In the lead up to the 25th May, it seems like everyone is talking about GDPR. Processing student data is our bread and butter at Assembly, and so we’ve put this blog post together to help our partners and connected schools understand how we’re handling GDPR compliance.
Our hope is that by summarising our key actions in one place, we are reducing the burden on schools by outlining clearly and concisely the key points to be aware of.
To make it as easy as possible to digest, we’ve tied our readiness activities to GDPR’s six data processing
1. Personal data should be processed lawfully, fairly and in a transparent manner.
We were already well-placed for GDPR as we had designed our systems to comply fully with the Data Protection Act. We’d also built in our own good practice that has ended up matching closely with the requirements of GDPR. Specifically:
We are transparent about our policies, spelt out in our Privacy Statement. GDPR requires that communication about how we process data is both concise and comprehensive. We aim to strike this balance by clearly articulating how we store and process data, and the lawful bases for doing so.
Data is stored in the cloud, using the Dublin data centres of Amazon Web Services (AWS, who have put in place comprehensive measures to ensure their own GDPR compliance). We never use school data for direct marketing; we transfer data only to EEC / approved countries; we have agreements in place if transferring to third parties. How we use data is outlined in our terms of service. We are also ready to comply with subject access requests to make personal data available to anyone who would like to know what information we hold about them.
2. Personal data should be collected for specified, explicit and legitimate purposes.
We process the data received from schools for the purposes of education and school improvement only. In our privacy notice and contracts with schools, we clearly stipulate the service that we provide, and we only process data in order to fulfil this obligation. We also articulate the role of schools as data controllers and Assembly as a data processor. The responsibilities of each party are clearly outlined to ensure that we are complying with the new legislation.
In order to transfer data from a school to a partner, we need a Data Access Request to be made by the partner and authorised by the school. This help article explains that process in more detail. Our platform can only collect the relevant data from a school and transfer it on to a partner app once a data access request has been authorised. Schools can also use our dashboard to deauthorise an app at any time.
3. Personal data should be adequate, relevant and limited to what is necessary.
This principle refers to the concept of data minimisation in particular. In our work, we first ask ourselves why we need the data and how we are going to use it. We do not collect, store or process more data than what we need to fulfil this purpose.
To ensure that only the minimum data required is transferred, our Data Access Requests (described in point two above) use granular permission scopes. Scopes are narrow and specific - e.g. “Student date of birth” or “SEN needs”. What’s more, apps are able to define scopes as either “required” or “optional”, meaning that you can choose not to opt in to “optional” scopes, if you do not think your school will use the functionality associated with them.
4. Personal data should be accurate and, where necessary, kept up to date.
The Assembly Platform can sync with school systems as often as once per hour, and the frequency is typically set to run a sync at least once per day. This ensures that the data we’re holding and transferring is always accurate and up-to-date.
Our terms also state that we ensure the data we hold about our partners is correct. We trust the sources of the data that we hold, and we work closely with our clients to respond to any accuracy issues with our data, should they arise. We are also available to respond to any requests to make sure we have correct information and delete any inaccuracies.
5. Personal data should be retained only for as long as necessary.
We limit our data storage by deleting information that is out of date. As stated in our terms, we only retain data for as long as required to fulfil our purpose for processing data. This could include legal requirements, to fulfil our contracts with schools, or we have consent to hold this information. We delete all data if you ask us to do so, or after a period of 12 months of inactivity. We will also delete data for students five years after they have left a school.
6. Personal data should be processed in an appropriate manner to maintain security.
GDPR requires that we take technical and organisational steps to ensure information security. To assist with this, we’re in the process of securing ISO 27001 certification from a UKAS accredited body to help us demonstrate the strength of our security processes. ISO 27001 is a specification and standard for an information security management system (ISMS). An ISMS is a framework of policies and procedures that includes all legal, physical and technical controls involved in an organisation’s information risk management processes.
As part of ISO 27001 and GDPR compliance, we also conduct data protection impact assessments at the start of new projects. By integrating data privacy into our change request process, we ensure data protection by design and by default across our work.
Assembly uses specific security measures: modern and best practice encryption technologies, including Secure Socket Layers (SSL, and specifically, TLS 1.2) for encrypted data transfer over the internet. We also encrypt all data at rest, and have additional field-level encryption on certain personally identifiable data. All users have password-protected identities, and we conduct penetration testing periodically to get an external perspective on our platform’s ability to defend against unauthorised access.
These measures all protect us against data breaches and any risks to data subjects, but in the unlikely event that one occurs, we also have in place a clear GDPR-compliant process for reporting and responding to them.
A final word about accountability
As an overarching principle, GDPR requires accountability through detailed tracking of all the steps we are taking to comply with these regulations. With this in mind, we have conducted comprehensive training with our staff and appointed a Data Protection Officer. In the absence of a formal code of practice on GDPR implementation for schools, the DfE has published Data protection: a toolkit for schools, which we summarised in a blog. We have also completed the DfE Cloud Services self-certification tool, to answer some more detailed questions about what we do, and we will participate in any future DfE initiatives of this nature. Finally, we engage with data protection and privacy campaigners to get their perspective on the robustness of our approach.
We’re in this together to support schools, which means taking data protection very seriously, to uphold the rights of the students we all serve. In this ongoing process, we are happy to respond to questions and comments - please let us know what you think!