The ICO also recommends that you complete a DPIA if you plan to use new technologies so it would be good practice to create one for the use of IRIS Connect.
The ICO has a template for this document if you do not already have one.
We have also completed a template DPIA that you may wish to use for reference when completing your DPIA. You can download it here or view it below.
Risk profiling and mitigation measures may vary from school to school so these have been left blank.
Step 1: Identify The Need For a DPIA
Explain broadly what the project aims to achieve and what type of processing it involves. You may find it helpful to refer or link to other documents, such as a project proposal. Summarise why you identified the need for a DPIA.
The school wants to implement IRIS Connect, a secure system that enables teachers to record lesson footage and upload it to a digital platform with role-based login. Once uploaded, teachers may choose to selectively share their videos with other teachers within the school or between schools when given permission by their Data Protection Officers.
Platform tools enable collaborating professionals to analyse the videos in a way which is aligned with high-quality professional development. Teachers may use platform tools to analyse the impact their teaching practices have on learners, to provide each other with high quality feedback and examples of outstanding teaching. Over time the system supports teachers to refine their practices reflectively and collaboratively thereby improving as teachers.
This data processing has a number of risk considerations that must be taken into account:
The IRIS Connect system contains tools that enable the analysis of classroom activities and behaviours such that the teacher can quantitatively refine their classroom practice to improve learning outcomes.
While the IRIS Connect system does not operate in an “always on” state and requires an elective act to record practice in one locality for a predefined time, the classroom is a dynamic and quasi public environment.
A high proportion of the school population are likely to be subject to some level of data processing.
The IRIS Connect system allows DPOs from different organisations to define terms for selective sharing of video data to enable inter-school collaboration and professional development programmes.
Teachers are employees of the school and, given the power imbalance, are vulnerable subjects for the purpose of the GDPR. Students may be below the age where they can be considered able to knowingly and thoughtfully oppose or consent to the processing of their data.
While digital video platforms are becoming mainstream for teacher professional development (around 30% of secondary schools use one form or another) the system is new to the school and therefore may be considered an innovative organizational solution.
Step 2: Describe the Processing
Describe the nature of the processing: how will you collect, use, store and delete data? What is the source of the data? Will you be sharing data with anyone? You might find it useful to refer to a flow diagram or other way of describing data flows. What types of processing identified as likely high risk are involved?
Video data is collected via a dedicated mobile application that encrypts the video locally and uploads it to the IRIS Connect servers. All data in transit is encrypted. Once the upload is complete, the video is deleted from the local device. The IRIS Connect platform is highly secure and operates role-based login and privacy by design. Once the video is uploaded, only the teacher who recorded the video has full access to it. Administrators have access to thumbnail images drawn from the uploaded videos so that they can see a basic preview of the content to ensure that all video uploaded is appropriate.
The teacher has control of the deletion and sharing of the video. Sharing between users of the same organisation is enabled by default. By mutual agreement, DPOs at different locations may vary this scope to enable sharing between users at their organisations under the auspices of a separate data-sharing agreement. Downloading of video is disabled by default. If user A shares a video with user B, user B does not have the ability to share or download the video. Video is deleted by the user when no longer required or by the school in line with their data retention policy or by IRIS Connect in line with its data retention policy.
IRIS Connect operate strict controls over who may access data and protocols for gaining permission from clients if access is required.
Describe the scope of the processing: what is the nature of the data, and does it include special category or criminal offence data? How much data will you be collecting and using? How often? How long will you keep it? How many individuals are affected? What geographical area does it cover?
The nature of the data collection is video of classrooms, learners and teachers. The video may be anonymised via the use of the IRIS Connect anonymisation filter feature. If the video is not anonymised, learners' appearance will be apparent. Additionally, if the teacher refers to the student by name, the video may include the name and appearance of a data subject.
The school plan to enable each teacher to use the system at least once per term. Therefore we envisage 90 session recordings of an average duration of 1 hour. So 90 hours per year. Only a small proportion of this data is likely to be shared between users and an even smaller fraction shared via inter-school collaboration.
Video data will not be stored beyond its usefulness to the purpose. Many videos will cease to be useful after an initial round of review and collaboration. A small percentage may prove to be a good example of a particular strategy or technique and may be retained indefinitely.
