Create an Account Free Trial

Why children’s digital footprints in school matter

Image by giulius licensed under CC BY-NC-SA 2.0

Why children’s digital footprints in school matter

Share this:

by Joseph Savirimuthu, University of Liverpool

Vast amounts of personal, behavioural and academic data about children are being collected, processed and used by schools, local authorities, and the government every year.

But a recent review by the Information Commissioner’s Office (ICO) in the UK of 50 websites and apps used by children found that only a third had “effective controls in place to limit the collection of personal information from children”.

There is a real risk to children that their activities online may be monitored and their personal and behavioural traits the subject of profiling by third parties. Children and their parents may have little or no knowledge of these activities or the fact that a wide range of their personal information is being stored in databases for an indefinite period.

Breaches of data protection rules and unauthorised processing and sharing of sensitive personal information expose children to privacy harms which may go unnoticed.

Schools need to up their game. On December 17, the European Union agreed on the final text of the European General Data Protection Regulation (GDPR), which includes rules that all organisations will be expected to take into account the rights of children to have their personal data protected. The regulation has to be formally approved by EU institutions in 2016 and will come into force in a little over two years time.

Information and communication technology is now pervasive in primary, secondary and special schools. Many now integrate tablets and smartphones into lessons and have taken full advantage of the booming market for educational software packages, mobile apps, cloud computing services, intranets and games platforms. New biometric technology, such as security scanners that use fingerprints, is also being tried by some schools.

Yet, it is becoming apparent that parents and schools need to be more proactive to ensure that children’s data protection rights are not overlooked. For example, it is often assumed that schools need only obtain consent of the child or parent on a yearly basis to process their personal information. This cannot be right, since a wide range of personal information covering a child’s activities will be regularly collected, used and shared widely. Digital information can also be stored indefinitely.

New information relating to a child’s weekly performances or activities may form the basis of observations and inferences made by the teachers or other third parties. Schools should reconsider whether the processing of such information is covered by getting prior consent or whether it is sufficiently different to require additional consent from parents.

Information is useful

The collection of the personal information of children has a number of positive aspects. As well as grades and performance indicators, schools collect information including age, gender, language, ethnicity and health. Information relating to a child’s health and their family’s financial circumstances can help schools provide appropriate support and services, such as the pupil premium for disadvantaged children.

Much of this data is necessary for a school to undertake its administrative duties and deliver appropriate education services. For example, processing information relating to attendance, discipline, or performances in class and tests can help inform the delivery of lessons and study support.

Local authorities and the government may also collect personal data from children to ensure that educational benchmarks are met, and also use information collected from schools to identify educational priorities and needs.

What the law says

Data protection law recognises scope for legitimate and fair processing of children’s personal data. Schools are regarded as “data controllers” – in other words, they must comply with data protection laws for personal information held by them as well as processing that is undertaken on their behalf by third parties.

Section 2 of the Data Protection Act 1998 on “sensitive personal data” imposes an obligation on schools to take particular care when dealing with information relating to a child’s “physical or mental health, their racial or ethnic origin, sexual life or commission or alleged commission of any offence, and related proceedings”.

The key point here is that while it is important that schools should have access to children’s relevant personal data, it is imperative that access, collection and processing of their information is not seen as opening the way to make use of their data for purposes without their knowledge.

Schools must ensure that children’s personal data is processed in accordance with all the ICO’s data protection principles and best practice guidelines. These include requirements that personal data be fairly and lawfully processed, kept secure, processed for a limited purpose and not kept longer than necessary.

Schools need to produce privacy policies which are accessible to children and their parents. The time is ripe for all schools to demonstrate that children and parents are provided with privacy policies that are comprehensible and not written by lawyers for lawyers. Schools must demonstrate that good information governance is an ongoing priority. Children and their parents must know precisely how their personal information is being used, for what purposes and by whom.

Joseph Savirimuthu is  Senior Lecturer in Law and Director of Postgraduate Studies at the University of Liverpool.

Questions for governing boards
  • When did our institution last audit what data it collects on children, parents and staff?
  • How do governors remain informed about what their institution is collecting on its community – are we regularly informed, or do we need to ask?
  • Are pupils, parents and staff informed about how their data is collected, stored and processed? If so, how does this happen?
  • If the school has policies and communications in this area, are any governors aware of what these are. Are they written so as to be easily understood by the school’s wider community, not just senior leaders or specialist support staff?
  • What’s our understanding of how “good information governance” relates to our role in governance? What are the strategic implications for our school in having to consider the issues in this area?

If your governing board is a Modern Governor subscriber, then the School Governors and Social Media  e-learning module contains a section to support your board in considering these issues and taking some steps to understand them if you are not familiar. Look for further modules being added to the Core Skills collections in the next term which will give governors and trustees further CPD in understanding the issues around information governance.


 

This article was originally published on The Conversation as Why your child’s digital footprints in school matter. The featured image and Questions for governing boards were added by Modern Governor.

The Conversation - logo

Read the original article.


Featured image by giulius licensed under CC BY-NC-SA 2.0

The Conversation


Share this:
1Comment
  • Modern Governor Data breaches don’t just happen to other schools
    Posted at 12:08h, 01 April Reply

    […] However, both of those beneficial examples of educational technology rely on sensitive personal data about pupils in order to work. They need to know contextual data (name, form, age, gender… possibly more) to function at even a basic level. And that’s before we take into account the data which the user (teacher or child) is creating with that app. The hyperlink above leads to the ICO’s definition of sensitive personal data, but to summarise, these are data by which someone can be identified and which no one would otherwise be able to know about them. Schools are legally required to keep these data secure. […]

Post A Comment