IRIS Connect is not providing you with definitive legal advice, ultimately it will be up to the school and your DPO to decide on your policies for GDPR & Safeguarding. However, we do want to pass on to you the experience that we have gained from working with hundreds of schools and the practices that they have followed.
NOTE: Using the Document
The below document is an example of a policy that a school could use to support the use of BYOD and IRIS Connect. The document should be read, reviewed and updated/edited as required by the school before use.
The school recognises that mobile technology offers valuable benefits to staff from a teaching and learning perspective. Our school embraces this technology but requires that it is used in an acceptable and responsible way.
This policy is intended to address the use by staff members of non-school owned electronic devices to access the internet via the school's internet connection or to capture and review [delete as appropriate] IRIS Connect reflections.
These devices include smartphones, tablets, laptops, wearable technology and any similar devices. If you are unsure whether your device is captured by this policy please check with the school's Network Manager. These devices are referred to as 'mobile devices' in this policy.
This policy is supported by the school’s [Acceptable Use Policy]. [update as required]
Risk Assessment and Rationale
[update as required]
The school wishes to implement a professional development programme for all teaching staff to further improve the teaching and learning taking place within the school. The most effective way to achieve this is to ensure that each member of the teaching staff is able to record their practice as much as possible to facilitate the feedback, coaching and modelling that is required for improvements in teaching to take place. The use of personal devices is a cost-effective way to achieve this.
The school has undertaken a review of the risk associated with the use of personal devices in school. Through the combination of the use of the IRIS Connect apps, alongside the restrictions mandated in this following document have fulfilled the necessary requirements.
See Appendix 1 for a breakdown of the risk assessment
1. Use of mobile devices at the school
Staff must only use mobile devices for the use of IRIS Connect recording / reviewing [delete as appropriate]
Staff are responsible for their mobile device at all times. The school is not responsible for the loss, or theft of, or damage to the mobile device or storage media on the device (e.g. removable memory card) howsoever caused. Reception must be notified immediately of any damage, loss, or theft of a mobile device, and these incidents will be logged.
Mobile devices must be turned off when in a prohibited area and/or at a prohibited time and must not be taken into controlled assessments and/or examinations, unless special circumstances apply.
The school reserves the right to refuse staff permission to use their own mobile devices on school premises.
The school recommend:
1) Device owners assess the risk in the context of the specific class that you will be teaching
2) Plan where you are going to physically place the device in a way to mitigate any risks identified - both from the point of view of what it will be able to capture and how accessible it is to pupils.
2. Access to the school's Internet connection
The school provides a wireless network that staff may use to connect their mobile devices to the Internet. Access to the wireless network is at the discretion of the school, and the school may withdraw access from anyone it considers is using the network inappropriately.
[include if required]
Access to the school’s internet connection is only to be used for uploading/reviewing IRIS Connect reflections. [delete as appropriate]
The school cannot guarantee that the wireless network is secure, and staff and visitors use it at their own risk. In particular, staff and visitors are advised not to use the wireless network for online banking or shopping.
The school is not to be held responsible for the content of any apps, updates, or other software that may be downloaded onto the user's own device whilst using the school's wireless network.
This activity is taken at the owner's own risk and is discouraged by the school. The school will have no liability whatsoever for any loss of data or damage to the owner's device resulting from use of the school's wireless network.
3. IRIS Connect Access
School staff are permitted to connect to or access the following school IT services from their mobile devices:
- IRIS Connect Record app
- IRIS Connect Platform app
- IRIS Connect Web Platform
[delete as appropriate]
Staff MUST use the IRIS Connect Record app. There are no scenarios where recording using the native camera app on the device is permitted.
The IRIS Connect app ensures that recordings are securely made, encrypted before upload, automatically uploaded to the users password protected account and then deleted upon completion of uploads
3.2 Platform Access
Users must only review IRIS Connect Platform data via their own account. You should never review data or recordings via someone else’s account. It must be shared to your IRIS Connect account.
