do you safeguard any international transfers?
Answer below: |
|||||
We have selected public task as the basis for lawful processing for the following reasons: Supporting pupil learning through the training of teaching staff is required to perform our statutory function. Specific statutory requirements worth noting are the Teachers’ Standards: The standards themselves (part 1 and part 2) have statutory force (under regulation 6(8)(a) of the Education (School Teachers’ Appraisal) (England) Regulations 2012). They are issued by law; you must follow them unless there’s a good reason not to. The standards state that: Appropriate self evaluation, reflection and professional development activity is critical to improving teachers’ practice at all career stages. The standards set out clearly the key areas in which a teacher should be able to assess his or her own practice, and receive feedback from colleagues. And that teachers should:
Additionally, as referred to in the Teachers’ Standards, the statutory guidance on School teachers pay and conditions specifically points out that it is the professional responsibility of Headteachers to:
- 46.8. Lead, manage and develop the staff, including appraising and managing performance.
- 46.14. Promote the participation of staff in relevant continuing professional development.
- 46.18. Collaborate and work with colleagues and other relevant professionals within and beyond the school including relevant external agencies and bodies.
And for all teachers to:
- 50.14. Participate in arrangements for their own further training and professional development and, where appropriate, that of other teachers and support staff including induction.
- 50.16. Collaborate and work with colleagues and other relevant professionals within and beyond the school.
Is there another way to achieve your objectives: Teacher reflection (central to the teaching standards) is virtually impossible to achieve meaningfully without the use of video. To provide teachers with the same frequency of high-impact professional learning interactions would be impossible for the school through other means. The process of experiencing high-quality teaching and giving and receiving high-quality feedback, in the absence of video collaboration, would require in-person lesson observation. In-person lesson observation represents a subjective one-off experience, with no record for analysis and discussion post event. This leads to low-quality professional discussion with lower impact upon professional practice. Additionally, in-person observation requires another professional to be available to provide the physical observation and debrief process. Within a busy school environment this will entail significant additional cost for the school, as we would have to employ more cover staff to free up the observer.
The process of providing high-quality examples of teaching practices is even more difficult to achieve through other means. It is difficult to know when it would occur, so you would have little control of whether the observing teacher would get the experience they would need from their observation. Furthermore, the school would like all staff to have a shared understanding of what a high-quality practice looks like. It is physically impossible to fit the entire teaching staff in a single classroom on the off chance a particular high strategy will be demonstrated with sufficient quality. Finally, inter-school collaboration would be very difficult through other means. It would have all of the drawbacks already identified, with the addition of significant travel and accommodation costs.
Function Creep: We will prevent function creep by making a clear declaration of purpose and maintaining an ongoing open-door policy for staff to be able to report use of the system which is not aligned with the purpose.
Data quality and data minimisation: The IRIS Connect system will collect high-quality video and audio sufficient to fulfil the purpose. We will ensure that all analysis and data entry is as accurate as possible. We will have a clear procedure for users to be able to report inaccurate data. Video data will not be kept for longer than its useful purpose, in line with the school’s data retention policy.
Information and rights: School staff will be informed via our extensive onboarding consultation and training process. The DPO will be responsible for ensuring that staff are aware of their rights and know how to exercise them. Students and parents will be informed via appropriate notices and will have a clear pathway to raise their objections.
