Podcast | Season 1 | Episode 14: Privacy and Data Protection in Schools
In this episode Jen Persson (Defend Digital Me) shines a light on how schools can fairly collect children's data and the need for awareness on how commercial organisations use them.
📎 Who Needs to Be Told What? What Schools Must Do to Meet Their Duties on Data Protection and Privacy
- What does a day-in-the-life of a datafied child look like at your school, and can you explain it?
- Do you understand how the National Pupil Database works and what you need to tell families?
- What impact do emerging technologies have on your data processing duties?
- Case studies from legal challenges and regulatory enforcement Security and privacy: How not to be the next news story
💡 Jen Persson, Director, Defend Digital Me
🏫 This session was recorded live on 14th November 2019 in the Schools Improvement Summit of the Schools & Academies Show at the NEC in Birmingham.
Everyone, welcome. Thanks for coming. Sorry if I gave you a bit of a shock. I don't know how loud I am in the back because it's all right. Good. Okay. Alright. Well, you might have more shocks this afternoon. I hope not. What we're hoping to do is take you through about 10 minutes of some of the things that you might or might not be doing in your own schools. And if you if you're happy to give me a rough show of primary school, secondary, further, something else other Okay, so got a rough idea. Which I tailor it a little bit. And also, I want to try and leave 10 minutes. So almost half the session for questions that have to be short and sweet if you've got more than a few, but let's do what we can. So top tasks are telling families about data policies in schools and why it matters. And we've just finished writing a report for the Council of Europe Data Protection Committee 108, one of the global data protection legislations, it's not just about GDPR, we've all had data protection legislation in the UK and around the world for many, many years. GDPR has actually changed very little. So if you're just coming to data protection and privacy as issues in schools, we might have some catch up to do. There's some things have changed, but not a lot. Most of what you should be doing today is something we should have been doing since 1998 1995. And long before.
What does the day in the life of a child look like? So one of the things we'll go through, we've put some flyers out, you'll see it on the back. Can you explain it. Can you explain to families what actually happens once the school census has been collected? Where the national people database comes from? Do you know that it's 25 different databases from collections in schools from children age 2 t0 19, joining up everything from their name, date of birth, all your testing, early years, key stages, all their attainment, behavior, special educational needs, all joined together, all given away by government to commercial companies, researchers, academics and others. We talk about emerging technologies. We've got some fascinating things on display today. Here at the show. We've also got some absolutely shocking stories from around the world. Things like brain scanners being employed in China. But don't think all the high tech stuffs in China where there's got even fewer human rights than we have respected here because of facial recognition biometrics, fingerprinting in schools with a world leader, I think here in the UK, you have normalised the fact that we use fingerprints in schools for library books for campaigned for cashless payments. Even the US does not use that technology. So we've got lots of case studies and things that we'd like to see avoided. And this is where we're moving towards the better picture we want to see built. What does a day in the life at your school look like? Have you ever thought about it? I was a mother. I still am a mother, but five years ago, knew absolutely nothing about how my child's data was processed in school. I've spent two years mapping it of what this data flows into, across and out of the education system look like. And I was really pretty horrified once I put this picture together when you think that but at the breakfast table, you're getting home school communications on mobile phones saying don't forget this something great on good news. Don't forget the homework. Kids maybe got a message on Google Education. At 8:30 they're crossing into the school playground reps on a body cam on your local crossing patrol across into CCTV across the playgrounds, lots of controversy right now, but they've been putting them into school toilets. We've just in fact been talking to Jeremy Vine and Mark Lehane was on talking, obviously not really understanding how the law works, because some of that's deeply invasive and not lawful. And by eight o'clock, nine o'clock, you're back in school classroom, you registered, you're on the Sims register, what is CapitalSims or other companies do with that data? Where does it go sitting in the cloud? We've now got millions and millions of children's records sitting with commercial companies. Do you know exactly how they get used? There's very little transparency around it. You're logging on to Google platforms to Microsoft other significant companies. Perhaps you're using a web monitoring software. Some of them are here today InfoPro, NetSupport, e-safe and others. They're monitoring everything children type, sometimes matching up to 20,000 keywords from libraries. Did they type cliffs and get flagged as a suicide risk that they type black rhinos and get flagged as a potential gang member? If you think they sound absurd? These are two case studies have come to us this last year. Where teachers have said, these software have a huge error rate. They create tons of workload, but we've got no transparency, how good it is and what it's actually doing. Some of these companies send the data to the States, some of it about rainy owned, we really need much more transparency around it. Perhaps