Real Social Dilemma: Safeguarding & Data Protection in Schools

Many of you will have seen Netflix’s docudrama, The Social Dilemma. The film explores the alarming human impact of social media, with experts from Big Tech, including Google, Facebook, Twitter, Instagram and more warning of the consequences of their own creations.

Taking center stage is the influence that our day to day interactions with apps and technology have on our lives and the decisions we make. Although not a particularly new doomsday argument, the show’s release in the run-up to the 2020 U.S. election painted an intriguing contextual backdrop given the widely reported impact the Cambridge Analytica data scandal had on the last one.The misappropriation of data for political gain is indeed nefarious, however, what the documentary touches upon but fails to go into greater detail is the child protection and safeguarding issues relating to profiling and third party aggregation of data and where collective improvements need to be made. This blog takes a look at the issues raised within the documentary and places them within the context of schools and education.

Let's go back to school

The role of a school is to educate its pupils while ensuring their safety. Protecting pupil data should be seen as part of the school’s safeguarding responsibilities. Whilst many schools teach online safety as part of their curriculum, schools can go further to protect their pupils in school. By filtering and monitoring the internet usage of devices connected to their networks, schools can safeguard their pupils by preventing access to inappropriate content and sites which seek to exploit the personal data of users online.

Website filtering systems already form part of many schools' IT security framework; think of Smoothwall, Lightspeed, Sophos, Palo Alto, iBoss etc. Schools fully understand how children can be influenced by what they see on the internet and why filtering and blocking sites is so important to prevent harmful or distasteful sites reaching pupil devices. But monitoring internet use is often seen as a step too far and an intrusion of the users’ privacy, particularly as it will need to apply to all users of the school network, including staff.

This is where school governing bodies and their child protection staff need to fully understand the technology they have in place so that they can be confident in its application, especially when identifying children accessing or trying to access harmful and inappropriate content online.

The General Data Protection Regulation (GDPR) requires careful consideration to ensure the protection of school systems and the safeguarding of pupils is balanced against the right to user privacy. Balancing your obligations to comply with data protection, safeguarding information / cyber security legislation is a complex area - take our word for it! That’s why we are offering the opportunity to book an informative virtual workshop with us free of charge.

9ine provide free, virtual leadership training in the areas of data protection & security and systems in education. This workshop provides independent, school-specific training, the outputs will provide your school with a clear plan of action for evidencing compliance, and what best practices look like.

What are the risks for personal data online?

Schools are already aware of the harm that can be caused by social media and inappropriate content online. Inappropriate content here means material that is illegal, shows violent behaviour (such as bullying, self harm or suicide), promotes discrimination or drug / substance abuse, or is pornographic. There are, however, additional factors to consider regarding the personal data of users connecting to the school network.

Let’s start at the beginning, schools usually generate a profile for each person in their school to enable them to logon and use school computers. This allows teachers and pupils to make the online connections they need in school for study and work, connections which are often made using applications. App providers collect personal data. Sometimes it is low level but occasionally that low level personal data collection can escalate and be a viable commodity for others to purchase and exploit.

For instance, an app provider may collect the IP address of the user, their name, age and their location. This information may allow the app provider to make certain assumptions about that user by comparing the data with other users’ demographics. The user may then use their school profile to logon to the app at home using their own device. This provides an opportunity for more information to be collected by the app provider, such as a different location. This helps to build a profile of that user which can be sold to third parties who might aggregate that personal data with data collected from other apps. Those third parties may then use that data to target online inducements and advertisements to the users based upon their online behaviour, their location, or any other vulnerabilities that may have been assessed as a result of algorithms used by the app provider or third party.

The crux of the matter is that website use is perilous and data is collected and exploited online, often without the knowledge of the user. One of the pertinent quotes from The Social Dilemma in this regard was, “if you're not paying for the product, then you are the product.” Schools are in an ideal position to educate their staff and pupils about understanding the commoditisation of personal data and how to employ relevant safeguards. At the heart of this is the need to explain why filtering and monitoring website use is considered a necessity to help limit users’ exposure to the above risks.

What are the issues for user privacy?

Schools have to take into account the data protection rights of their students and staff when implementing any measures which affect their privacy. Filtering and blocking inappropriate sites in school prevents online connections being made to those sites, which helps to keep the school secure and does not affect the privacy of the user.

Monitoring sites, however, does affect the privacy of the user due to the school being able to access the browsing history of the users connecting to the school network. This will include any browser windows left open while the user was off site. For most, this will include learning / work based material. However, consider a case where the browser window contains a connection to an inappropriate site from which inferences can be drawn about the user. The filtering framework attached to the school network may prevent the content being shown in school but, because of the monitoring framework is in place, that site now forms part of the school monitoring log attached to that user. That user will have an expectation of privacy but the extent to which that expectation is reasonable will depend on whether the user’s device is school-owned or user-owned as part of a Bring Your Own Device (BYOD) initiative.