All members of school staff and all pupils are potentially subject to data processing within IRIS Connect.
IRIS Connect recordings will be exclusively restricted to learning environments on the school site.
Describe the context of the processing: what is the nature of your relationship with the individuals? How much control will they have? Would they expect you to use their data in this way? Do they include children or other vulnerable groups? Are there prior concerns over this type of processing or security flaws? Is it novel in any way? What is the current state of technology in this area? Are there any current issues of public concern that you should factor in? Are you signed up to any approved code of conduct or certification scheme (once any have been approved)?
School teachers are employees who may feel vulnerable to the use of video. Teaching unions have previously raised concerns about schools using video to place their teachers under surveillance. The use of IRIS Connect is purely for the purpose of professional development and the school is committed to only using it for this purpose on an opt-in basis, as per the agreement between the ACSL and ATL on the use of IRIS Connect.
There has always been a degree of concern within society pertaining to the collection of video data which includes minors, however, once the purpose, scope and security measures are explained this tends to lead to very low levels of objection. Pupils and parents will be informed by our privacy notice and will have the right to object to the data processing.
There are no known security flaws in the IRIS Connect system which has operated for over a decade without incident. The IRIS Connect system is a mature platform which is well supported and has a high level of compliance with data security best practices.
Describe the purposes of the processing: what do you want to achieve? What is the intended effect on individuals? What are the benefits of the processing – for you, and more broadly?
Significant educational research shows that teacher quality and therefore the quality of the professional development is the single largest controllable factor affecting educational outcomes for children.
Consequently, there are multiple statutory requirements for school staff to engage and promote professional learning within and between schools.
Yet such obligations are hard to achieve given the barriers of time, distance and money. These barriers are overcome with digital video and digital collaboration technology.
By removing the barriers to effective professional learning we will engage more teachers more frequently with high leverage professional learning interactions such as reflecting upon their teaching, analysing and refining their impact on learning, seeing examples of high-quality teaching and giving and receiving high quality contextualized feedback.
95% of teachers using IRIS Connect report improved classroom practice. Our objective is to achieve these same outcomes within the school and thereby improve outcomes for learners. Better outcomes for learners will result in significant and broad societal benefits.
Step 3: Consultation Process
Consider how to consult with relevant stakeholders: describe when and how you will seek individuals’ views – or justify why it’s not appropriate to do so. Who else do you need to involve within your organisation? Do you need to ask your processors to assist? Do you plan to consult information security experts, or any other experts?
We will operate a multi-faceted stakeholder engagement and consultation. We will actively inform parents and learners of the programme including the purpose and provide them with clear mechanisms to ask questions and object to processing.
We will engage teachers in an extensive programme of orientation and induction facilitated by an onsite launch event which makes clear the system's privacy by design model, as well as their rights and obligations in the use of the system. We will clearly signpost that the use of the system is on an opt-in basis.
We will engage our network manager in a review of the IRIS Connect system to ensure that it is compatible with our network and does not present a security risk.
Step 4: Assess Necessity and Proportionality
Describe compliance and proportionality measures, in particular: what is your lawful basis for processing? Does the processing actually achieve your purpose? Is there another way to achieve the same outcome? How will you prevent function creep? How will you ensure data quality and data minimisation? What information will you give individuals? How will you help to support their rights? What measures do you take to ensure processors comply? How do you safeguard any international transfers?
What is the lawful basis for processing:
We have selected public task as the basis for lawful processing for the following reasons:
Supporting pupil learning through the training of teaching staff is required to perform our statutory function. Specific statutory requirements worth noting are the Teachers' Standards:
The standards themselves (part 1 and part 2) have statutory force (under regulation 6(8)(a) of the Education (School Teachers’ Appraisal) (England) Regulations 2012).
They are issued by law; you must follow them unless there’s a good reason not to.
The standards state that:
Appropriate self evaluation, reflection and professional development activity is critical to improving teachers’ practice at all career stages. The standards set out clearly the key areas in which a teacher should be able to assess his or her own practice, and receive feedback from colleagues.