by one o'clock, you've already logged into an AI platform, perhaps using VR or AR. Some of these collect data locally, some of them are sending them into the cloud, some of them might store it forever, anonymise it, they say, it's very hard to anonymise data, really hard to do it well. So if you've got companies saying to you, in part of your data sharing agreements that you have to click because if you don't click it, you'll get not get to use the service tomorrow. Be very wary of saying it'll be anonymized. We're using multiple apps in the classroom throughout the day. By the afternoon they probably already used the biometric system for buying the lunch. Perhaps using it for borrowing library books, then again, after school clubs, a lot of them are integrating with schools information management systems, again, leaving school body cams, CCTV, etc. Going home that they're looking into the Google Classroom perhaps, may or may not be tracking through YouTube, depending how you've got it set up using the same login system. And all that data, then potentially, the stuff that's been put into the classroom management apps, the CPOMS and so on and so forth, is then being processed overnight by all these companies. And if once a term you're sending data, as you're required to belong to the school census, is then going to government and they give it away on a daily basis to thousands of places, and it's not anonymous. Can you explain that to a child?
Okay, so there's no requirement to ask for consent to capture child's biometrics in England True or false? So we'll say true. Don't need to ask consent. Okay, Scotland, is it true no requirements to ask for consent? Don't know, ok. So, in England and Wales, children are protected under protection of freedoms act 2012 piece of legislation put in with a specific paragraph saying you must have active consent. It's not something you're locked out of. It's not you have to use this system we'd really like you to please don't say no. And it's you have to get freely given voluntary consent. That can't be unlike my own daughter, a two year waitlist for her to be able to use the canteen because there was no other system in place. You have to be able to offer an alternative. Scotland and Northern Ireland, that piece of legislation doesn't apply. They don't have the same protections. It's one thing we'd like to see change. We'd like UK wide the same protections for all children to be in place.
When we carried out a survey last year 38% of the parents who said we are using a biometric system in schools said they hadn't been asked for consent. There's a big gap here between what should be happening and what is happening in reality. Children are in school for the most part. compulsorily. It's not a consensual process. My kids, I'm delighted to say love going to school. Some children are in much more difficult situations and don't, or they get really challenging situations why they're not. There's lots of reasons that data are collected about children for their welfare for their well being. And it's really important that we do it well and safely. So they trust coming to school, and they keep coming to school. But other places, they're starting to enforce against GDPR. So Sweden, the Data Protection Commissioner in Sweden has fined a school community in central Sweden, almost 20,000 euros for employing a facial recognition system. It wasn't connected to the internet. They locked it in cabinets overnight. It was extensively with consent. The big problem with that the Data Protection Commissioner said, there is no really genuine freely considered given consent in a school for something that you're making a requirement to walk in and out of the door with. It's very hard to say you've got consent, it's not a tick box exercise, you can't just sign a piece of paper and say parents have agreed consent has to be freely given.
France again, just put a ban in the south of France for schools who have adopted facial recognition technology, lots of debate around this in the public domain at the moment as well. Insufficient organisational and security measures, something that's being picked up in schools in Denmark. New York, the states has very different laws, and how they manage things is quite interesting. Because we're not telling our children very much about how their data process in schools, we're not very good at it. This form on the right and it was a bit small, but you're welcome to get my slides from me afterwards and I'll post them on our website which you can get from the flyer. If you tell children something simple, like your internet use will be monitored. And you have a company that is collecting every single thing they do on the internet, building a profile, recording that data, potentially putting in flags of terrorism and then sending that data to the States. This one liner, I understand my internet will be monitored is completely inadequate and unlawful processing, both by you and by the company. So we need to fix these things. children have rights in schools. I love when my kids go to school. My teachers are brilliant, and I've just been on Jeremy Vine saying although it was about toilet, CCTV. Teachers in this country are overstretched, underpaid, undervalued, and really, I think almost at breaking point sometimes around putting in some technology just because they think it will be a better fix than the shortage of staff you've got right now. Can we put stuff in that has an app that does it the parents can do their own admin because we haven't got backs back office stuff anymore? Can we do this classroom monitoring thing? Because we haven't got a TA anymore? Can we, you know, effectively make up for not having humans enough staff around by technology. We have to make sure that when we're thinking about these things that we're actually realistic about, what do they deliver? What do they cost long term, and they don't erode the fundamental rights to privacy that children have.
