An increasing number of schools are taking steps to monitor the online activity of their pupils and staff, both inside and outside of school premises and hours. Reportedly, up to 700,000 children, students, and teaching staff could be affected by monitoring undertaken by a company called eSafe.

eSafe is contracted by schools to boost safeguarding provisions and uses what it calls ‘advanced detection software’ and ‘expert interpretation and assessment’ to monitor electronic devices for safeguarding risks, such as ‘grooming, paedophile activity, child abuse and sexualisation, female genital mutilation (FGM), homophobic, biphobic and transphobic (HBT), racism, bullying and harassment, self-harm/suicide, radicalisation, threats of violence, terrorist activity, trafficking, and gang culture’. The service operates 24 hours a day, 365 days a year.

Such a service has clear benefits for schools. Since the publication of the Department for Education’s guidance on Keeping children safe in education and implementation of the ‘prevent duty’, schools are under increasing obligations to ensure the online safety of pupils and to have due regard to preventing people from being drawn into terrorism. However, this must be carefully balanced against privacy rights and the security of the data being collected.

Given the integral part technology now plays in our daily lives and the rise in the use of school-owned electronic devices by pupils both in class and at home, eSafe has brought to the fore the question of privacy, the data protection implications of such a service, and what schools should be aware of when they use it.

Data protection implications

Electronic devices such as tablets and smartphones are inherently personal. The monitoring activities employed by eSafe not only involve processing personal data (information from which a living individual can be identified) but will most likely also entail processing sensitive information.

Sensitive personal data is information about ethnic origin, political opinions, religious or similar beliefs, trade union membership, health, sex life, criminal proceedings, or convictions. Due to the inherent risk attached to unlawful processing of this data, there are greater legal restrictions on the processing of such information. Schools, as ‘data controllers’ under the Data Protection Act 1998 (DPA), must ensure they comply with the eight data protection principles when processing any kind of personal data.

Where eSafe is employed by a school, this does not contract out a school’s own duties as data controller. It must still ensure any processing (be it the initial instruction to eSafe or subsequent data sharing) complies with the DPA. Failure to do so risks enforcement action and compensation claims from individuals.

The best way for schools to ensure they are compliant is to undertake detailed due diligence on any service provider and carefully choose their partners. Schools must put in place a written contract with the service provider which allows the school to monitor, review and audit any processing undertaken.

As part of compliance with the DPA, schools must also consider whether the monitoring they want to do via eSafe is fair, lawful and proportionate. This means a careful balancing exercise needs to be undertaken to ensure the privacy of individuals will not be unduly prejudiced.

Key questions for schools

A service such as eSafe will certainly be attractive to schools which endeavour to comply with their extensive safeguarding obligations, so what questions should schools ask when they engage such a service provider?

  • Is the purpose for which data is collected clear?
  • How will staff and pupils be made aware of the purpose for which data is collected and the extent of the monitoring involved?
  • Does this notification comply with the DPA and the more stringent obligations in the forthcoming General Data Protection Regulation?
  • How will the service provider monitor and use the data?
  • Is the level of processing necessary, adequate, and relevant for the purpose?
  • What security measures are in place to protect data?
  • Who will data be shared with and on what legal basis will this be done?
  • How long will data be kept for and what are the procedures for the deletion of data?
  • Will consent be sought for the processing? If so, is parental consent required?
  • Can the school document this thought process and, if called upon by regulators, demonstrate compliance with data protection laws?

Schools should not hesitate to seek specialist advice when dealing with matters such as this.

This article originally featured on the Solicitors Journal