As EdTech suppliers, it is crucial for us to determine whether we fall under the category of data processor or data controller. This distinction holds great importance for schools as they need to understand the responsibilities and liabilities associated with each role. We believe there is considerable confusion surrounding this issue in schools and even among some school suppliers.
Why is this distinction between data processor and data controller so important?
Well, as EdTech suppliers, it is crucial for us to understand which category we fall under because it determines the responsibilities and liabilities associated with each role. This is especially important for schools, as they need to know who is responsible for handling their data appropriately and correctly.
If we, as the supplier, are the data controller, then it is our responsibility to handle the data in accordance with GDPR compliance standards. The school has no liability in this case.
However, if we are the data processor and the school is the data controller, then we share the responsibility. It is vital for us to demonstrate to schools that we are managing their data correctly and in line with GDPR regulations.
So, how can we determine which role we fall under?
While there is no clear-cut rule, here are some pointers that can help both us and our client schools establish our respective roles.
As suppliers, we are data controllers for some of the data.
For example, when we ask schools for the main contact's name and details to do business with them, we become the data controller, and the school contact becomes the data subject. We are responsible for keeping that data safe. Just as a parent can request information from a school via a Subject Access Request (SAR), the school contact can exercise their rights as a data subject to ask us about the data we hold on them.
Examples of situations where suppliers are data controllers include B2B information, training organisations, and equipment and food suppliers (unless the school provides individual names for specialised requests, such as medical information for a pupil or staff member).
On the other hand, if large quantities of data are leaving the school to go to another organisation, it is likely that the school is the data controller and we, as the receiving organisation, are the data processor. Additionally, if the school is sharing more information about individuals than is necessary for us to do business with them, we are also considered data processors.
Examples of situations where suppliers are data processors include local authorities, Ofsted, examination boards, the DfE, teachers' pensions, HR and payroll systems, and school meals.
It's important to note that there are also commercial companies that act as data processors for schools. These include messaging and parent engagement systems, payment and school meals services, online safeguarding software, teaching and learning portals that require us to upload pupil or staff data, and system integrators that move data from one place to another.
Regardless of whether we are data controllers or data processors, each supplier must provide schools with evidence of our compliance for their data protection impact assessments (DPIAs) or as part of their review of compliance and of the school's culture of data use.
Suppliers that produce software to allow schools to process data have a responsibility to ensure their software enables schools to meet compliance, even if they do not process the data themselves. Examples of such software include local applications like Word and Excel (not Office 365 Online), locally hosted MIS, and various teaching software that is loaded locally.
It's worth noting that if any of these suppliers change their systems to an online offering, or provide remote support that gives them access to the data, they become data processors.
When schools approach us for information about our compliance or how we support their own compliance, we need to carefully consider our response. If we are purely working on a B2B basis with schools, a simple statement pointing out our role as a data controller, along with reference to our Privacy Notice and the actions we have taken to ensure compliance, should be sufficient.