Lessons learned from FERPA in schools
For several years, Facit has worked with schools in the USA to help them comply with The Family Educational Rights and Privacy Act (FERPA). FERPA is designed to protect personal privacy that gives parents the right to access their child’s education record, the right to have the education record amended, and the right to have some control over the disclosure of their child’s personally identifiable information (PII).
While FERPA regulations historically covered paper and computerised education records, the regulations now encompass digital records such as video.
When a video contains multiple students FERPA requires the educational institution to allow a parent of a student to inspect video in which their child appears. However, the institution is required redact or segment third-party images in the video footage prior to providing the parent with access.
Data privacy breaches are on the rise in UK schools
In the UK, the Education sector was the second worst-hit by data breaches in 2021, and the number of breaches reported is increasing. Only the public sector suffered more publicly disclosed data breaches in the same year.
The concern for schools is that most data breach incidents relate to children, whose data is subject to specific protections under GDPR.
Ransomware was the most common cause of breaches among schools, accounting for 41% of all incidents.
Another common cause of data breaches at schools was internal error. Some examples of school data breaches include: a school sending personal data to the wrong person via a letter, email or another form of communication; and revealing a student's sensitive medical information to members of their class that might lead to bullying or discrimination.
ICO data protection advice on photographs and digital images in schools
If someone can be recognised from a photograph or video clip, it is generally considered their personal data.
The ICO provides a lawful basis checker to help people decide which basis is right for taking photographs or publishing video at a school. There are two categories for taking or publishing image: ‘Public task’ and ‘Legitimate interests.’
However, schools completing the ICO’s lawful basis checker multiple-choice thread might frequently arrive at an ‘inconclusive’ result.
The ICO is far from alarmist in its coverage of images in schools. The Commissioner provides concrete examples which suggest that, in most cases, schools can proceed with low risks of data breaches.
However, a core component of compliance – as for any organisation – is that “You must tell people upfront what you’re going to do with their personal data so they know what to expect from the beginning.”
People should be given the chance to opt out. If there is an intention to use students’ photos for promotional purposes, the ICO expects you to offer an opt-out to parents or to students who are old enough.
What happens if someone changes their mind about image use?
The ICO advises that once a parent or pupil changes their mind about the use of an image, it is best to agree that the image will not be used in future materials or in any digital media.
The image should probably be removed from websites, but it is not necessarily the case that paper copies, brochures or prospectuses need to be recalled, unless child welfare issues are involved.
As always, let people know what to expect
It is best practice to inform people how their data will be used. In the case of schools, it is recommended to disseminate data protection policies for recording and using photographs, and to communicate about events where the school will capture images, together with details about how to opt out.
Store files securely and train your staff
When it comes to children’s data, particular care must be taken to keep it safe and prevent access to all but those who are authorised.
As we highlighted in a previous blog post, make sure that your school keeps a record of safeguarding procedures and train staff regularly to avoid the risk of a data breach.
Failure to publish data protection policies and train staff will almost certainly lead to an ICO reprimand or fine, damage to the school’s reputation, and a break down of trust with the community and parents.
Data protection does not cover personal use
People can take photographs and video recordings for personal use, such as for a family album. However, your school may decide that it is not always appropriate to allow photographs. You can choose to ban video and photography as a school, but the ban would not be on data protection grounds.
Similarly, schools may ask parents and guardians not to post photographs on social media of other people’s children. This is a sensible policy, but it is not a data protection issue because the law does not cover private social media posts shared with friends and family.
Conclusion: take expert advice, pool resources and look for privacy compliance economies of scale
Ransomware has been the biggest threat to schools’ data privacy to date. As we have discovered, some aspects of data privacy associated with images and video in schools are either ambiguous or hard to control. Yet, with the rise in schools’ data breaches, it is inevitable that an image or video will become the subject of breach investigation.
At Facit, we advise on data protection and provide technical solutions to assure data privacy compliance. In the UK, schools associated with multi-academy trusts have a significant opportunity to pool their resources and maximise compliance budgets by talking to Facit about estate-wide solutions.