Compliance of Processors: We have engaged with IRIS Connect to ensure their policies and procedures are compliant with the GDPR. |
|||||
4.5. | Processing is necessary for legitimate interests. (Legitimate Interest Assessment required, seek DPO advice). |
☐ |
|||
4.6. | Processing is based on the consent of an individual(s). (Seek DPO advice) | ☐ | |||
4.6.1. |
If consent (3.6) has been selected, then please answer the following:
Can an individual(s) withdraw their consent with ease and whenever they want to? *
*Individuals should be able to withdraw consent at any time and at every step of the processing of their information without detriment. It should be as easy to withdraw consent as it is to give it. Consent requires prior information and an explicit indication of the consent, separate from other individual options (like accepted terms and conditions). |
Yes:
☐ |
No:
☐ |
||
4.6.2. | If consent has been selected, please indicate the consequences of withdrawal and refusal of consent for both the individuals and the Council. (For example, will the service to the individual be terminated?) | ||||
For the processing of special category data, you need to identify a legal basis (4.1 – 4.6) as well as at least one of the conditions below (4.7 – 4.16):
|
|||||
4.7. | The processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law | ☐ | |||
4.8. | The processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent | ☐ | |||
4.9. | The processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects | ☐ | |||
4.10. | The processing relates to personal data which are manifestly made public by the data subject | ☐ | |||
4.11. | The processing is necessary for reasons of substantial public interest, which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject. | ☐ | |||
4.12. | The processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity | ☐ | |||
4.13. | The processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law | ☐ | |||
4.14. | The processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy | ☐ | |||
4.15. | The processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject. | ☐ | |||
4.16. |
The data subject (or subjects) has given explicit consent. (Seek DPO advice)
|
☐ | |||
4.16.1. |
If consent (3.16) has been selected, then please answer the following:
Can an individual(s) withdraw their consent with ease and whenever they want to? *
*Individuals should be able to withdraw consent at any time and at every step of the processing of their information without detriment. It should be as easy to withdraw consent as it is to give it. Consent requires prior information and an explicit indication of the intent to consent, separate from other individual options (like accepted terms and conditions). |
Yes:
☐ |
No:
☐ |
||
4.16.2. | If consent has been selected, please indicate the consequences of withdrawal and refusal of consent for both the individuals and the Council. (For example, will the service to the individual be terminated?) |
Section 5: Secondary Uses of Data |
|||||
This section examines whether the processing will involve secondary uses of personal data, for example by re-using information which was gathered for a different purpose originally. | |||||
5.1. |
Will the proposed processing involve the use of existing personal information for new purposes? (For example a CRM system that will enable certain data about clients to be combined with other data and used in a new way.) |
Yes:
☐ |
No:
☒ |
||
5.1.1. | If, yes, will the proposed processing be compatible with the original purposes for which the personal data were first collected? |
Yes: ☐ |
No: ☐ |
||
5.1.2. |
Please explain your response to question 4.1.1. |
Section 6: Rights of the Data Subject |
|||||
This section examines whether the rights of individuals are protected and supported.
Individuals have the following rights in respect to the processing of information about them. They are:
You can find more information on these rights here.
|
|||||
6.1. | Will the proposed processing be communicated to the data subjects in a privacy notice? | Yes ☒ | No ☐ |
6.2. | Will the proposed processing enable the data subjects to exercise their rights of access? | Yes ☒ | No ☐ |
6.3. | Will the proposed processing enable personal data to be rectified? | Yes ☒ | No ☐ |
6.4. | Will the proposed processing enable personal data to be erased? *under certain circumstances | Yes ☒ | No ☐ |
6.5. | Will the proposed processing enable data subjects to exercise their right to restrict processing? *under certain circumstances | Yes ☒ | No ☐ |
6.6. | Will the right to data portability be supported by the proposed processing? *under certain circumstances | Yes ☒ | No ☐ |
6.7. | Will the right to object be supported by the proposed processing? *under certain circumstances | Yes ☒ | No ☐ |
6.8. | Will the proposed processing involve automated decision making or profiling? | Yes ☐ | No ☒ |
Section 7: Accuracy and Currency of personal data as a safeguard |
|||||
7.1. | Will the proposed processing be supported by checks on the accuracy of personal data? | Yes ☒ | No ☐ |
If ‘Yes’, explain how: | |||||
Quality of Video Data: IRIS Connect ensures that the video data is of high quality and clearly captures the necessary details. This involves good resolution, good quality microphones and tripods, all of which aid the recording quality and help avoid misinterpretation. Videos can be easily edited within the platform if any discrepancies are identified. Please see here for editing information.
Metadata Accuracy: Users will be instructed to ensure that the metadata associated with the video data, such as title, comments and tags, is accurate. These elements can be easily edited within the platform if any discrepancies are identified.
Data Storage and Handling: Using the IRIS Connect system for storage will ensure the data is robustly and securely stored to prevent data corruption or loss. Regular backups and data integrity checks are part of their security measures and controls.
