GrumbleDook for chapter and verse on this
I am looking for a pointer to BECTA or DfEE guidance on the issue of the ownership of school data that is being stored in MIS/Administrative/VLE systems. I seem to remember it came about when one of the MIS suppliers claimed that the data stored in their system was theirs. Anyone have any ideas, please.
Last edited by witch; 7th March 2013 at 07:57 AM.
I would love a MIS/Administrative/VLE supplier to publicly state that they own your school (MIS) data. They wouldn't be trading by the end of the week. I've heard of companies providing the data in very unhelpful CSV format as a data dump prior to them destroying any copies they have.
MIS companies should not own the school's data. The data belongs to the school; it's merely 'processed' by the MIS company.
If you change MIS, as per the IMLS Framework, the MIS company has an obligation to help you export your data in a meaningful fashion.
This goes back to data protection principles, so it is not school specific and so the ICO has chapter and verse on it. If you have a look through the "your obligations" section Data Protection Act - Guidance For Organisations - ICO it covers off most of the things you are likely to need to know.
IIRC the clarification about use / processing of data was around a vendor wanting to use 'live' data (including pictures) without agreement with the data owner / data subjects (ie parents / children (both 13+ and under 13) / staff / other data subjects).
The Data Owner (person granting authorisation to process the data) and Data Subject (the individual the data is about) are usually the same person in most walks of life. The DPA doesn't actually mention the Data Owner though ... it mentions the subject, personal data, the Data Controller and the Data Processor.
Data is held in care by someone (the Data Controller) and rather than being an assigned individual it is usually the legal body (eg the school). It has to be dealt with as specified by the Data Controller in their Notification. Within that Notification they might say they will share it with others, allow them to process it, and even allow others to do what they want with it too ... but the person who has ownership of that data is the data subject (and their legal guardian - under 13 it is covered under EU law that the minor is not the owner but the parent and 13+ it is covered as Duty of Care by the parent / guardian but open to challenge by the minor).
Simple terms. The Data Controller (the school) processes the data. They control how this is done, what other parties have access and how *they* process it, put in place the safeguards that no others can access / process it, and are responsible for ensuring that the requirements of the DPA are met. The MIS provider might say that they own it (which they don't) but they are still required to meet the criteria set out in the original Notification. If the school gives them access and the MIS provider then uses it for marketing / training, and this was not one of the requirements, then they are complicit in the school breaching the DPA.
The other conversations around the issues were not on public forums so I can't dig out an archive or share, but I will see what FoI stuff was around from the questions if you need any more.
The ICO is your friend in this though ... if you have an issue and you believe that a vendor is being difficult, or plain wrong in their approach, then the ICO helpline is a wonderful resource. Failing that, if you know the vendor has a copy of the data then you draft a template letter to all your parents so they can make DP requests for what data is held on them, how it is used and follow up with instructions to delete / remove. If the vendor fails to do this then you report each failure to the ICO and they risk being fined for each, individual failure.
Thank you for your help - very useful.
Would you say Microsoft owns your Word documents? An MIS is just a piece of software (or for me... a way of life!), should be treated as such. Schools own the data.
To add a clarification in here ...
There are circumstances where a vendor might say we 'own' the data, when they actually mean they own the process of what you do with it. It might be that this is a 3 way agreement between parties (eg school, solutions provider, VLE) and the solutions provider gets the data from A to B. The solutions provider could be contractually obliged to ensure that only relevant data is moved, that they are responsible at the end of the arrangement (contract, project, etc) for ensuring that data is removed from the VLE (ie the provider no longer has agreement to process the data so it has to be stripped out as per DPA principle 5) and so on.
All this should be written into contracts (including the Notification with the ICO), backed up with data processing agreements and involves clear communication.
I am sure we can all point to when one or more of the above have been a problem. Again, to put things simply, if it is not written down, a clear process and backed up by the Notification then you don't do it!
So if your data is in the cloud presumably it gets deleted if you stop paying? Even though the school owns it without doubt can someone else delete it?