And that teachers should:
Additionally, as referred to in the Teachers' Standards, the statutory guidance on school teachers' pay and conditions specifically points out that it is the professional responsibility of headteachers to:
46.8. Lead, manage and develop the staff, including appraising and managing performance.
46.14. Promote the participation of staff in relevant continuing professional development.
46.18. Collaborate and work with colleagues and other relevant professionals within and beyond the school including relevant external agencies and bodies.
And for all teachers to:
50.14. Participate in arrangements for their own further training and professional development and, where appropriate, that of other teachers and support staff including induction.
50.16. Collaborate and work with colleagues and other relevant professionals within and beyond the school.
Is there another way to achieve your objectives:
Teacher reflection (central to the teaching standards) is virtually impossible to achieve meaningfully without the use of video.
To provide teachers with the same frequency of high impact professional learning interactions would be impossible for the school through other means. The process of experiencing high quality teaching and giving and receiving high quality feedback, in the absence of video collaboration, would require in-person lesson observation.
In-person lesson observation represents a subjective one-off experience, with no record for analysis and discussion post event. This leads to low quality professional discussion with lower impact upon professional practice.
Additionally, in-person observation requires another professional to be available to provide the physical observation and debrief process. Within a busy school environment this will entail significant additional cost for the school as we would have to employ more cover staff to free up the observer.
The process of providing high quality examples of teaching practices is even more difficult to achieve through other means. It is difficult to know when it would occur so you would have little control of whether the observing teacher would get the experience they would need from their observation. Furthermore, the school would like all staff to have a shared understanding of what a high quality practice looks like. It is physically impossible to fit the entire teaching staff in a single classroom on the off chance a particular high strategy will be demonstrated with sufficient quality.
Finally, inter-school collaboration would be very difficult through other means. It would have all of the drawbacks already identified with the addition of significant travel and accommodation costs.
We will prevent function creep by making a clear declaration of purpose and maintaining an ongoing open door policy for staff to be able to report use of the system which is not aligned with the purpose.
Data quality and data minimisation:
The IRIS Connect system will collect high quality video and audio sufficient to fulfil the purpose. We will ensure that all analysis and data entry is as accurate as possible. We will have a clear procedure for users to be able to report inaccurate data. Video data will not be kept for longer than its useful purpose in line with the school’s data retention policy.
Information and rights:
School staff will be informed via our extensive onboarding consultation and training process. The DPO will be responsible for ensuring that staff are aware of their rights and know how to exercise them. Students and parents will be informed via appropriate notices and will have a clear pathway to raise their objections.
Compliance of Processors
We have engaged with IRIS Connect to ensure their policies and procedures are compliant with the GDPR.
Step 5: Identify and Assess Risks
Describe the source of risk and nature of potential impact on individuals. Include associated compliance and corporate risks as necessary.
Likelihood of harm
Remote, possible or probable
Severity of harm
Remote, possible or probable
Low, medium or high
Subjects not expecting their data to be processed in this way
The system not being used for the intended purpose
Step 6: Identify Measures to Reduce Risk
Identify additional measures you could take to reduce or eliminate risks identified as medium or high risk in step 5
Options to reduce or eliminate risk
Effect on risk
Eliminated, reduced, accepted
Low, medium, high
Subjects not expecting their data to be processed in this way
The system not being used for the intended purpose
The IRIS Connect system adheres to the highest standards of data protection and security.
Password policy strictly enforced throughout the school
Clear privacy notices, parents, staff and learners engaged and informed. Home school agreement aligned with use and clear pathways to opt out open to all parties
A clear schoolwide statement of purpose and an open door policy for users to report instances of the system being used in a way which is not aligned with purpose.
Step 7: Sign Off and Record Outcomes
Measures approved by:
Integrate actions back into project plan, with date and responsibility for completion
Residual risks approved by:
If accepting any residual high risk, consult the ICO before going ahead
DPO advice provided:
DPO should advise on compliance, step 6 measures and whether processing can proceed
Summary of DPO advice:
DPO advice accepted or overruled by:
If overruled, you must explain your reasons
Consultation responses reviewed by:
If your decision departs from individuals’ views, you must explain your reasons
This DPIA will be kept under review by:
The DPO should also review ongoing compliance with DPIA