User Training: We will ensure that staff who will use the IRIS Connect system are trained in proper procedures to ensure consistency and accuracy in recording and processing the data.
|
|||||
7.1.2. | Describe the possible impact on an individual, considering the possible consequences of processing outdated information for the individuals concerned. For instance, in some cases, an incorrect date of birth for an individual could be a LOW impact, whereas in other contexts an incorrect address for an individual could have a HIGH impact; the converse could be true in other circumstances: | ||||
Mostly HIGH |
☐ |
||||
Mostly MEDIUM |
☐ |
||||
Mostly LOW
Low has been selected here due to the purpose of the data collection on IRIS Connect. The data is being used solely for professional development. Therefore, if video data or user account data that is being processed and stored within IRIS Connect is not accurate or up to date, there is limited impact on the professional development process. |
☒ |
Section 8: Third parties and Commercial Partners |
|||||
8.1. | Is it likely that the proposed processing will involve third parties or require a contract or other written agreement (Data Processing Agreement)? | Yes
☒ |
No ☐ (If selected, please proceed to the next Section). |
||
8.1.1. | If Yes to 7.1., please list the organisations that will require a contract: | ||||
IRIS Connect and the school will enter into a Data Processing Agreement. A copy of which can be found here. |
|||||
8.1.2. |
Is it likely that the organisation will engage with sub-contractors (known as sub-processors)?
These are listed within Appendix B of the DPA
|
Yes
☒ |
No
☐ |
||
8.2. | There are a number of different terms used in data protection legislation to describe the roles taken by organisations in their dealings with third parties. Consider the following definitions, and select the position that best described the Council’s role in the proposed processing: | ||||
A CONTROLLER: A natural or legal person or organisation which determines the purposes and means of processing personal data. |
☒
|
||||
A PROCESSOR: A natural or legal person or organisation which processes personal data on behalf of a controller. The Council’s Contractors and suppliers are usually processors if they process personal data solely on its behalf. |
☐
|
||||
A JOINT CONTROLLER (Controller in common): A natural or legal person or organisation which, with another Controller or Controllers jointly determines the purposes and means of processing personal data. |
☐
|
Section 9: Security Measures |
|||||
9.1. | What technical and organisational security measures are in place for the proposed processing? (Please list the proposed security measures, for example, locks, passwords, device encryption etc.): | ||||
The IRIS Connect system is a closed system that requires user authentication to record and access uploaded data. Taking into account the existing policies that are in place with regard to cyber security and passwords, no additional measures are required.
|
|||||
9.2. | Will staff involved in the proposed processing require additional and specific data protection training? | Yes ☒ | No ☐ |
9.3. | (For ICT System procurement) Have you sought advice surrounding the systems security from the ICT Cyber Security Manager? | Yes
☐ |
No N/A ☒ ☐
|
||
9.3.1. | Please detail the advice given, or why you do not need to seek advice from, the Cyber Security Manager, including any identified risks: | ||||
IRIS Connect is used by 1000s of organisations internationally. They have very high security standards and have achieved Cyber Essentials Plus and conform to NIST standards.
All data covered under this DPIA will be processed and stored by IRIS Connect.
|
|||||
9.4 | Will the proposed processing involve storage or transfer via the cloud? | Yes ☒ | No ☐ |
Section 10: Retention of Personal Data |
|||||
10.1 | How long is it intended to keep the personal data for as part of the proposed processing? (Tick which apply) | ||||
10.1.1. | The personal data will be destroyed after the completion of the proposed processing. |
☐ |
|||
10.1.2. |
Information is to be retained for a specific period after the completion of the proposed processing.
|
☒ |
|||
If you have ticked 9.1.1., for how long? | As long as the user remains an employee of the school or until the data is no longer useful for the teacher’s professional development. Users will review their recordings annually. |
Section 11: International Transfers of Personal Data |
|||||
This presents a risk as not all countries ensure the same level of protection for personal data. |
|||||
11.1. |
Will the proposed processing involve transferring, storing and/or disclosing personal data to a country or territory outside of the European Economic Area (EEA)?
The EEA consists of the following countries: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Liechtenstein, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, and Sweden. |
Yes
☐ |
No ☒
(If selected, please proceed to the next Section).