A school-owned device, typically, has the following elements:

• The device is bought and owned by the school
• It is configured by the school to have particular applications and settings / restrictions applied (for example, there will be no administrator access so the user cannot install applications unless authorised by the school)
• The device is allocated and given to the user
• The user logs into the device with their school network credentials and onto the WiFi using the same credentials

In contrast, a BYOD, is:

• Bought and owned by the user
• Has no restrictions or settings applied by the school
• Access to the school network / internet is configured through wireless access
• The user logs on to the wifi with their school network credentials
• The user’s access is restricted whilst connected to the school network in accordance with school requirements
• The school has no privileges to access the device itself

It is clear that the expectation of privacy concerning a user of a BYOD device will be much greater than a user of a school-owned device, and there may be some reluctance on the part of the user to access the internet using a school WiFi which is monitoring website use. Whilst the school can take little action regarding BYOD users accessing online content independently of the school WiFi, this should not be seen as a reason to avoid monitoring altogether.

Compliance with data protection law

The GDPR requires the privacy of users to be balanced against the objectives of the school and for schools, as data controllers, to demonstrate their accountability and compliance with the law.

Before any monitoring is carried out and any personal data is collected, a Data Protection Impact Assessment (DPIA) should be carried out to consider:

• The extent of the monitoring proposed and the personal data to be collected
• The reasons justifying the monitoring and whether there are any other measures that would be less intrusive for the user
• The legal basis for requiring the monitoring (this might be, for instance, that the data subject has given consent, it is required as part of the employment contract, there is a legal obligation in this regard, or it is in the legitimate interests of the school to carry out the monitoring and these interests are not overridden by the rights of the system users)
• The risks involved for the school and the system users (including the intrusion on their privacy) with and without the monitoring system in place
• How these risks can be mitigated (for instance, limiting the personnel who can access the monitoring log)

It is important that the school’s Data Protection Officer (DPO) is involved with this DPIA process. Once a DPIA has been completed and the monitoring system is to be implemented, it is important that schools are transparent about the data they collect and why they collect it. Privacy Notices should therefore be updated to explain the process of monitoring and why it is necessary.

Where consent is being relied upon as the legal basis, a written consent form should detail how the data is being collected and why. It should also document how long the consent will be valid for (e.g. for the duration of the employment contract). This should be reflected in the school’s Retention Policy.

Internal governance should also be updated, including data maps and Records of Processing Activities (RoPA) to ensure they include this processing activity and document the legal basis for processing.

Policies

A number of policies should be integrated into the school culture to ensure users are aware of the technologies that are used, how they are configured and how they are to be used. All policies should be presented to the relevant user at the earliest opportunity upon joining the school. This could be during their first tutor session as a pupil or during their induction as a member of staff. Any changes to these policies should also be communicated quickly and efficiently to all users.

It is important that policies underpin the vision and values of the school and directly refer to both safeguarding and data protection. Some important policies to consider:

• Data Protection Policy
  
  • This should determine how the data relating to a user at the school is secured and the measures that users need to take in order to comply
• IT Acceptable Use Policy
  
  • This establishes the rules that users must abide by when using IT equipment in school (school owned and user owned) both on and outside the school premises
• BYOD Policy
  • This establishes rules for users bringing their own devices into school and using them at the school. For example, it should include what systems users are able to access, which devices are allowed to connect to the network and any changes that need to be made to the device in order to comply with school requirements
• Filtering and Monitoring Policy
  • This informs the users of the technology being used by the school to filter and monitor internet and network use. This policy should explain to the user exactly what data is being monitored by the school, how it is stored and for how long

Consideration

Schools need effective monitoring systems in place to, most importantly, profile the online behaviour of children and do so at an individual risk level. Monitoring also needs to be proportionate for all users within the school, including staff - if there are any less intrusive ways of achieving the same result then these need to be considered. The challenge of implementing this though is compounded by the requirement to not ‘over block’ access to the internet and restrict what children can be taught with regards to online teaching and safeguarding.

It’s important that schools, staff and students alike are realistic about the risks to personal data online. Monitoring won’t solve everything or prevent your users from using the web independently of the school network. What’s important is ensuring the appropriate level of training is provided to staff and students to make them aware of the real consequences at stake, not just the Hollywood pitfalls laid out in The Social Dilemma. Regarding the danger posed to children, child protection and safeguarding staff within schools should be leading the way on deciding how to best use the data presented by their network filtering / monitoring solutions and ultimately decide on the specific training required for all staff.

ABOUT THE AUTHOR:

Marcus is a Senior Technical Consultant at 9ine, responsible for the on the ground management of new build / refurbishment projects. He specialises in the application and configuration of technical systems and services within schools, including mobile device management (MDM) systems. He holds a bachelor's degree in computer network management and design.