The recent update to the Keeping Children Safe in Education Document obliges schools and colleges in England to “ensure appropriate filters and appropriate monitoring systems are in place and regularly review their effectiveness”.
In March 2023 the Department of Education published Filtering and Monitoring Standards: Meeting digital and technology standards in schools and colleges in preparation for the KCSIE changes.
One of the key points from the new KCSIE guidance is that DSLs now have a responsibility for "understanding the filtering and monitoring systems and processes in place". This means that DSLs should be involved in the procurement of a system and then in the implementation and decision making behind any alerts that the system generates.
Often IT technicians and IT Managers are involved in data protection as a lead when, in fact, they should be the enabler of data protection. The same applies in this instance: the IT lead should enable the system and support the DSL in being able to use it. If the system issues any alerts, it is the DSL's decision whether that is passed to any safeguarding application or processed further from a safeguarding perspective. Procurement of the system should be with the Senior Leadership team, although it is always best to consult with the IT lead too to ensure it works with other systems already in place.
From a data protection point of view, some of these systems come under large scale monitoring: they don't just monitor internet browsing or internet searches but actual keystrokes in an application, such as Word. They also monitor staff. With that in mind, we would advise that third party due diligence is completed. Review: Supplier Due Diligence Best Practice Area, complete the Supplier Due Diligence Form and send it to the third party supplier. Once it is returned, we can help you assess any risks. The system may also link to a third party safeguarding system, so a review of what data is shared should be part of that due diligence. Review: ICO: Guide to Monitoring Lawfully in the Workplace, where it says you must be clear about your purpose for monitoring emails and messages and make sure any monitoring is necessary and proportionate to your purpose. You must inform workers of the purpose of any monitoring. If you are considering monitoring emails and messages, you must complete a DPIA. This is because it poses a high risk to workers’ data protection rights and freedoms and is likely to capture special category data.
Once implemented, you would need to include references to the supplier in your privacy notices about any data shared. Review: Transparency Best Practice Area.
When reviewing a product, we would advise looking at the retention period for keeping the alerts and what personal data that might include. It may include, for example, the name of a child, which could be held in the system for a period of time and so may need to be included in any subject access requests. Where an alert triggers sending information to another system, i.e. a safeguarding system, it may be best practice to remove that alert from the monitoring system so the information is only in one place, with the pupil/staff record and with other special category/safeguarding data. Review: Principle (c) Data Minimisation.
Please note this relates to school-owned devices inside and outside of school for both staff and students, and users should clearly be notified.
Other policies in the organisation may also need to be updated to reflect use of a filtering and monitoring system.
Further support and guidance about KCSIE and filtering and monitoring:
SWGFL Filtering and Monitoring