We want a really drastic rethinking of how we manage this in schools. And we can only do this with your help, actually. So if it's something you think you want to care about, get in touch with us afterwards. Ask your candidates if you're going to hustings because we think you actually have to change the wide variety of processing that all these companies do on a day to day basis, that they are creating their own products out of the children's data that they're analysing if their own data analytics, that they're really going far beyond what you require them to do as a school, because you engage that product from a company to deliver part of your public task, part of the education a day to day routine activities. That article six GDPR permission under public task does not extend to the company. They don't have a statutory obligation. They can agree with you under contract what they're allowed to do. But it can't go beyond what a processor is allowed to do. If the company starts becoming a data controller, that is they start deciding how they use the data, how long they keep it, what they use it for, that makes them the data controller, and they have no public task. So what basis in law are they processing on? At the moment? A lot of them the answer is none and they're unlawful. So we think we actually need a big revision of reducing back in some of what these companies are doing with children's data in schools, but also building a better system that schools have support, to be able to understand how all these systems all work, that you get some of that workload burden taken away from a day to day processing basis that you don't have to understand all this data processing going on, that you get an approved list all that together with your MAT, or your Academy chain or your local authority or wherever else that might look. You understand. We've got good trusted suppliers. We know what they're doing, we effectively kitemark them, and it would take away some of that burden that schools have to understand what's going on and give you the clarity and confidence to know that you're processing safely and lawfully. So read more about it is something you're interested in.
All of these things we've we've listed out in our brochure, here, we basically want lifetime accountability for companies because at the moment what happens is a child leaves school at the end of a day. And each of those days in the year add up, and by the time they leave school, or whatever stage you His primary secondary further, they have no idea where their digital footprint has gone. You cannot tell them where their data has been processed, how long they're going to keep it for, what's going to happen next. And the companies and the schools have an accountability obligation. You have to be able to tell people, where's the data gone? Who's got it? And why of how long and when are they going to destroy it? So we think we have to increase this accountability for a lifetime of data. So finally, don't forget to vote. Ask your candidates about these things, if you think something that matters, and let's answer your questions. Hi.
Audience Member 1
Hi, I've got two questions, if that's okay. Firstly, you're now about maybe getting a bit closer, a registration of kitemark companies essentially, to give you a lifetime protection of what they're doing with the data. Do you see that as a reality? Because I'm a data protection officer in education and everything that you've said to me will make me to sleep a little worse this evening because you've got all the different companies we've gone from Sims to SchoolPods to RM integris, where we've got the whole people record is terrifying as to what they were, what they're going to do with that data and how we can control it. So is that a reality that, you know, there will be a registration of providers that we can go to?
Audience Member 1
Just a second one. Second one is I can't wait to re listen to the Jeremy Vine piece because I want to know the outcome of whether you can put the TV cameras in the toilet and what angle they're on. Thank you. Okay.
All right. So did people hear that at the back? So right, okay.
So the first question, I think there is the infrastructure isn't there right now, we're totally aware of that. But the result of that gap is that you have a real accountability problem in schools as a data protection officer or your school's governors, you're you're responsible for the children's data for telling families and how it works. So we think what you'd like to be able to do is have an A4 piece of paper at the start of the year or electronic, and be able to say, here are the 30-50 however many companies is that we're going to send your personal data to from our schools information management system. And here is the data or the types of data that we're going to send them. And you don't get consent. But you get a recognition effectively, they say, we acknowledge we understand that that's your fair processing obligation fulfilled. You don't need consent because you process on the basis of public task. And we have to at the same time, ensure the companies all realise they have to up their game and stop processing for their own purposes. And then you do they then they then don't need consent, because they're contracted to the schools. And is it going to be a massive challenge? Will it happen in reality? I think if it doesn't happen reality, we'll end up losing more and more trust in the school system. We'll have more breaches, we'll have the CCTV you know streaming and us TV like they were in Blackpool schools last year, we're going to have enforcement action. Something that we're working on, we have parents come to us and say we really dislike x, y, z app, or platform. And we're really unconcerned about where the data is going. Something's got to give. It's not a sustainable model at the moment. And that's what we're trying to build. We haven't got the infrastructure right now. We have to see how it could be done. But it definitely needs oversight from somewhere and I think it should be better regional than it, then it would be national. And I think we lost to be honest, some of the the oversight and the support perhaps from local authorities who once had people that used to be expert in DPAs have gone I mean, we've just lost the dearth of knowledge it's going to take time, but I think there's not. I'll be delighted if you'd another alternative, but I don't think we've got a better model right now.
