In the midst of the pandemic, updating data compliance policies may not have been at the top of many school leaders’ to-do lists. Unfortunately, the need to fully comply with the data protection legislation has not gone away in light of the coronavirus. If anything, Covid-19 has only made the situation more complicated.

New practices, such as remote learning, have raised specific data protection considerations that most schools had never encountered before - and some of the changes to how schools operate are likely to remain in place for the foreseeable future.

So, what do school leaders need to know about data protection law in the age of the coronavirus? Here are some of the main considerations that they will need to take into account now and continue to think about over the rest of this academic year and into the next.

1. Remote learning

While the vast majority of students are now back at school, remote learning is still being used to support those who have to self-isolate as a result of a positive test. And while we hopefully will not see another national lockdown, we cannot rule out the possibility that schools may need to return to this way of teaching at some point in the future.

However, remote learning raises a number of data protection concerns. Teachers will most likely be processing some form of personal data and leaders need to consider how that data is handled.

For instance, many schools are using apps that allow work to be uploaded and returned digitally. Some apps will track a student’s development and share this with parents, requesting personal data of students and/or parents in the process. There has been some confusion about whether consent is required for this or whether it comes under what we call “public task” (according to the Information Commissioner’s Office, “you can rely on this lawful basis if you need to process personal data ‘in the exercise of official authority’… or to perform a specific task in the public interest” ).

When introducing any new data processing system, schools and colleges should consider the extent of personal data being processed and whether the same goal can be achieved without processing all the data.

Some apps will permit the school to retain the personal data and give students code names to limit the amount being processed. Such apps can usually be used under the public-task condition, on the grounds that they are providing education.

However, if an app requires full details of the student and/or parents, then leaders should consider whether this is really the most appropriate tool to use - and consider asking for consent if they do decide to use it. This, of course, brings its own complexities, as some parents or students may refuse consent and schools may then need to resort to paper learning packs or communicating through emails, so this is something to be aware of and prepare for.

2. Live lessons and video meetings

Virtual video meeting software has become a normal part of how many schools now operate. Such programmes allow you to see anyone in their home unless cameras are switched off.

But leaders should consider the amount of personal data that needs to be processed and balance this against the benefits of using video meeting software to host live lessons or meetings with staff.

Many schools have already put in place a “code of conduct” for students and staff to ensure that live lessons are safe. These might include a dress code and thinking about what is visible on camera behind you - avoiding photographs or other individuals appearing in the background, for example.

Leaders also need to consider the benefits of recording live lessons or meetings. Will these be shared with anyone? How will the recordings be stored and accessed? Should members of staff be able to use recorded lessons on their own social media channels?

The implications under data protection need to be considered here, and only where processing of this personal data is absolutely necessary should it be taken forward. Risk assessments should be undertaken and thought given to how data can be further minimised, for example, by muting attendees and focusing the recording on the whiteboard.

The same considerations should apply to virtual meetings or hearings (such as for complaints or exclusions hearings) where face-to-face meetings cannot take place.

Unfortunately, in a remote meeting, it is not always possible for attendees to see everyone else who is present and whether any covert recording is being made. But schools should set out clear rules for any meeting or hearing before it takes place, so that all participants are aware of the need to confirm attendance and not to record without permission.

3. Covid-19 testing

Institutions need to ensure that they process personal data relating to positive Covid-19 cases in line with data protection requirements, both when reporting to agencies and when making others aware of their need to self-isolate. This means minimising the data shared and taking care not to name individuals.

4. Teacher-assessed grades

As schools are, once again, being asked to provide grades for students in place of their sitting exams, leaders will need to consider what personal data will be processed for this purpose and the records they will retain.

Bear in mind that students may ask for further information about how grades have been determined, or make full subject access requests for all their personal data. Schools should consider this possibility in advance, thinking about what information they can share and when, in line with guidance from the government and examination boards.

If schools are aware that they are likely to receive a number of such requests, leaders may wish to be proactive on results day and share additional data with students by default, to avoid a flurry of requests during the holiday period.

Alternatively, it might be helpful to have a process set out (which all staff and students are aware of) for how the school will respond to requests in a timely manner, permitting any challenges to grades to be made.

Daljit Kaur is a senior associate in the education team at law firm Browne JacobsonThis article originally appeared in the 14 May 2021 issue under the headline “Pandemic has had profound impact on data protection”