For example: looking at another user's reflection with them on their device is not permitted.
Staff must only use the IT services listed above (and any information accessed through them) for work purposes. School information accessed through these services is confidential, in particular information about pupils.
Staff must take all reasonable measures to prevent unauthorised access to it. Any unauthorised access to or distribution of confidential information should be reported to the school's Bursar or Network Manager as soon as possible in line with the school’s data protection policies.
4. Monitoring the use of mobile devices
The school uses technology that detects and monitors the use of mobile and other electronic or communication devices, which are connected to or logged on to our wireless network or IT systems. By using a mobile device on the school's IT network, staff agree to such detection and monitoring. The school's use of such technology is for the purpose of ensuring the security of its IT systems and for tracking school information.
The information that the school may monitor includes (but is not limited to) the addresses of websites visited, the timing and duration of visits to websites, information entered into online forms (including passwords), information uploaded to or downloaded from websites and school IT systems, the content of emails sent via the network, and peer-to-peer traffic transmitted via the network.
Staff who receive any inappropriate content through school IT services or the school internet connection should report this to the school’s Network Manager as soon as possible.
5. Security of staff mobile devices
Staff must take all sensible measures to prevent unauthorised access to their mobile devices, including but not limited to the use of a PIN, pattern or password to be entered to unlock the device, and ensuring that the device auto-locks if inactive for a period of time.
Whilst Recording the school recommends the use of 'Guided access' on iOS or 'Screen pinning' on Android which is simple to set up and will prevent students from accessing other applications or device features without entering a security code.
Staff must never attempt to bypass any security controls in school systems or others' own devices.
Staff are reminded to familiarise themselves with the school's e-safety and acceptable use of IT policies which set out in further detail the measures needed to ensure responsible behaviour online.
Staff must ensure that appropriate security software is installed on their mobile devices and must keep the software and security settings up-to-date.
6. Compliance with Data Protection Policy
Staff compliance with this BYOD policy is an important part of the school's compliance with the Data Protection laws. Staff must apply this BYOD policy consistently with the school's Data Protection guidelines.
The school cannot support users’ own devices but will offer advice to users in their use where practically possible.
The school takes no responsibility for supporting staff's own devices; nor has the school a responsibility for conducting annual PAT testing of personally-owned device.
8. Compliance, Sanctions and Disciplinary Matters for staff
Non-compliance of this policy exposes both staff and the school to risks. If a breach of this policy occurs the school may discipline staff in line with the school’s Disciplinary Procedure. Guidance will also be offered to staff to support them in complying with this policy. If steps are not taken by the individual to rectify the situation and adhere to the policy, then the mobile device in question may be confiscated and/or permission to use the device on school premises will be temporarily withdrawn. For persistent breach of this policy, the school will permanently withdraw permission to use user-owned devices in school.
9. Incidents and Response
The school takes any security incident involving a staff member's or visitor's personal device very seriously and will always investigate a reported incident. Loss or theft of a mobile device should be reported to Reception in the first instance. Data protection incidents should be reported immediately to the school's Bursar.
Appendix 1 - Risk Assessment
[populate and complete as appropriate]
Signed off by
Data being recorded/shared outside of IRIS Connect platform
Through training and Section 3 users will be instructed to use only the IRIS Connect Record app
Inappropriate use of the devices
The BYOD policy will outline the use that is permitted alongside the monitoring outlined in Section 4
Loss or damage to devices
Section 1 outlines that the school will not be liable for damage or loss and required steps for device owners to take
Use of devices will be on an opt in basis.
Data Security of recordings
Using a personal device to capture video through the IRIS Connect app is as safe using a school or IRIS Connect provided device
Data Security of phone's contents
The use of 'Guided access' on iOS or 'Screen pinning' on Android is simple to set up and would prevent students from accessing other applications or device features without entering a security code.
Section 9 covers the reporting procedure of any Data Incidents