The data is processed in Dublin, Ireland |
||
11.1.1. |
If yes is selected in 10.1., are measures in place to ensure an adequate level of security if personal data are transferred outside the EEA? |
Yes
☐ |
No ☒
|
||
11.2. | If personal data is transferred outside of the EEA, how will the safeguards be set out? (Tick which apply) | ||||
11.2.1. | Standard Contractual Clauses (SCCs) |
☐ |
|||
11.2.2. | Binding Corporate Rules |
☐ |
|||
11.2.3. | Other |
☐ |
|||
11.2.3. | If any of the above have been selected, please provide an explanation. |
Section 12: Consultation Process |
|||||
This section describes when and how an individual’s views will be sought, or details why it is not appropriate to do so. |
|||||
12.1. | Do you need to consult with relevant experts, e.g. Equality Officer, or the Legal Department? | Yes ☐ | No ☒ |
12.2. | Do you need to consult with relevant data subject groups? | Yes ☐ | No ☒ |
12.2.1. | If you have already consulted with data subject groups, please provide further details | ||||
It was deemed not necessary to consult with either the teachers or pupils due to the requirement of Public Task to provide teachers with professional development. The data subjects will however be able to raise any questions or concerns with the school which will deal with these on a case-by-case basis. | |||||
12.3. | Do data processors need to have an input to this assessment? | Yes ☐ | No ☒ |
Section 13: Documentation |
|||||
Please provide a copy of, or a link to, any supporting data protection documentation, such as a privacy notice (either produced by the service or a third party), sharing agreements or contracts etc. |
|||||
IRIS Connect Data Processing Agreement School Privacy Notice |
Section B: Identification and Assessment of Risk:
The following grid is to be completed using the Risk Assessment Matrix included in Section D below.
Risk Number | Describe the source of risk and nature of potential impact on individuals (Include associated compliance and corporate risks as necessary) | Probability of Harm (1 – 5) | Impact of Harm (1 – 5) | Overall Risk (1 – 25) |
#01 | Data breach | 2 | 2 | 4 |
#02 | Subjects not expecting their data to be processed in this way | 2 | 1 | 2 |
#03 | The system not being used for the intended purpose | 2 | 1 | 2 |
#04 | Individual pupils withdrawing consent on an ad hoc basis | 3 | 1 | 3 |
Section C: Identification of Measures to Mitigate Risks outlined in Section B:
The following grid should encompass all risks identified in Section B.
Risk Number | Option to Reduce or Eliminate Risk | Effect on Risk (Eliminated, reduced or accepted) | Residual Risk (1 – 25) | Measure Approved (Yes/No) |
#01 | The IRIS Connect system adheres to the highest standards of data protection and security. Further information about the IRIS Connect security measures and controls can be found here. Password policy strictly enforced throughout the school. | Reduced | 1 | Yes |
#02 | Clear privacy notices, parents, staff and learners engaged and informed. Home school agreement aligned with use and clear pathways to opt out open to all parties. | Reduced | 1 | Yes |
#03 | A clear schoolwide statement of purpose and an open door policy for users to report instances of the system being used in a way which is not aligned with purpose. Training provided to all users. | Reduced | 1 | Yes |
#04 | Use of data minimisation strategies to not capture certain data subjects - anonymisation/editing/camera positioning or not recording some lessons if pupils have opted out. | Reduced | 1 | Yes |
Risk assessment completed by: | |
Date: | |
Date considered by Data Protection Officer: |
Section D: Risk Assessment Matrix:
Each risk should be assessed against the likelihood of an incident occurring and the severity of the consequences should one arise.
Likelihood | |
Almost Certain | Could happen at any moment |
Very likely | Repeatedly encountered |
Likely | Likely to occur several times |
Unlikely | Unlikely to occur |
Improbable | Remote likelihood of occurring |
Impact | |
Catastrophic | May result in the highly costly loss of major tangible assets or resources; or may significantly violate, harm or impede an organization’s reputation, or interest; or may result in human death or serious injury. |
Major | Loss of face, costly to remediate, could be combined with other factors to elevate the impact |
Moderate | Chance of service or information loss combined with inconvenience to business. |
Minor | No loss of information, temporary loss of service |
Insignificant | Cannot be exploited or information safe. |
Almost certain | 5 | 10 | 15 | 20 | 25 |
Likely | 4 | 8 | 12 | 16 | 20 |
Possible | 3 | 6 | 9 | 12 | 15 |
Unlikely | 2 | 4 | 6 | 8 | 10 |
Rare | 1 | 2 | 3 | 4 | 5 |
 | Insignificant | Minor | Moderate | Major | Catastrophic |