Yeah, if there's no more questions, going straight on to the CCTV, so, yeah, CCTV in toilets. So if you want to get to real nitty gritty The European Data Protection Board has put out a very good document on video surveillance, and the data protection implications of it. And it's case study in that document is don't put CCTV in toiletsit is an invasion of privacy, it's a step too far is not necessary. You have a necessity test and data protection legislation, you must be able to prove it was necessary that there is no other alternative method for achieving your aim. And that this data collection was necessary and proportionate to that. So we're actually carrying out a survey right now of London schools. We've got answers back from about 120 primaries and nurseries, none of them say, and it's an anonymous survey, genuinely, so none of them say they're processing with CCTV in toilets or bathrooms they do at the entrance halls. I think there's a real big risk in some of this at the moment that we sort of normalised the idea that we have to watch everything all the time, otherwise we're liable for a problem.
It was so risk averse right now. And I understand why. But it got to the point where there's no evidence, genuine evidence measured evidence from companies that provide these services that it genuinely solves the problem that you're trying to fix. It gives you other headaches because you then have the potential of risks, you know, if breaches, misuse, people watching it when they shouldn't be, or it stored and retention and lost the installation of the cameras in secret in London recently. We've got cameras going into schools, you know, that are being 360 degree cameras going into every classroom, ostensibly for teacher training. So it's filming you recording voice, both teachers and pupils being played back for teacher training. But that's a very slippery slope into teacher control as far as I'm concerned. I mean, what could be better? What would be better way of measuring your progress 8? If we get rid of all the detailed test that we just watched the teachers I mean, there's a real story slippery slope and some of this. So CCTV and toilets for us is a complete no. It should be very proportionate, very necessary and pass that necessity test. And your data protection impact assessment should show that you demonstrate that. And especially when you're processing a lot of children at high volumes, you certainly need to carry one out.
So questions on it because we've got a survey going of primary nurseries. We've got responses back from secondary schools around CCTV and toilets. And obviously, the concerns. The concerns are around bullying, mess, violence, damage and all those things. We haven't in our survey yet, and I know it's common. I know people talk about it. I think sometimes though, there is also this idea that because it's become normalised that it the idea that it's common, is actually more common reality that they're not installed in toilets that they are in the hallways that they might be in a hallway close to the toilet, but they're not actually in the bathrooms. And I think people are starting to think, oh, other people are doing it, I need to be doing it too. There's always this fear of missing out. So this is why we're trying to get a baseline right now of our people actually doing it. But I would say the solution to some of these big social problems are not zero tolerance. That's a personal private view of mine. It's not more authoritarian watching and surveillance is certainly not done through technology. It's done through people. And I think the teaching profession needs more funding and more staff to be able to have those trusted relationships in schools between you and your pupils, that if there is a problem, it's nipped in the bud. We're not going to solve bullying. There's always been bullying. I remember as a six year old one of my friends was literally I think about it was being asked for you know, pocket money for sweets after school by the nine year old as it was then and it but she could get to the head and say this was happening and it stopped. I know that's a simple scenario. But some of this is not going to solve itself. But it's not going to be solved by technology. Just by watching that doesn't do anything. You have to then understand who's watching it. is you actually going to get enforcement out of it? Is anyone going to take any action? And how would you get a culture change if it really is a significant problem?
Nothing else? Nothing tough. I think we've run over time anyway. Little bit. Okay. Listen, if you've got other questions you think about I'm here come over and ask. Otherwise, it'd be great, we've got flyers, take them away and thanks for coming.
Don't forget to register for your free place at our upcoming show on www.schoolsandacademiesshow.co.uk.