IRIS Connect is not providing you with definitive legal advice; ultimately it will be up to the school and your DPO to decide on your policies for GDPR. However, we do want to pass on to you the experience that we have gained from working with hundreds of schools and the practices that they have followed.
Some example documents are provided. These are designed to give an indication of what appropriate documentation might look like. Your school and DPO should carefully consider how they inform your policies, getting further advice where appropriate.
Please note: This information is for EU-based organisations covered by the GDPR.
1) Selecting Your Lawful Basis
ICO Guidance can be found here.
The lawful basis for recording is selected and managed by the data controller (in the case of IRIS Connect, this is the Customer).
In the GDPR there are 6 lawful bases for the processing of data. You will need to select one or more of these as your bases for processing data with IRIS Connect. The majority of schools using IRIS Connect select the basis of Public Task, so we have used this basis within our templates and examples.
If you have already gained consent for this type of data processing (for example in your home-school agreement), then you may wish to proceed on that basis. However, if consent has not been explicitly gained in a previous agreement, then selecting the lawful basis of consent will require a new process. The new process would have to be explicitly opt-in and may be difficult to implement.
The ICO is clear in its guidance that:
The GDPR sets a high standard for consent. But you often won’t need consent. If consent is difficult, look for a different lawful basis.
If you are not confident that you already have consent, you should consider another legal basis. As an organisation discharging a statutory obligation, you should consider Public Task.
|Basis||Public Task (ICO Guidance)|
|Description||You can rely on this lawful basis if you need to process personal data in the exercise of official authority (this covers public functions and powers that are set out in law) or to perform a specific task in the public interest that is set out in law.|
|Relevance to IRIS Connect||Many schools are using this basis to cover a great deal of the data processing they do. The running of the school is a task that is in the public interest and has a basis in law.
The provision of professional development to staff (and therefore the use of IRIS Connect) is a required function of running a school. There are statutory requirements relating to professional development for teachers, as detailed in the example below.
Do I Need Consent/Permission to Record?
This will depend on your local legal framework.
For example, in the EU, operating within the GDPR framework, many of our institutions have not required consent from students as it is possible to select the legal basis of ‘public task’.
The legal basis (there are 6 to select from as outlined by the GDPR) for recording is decided by each organisation.
Many organisations already have permission in place (e.g. via a letter home to collect permission for a range of data collection the school conducts); however, the ICO states that:
No single basis is ‘better’ or more important than the others – which basis is most appropriate to use will depend on your purpose
Therefore, particularly in an education context, Public Task is often used.
If you believe that your local data protection framework requires consent, then, if possible, an opt-out rather than opt-in process is desirable.
Additionally, the IRIS Connect system provides a number of data minimisation strategies that can be used to minimise consent requirements, such as:
- Anonymisation filters
- Camera positioning
2) Create Internal Documentation to Support Your Selection of Lawful Basis
ICO Guidance can be found here.
Based upon the ICO’s documentation template for data controllers, the following provides information on how you may wish to document your lawful basis for processing.
In this example:
- The school has reviewed all the legal bases and consulted with their DPO. In this circumstance they have selected Public Task as the most appropriate for their school.
- The school has included information to support the limited sharing of the data between themselves and other organisations as they are engaged in a programme of professional learning which extends between organisations.
- They have not provided responses for the fields relating to third countries as IRIS Connect stores all data within the EU.
- They have not provided details for an Article 9 basis for processing special category data. If you intend to record data that is a special category then you would need to select one of the conditions for processing listed in the linked ICO guidance.
|Purpose of processing||Providing professional development for teachers that enables them to engage in self-evaluation and reflection and to receive feedback from colleagues.|
|Categories of individuals||Pupils, teachers and other employees who may be in the classroom.|
|Categories of personal data||A range of personal data about individuals is likely to be recorded due to the use of video and audio recording.|
|Categories of recipients||The system that we have selected (IRIS Connect) provides a privacy-by-design service to ensure that only users approved by the school can access the data and only when it has been specifically shared with them for an educational purpose. These individuals will be education professionals i.e. teachers, classroom assistants, professional development providers or educational researchers.|
|Link to contract with processor||https://www.irisconnect.com/uk/organisation-administrator-agreement/|
|Retention schedule (if possible)||https://www.irisconnect.com/uk/support/gdpr/data-retention-policy/|
|General description of technical and organisational security measures (if possible)||Our staff are required to adhere to both our own internal security policies and the conduct rules that they agree to when activating their user account (https://www.irisconnect.com/uk/support/gdpr/end-user-licence-agreement-eula/).
IRIS Connect have published the following documentation relating to their security measures and controls.
|Article 6 lawful basis for processing personal data||We have selected Public Task as the basis for lawful processing for the following reasons:
Supporting pupil learning through the training of teaching staff is required to perform our statutory function. Specific statutory requirements worth noting are the Teachers’ Standards:
The standards state that:
Appropriate self evaluation, reflection and professional development activity is critical to improving teachers’ practice at all career stages. The standards set out clearly the key areas in which a teacher should be able to assess his or her own practice, and receive feedback from colleagues.
And that teachers should:
Additionally, as referred to in the Teachers’ Standards, the statutory guidance on School teachers’ pay and conditions specifically points out that it is the professional responsibility of headteachers to:
And for all teachers to:
Why is the use of video necessary to achieve these objectives?
|Rights available to individuals||We will make provision for data subjects to actively opt out of their data being recorded.|
|The source of the personal data (if applicable)||Data is collected during classroom video and audio recordings. Additional data may be input to the system by users of the system reflecting on their practice or providing feedback to other users.|
|Location of personal data||All data is stored within the EU.|
|Data Protection Impact Assessment required||Yes|
|Link to Data Protection Impact Assessment||See example here|