From 25 May 2018 the Data Protection Act is superseded by the EU General Data Protection Regulation (GDPR) , which is a significantly-stricter regime to protect personal information online. I have recently completed our GDPR review.
The two critical changes are
- Explicit consent is required for processing sensitive personal data.
- Parental consent will be required to process the personal data of children under the age of 16 for online services.
What counts as sensitive personal data?
- Health and genetic data
- Biometric data
- Racial or ethnic data
- Political opinions
- Sexual orientation
Of these, only (3) is relevant to Yacapaca. In order for our analytics module to continue to report results broken down by ethnic origin category, we would need written permission from the parent or guardian of every child in the school.
That game, I’m afraid, ain’t worth the candle, so as from September that metadata category has been withdrawn. If you use that analysis, you will need to export the raw data and re-import it into a service such as SIMS that still stores this data.
We are also in the process of removing student email addresses from the system. Although this is not strictly required by GDPR, it will make it easier for school GDPR compliance officers to monitor our service.
On the roadmap to full compliance are
- Updated Terms of Service 21/5/18
- Standard Data Protection Contract (PDF) for your GDPR Data Protection Officer to download, complete and return. This is required for any school or MAT for which we hold student data, 1/5/18. Some stragglers still outstanding as of 1/9/19.
- Individual consent requests to every teacher. We only hold very limited data about teachers, but it still requires consent. Now built-in to Yacapaca and up to date for any teacher who has signed in since 21/5/18.