This is a summary taken from Judicium’s DPO ‘Sofa Session’ from the 8th of June, with Data Services Team Leader Parminder Nijjar, LLB (Hons), L.P.C., PC.dp GDPR and data protection consultant Jessica Gant, LLB (Hons).

This session was focused on: social media and the role of Data Protection, social media use within schools, and risks associated with social media and how to use it responsibly.

Social Media and the Role of Data Protection

What is social media? 

Social media is any digital tool or channel that allows users to create and share content, ideas, or information with other users (friends, family or the wider public).

The popular social media platforms include:

• Facebook
• Instagram
• Twitter
• Tiktok
• Pinterest
• Linkedin
• whatsapp

Your website is also considered to be a social media platform.

The display and sharing of personal data via social media raises various data protection implications, and is thus regulated by the UK GDPR and data protection regulations.

Why use social media?

Businesses and schools use social media applications to market and promote their products and services by:

• Creating a public profile which may include school interests, hobbies and your current activities.
• Sharing photos, videos and posts.
• Sharing links to content relating to education, which has been produced by third-parties (such as sharing a news article).
• Commenting on photos, videos and links shared by other schools or parents and third-parties.
• Interacting with third-party applications and providing personal data to these third-party applications.

Social Media Use Within Schools 

Schools may use social media to show parents what they are doing, such as a running newsletter.

Schools also use social media channels to promote themselves by publishing photos, videos, or even schoolwork.

But schools must remember social media tends to be privacy intrusive. It allows these platforms to capture and, in many cases, process and use the information.

NB: Individuals who are posted on a school’s social media page tend to be identifiable, therefore it is considered personal data, and should be processed in line with data protection principles.

TOP TIP: Before publishing this kind of data, schools need to ensure that they have a legitimate reason for doing so.

The school should act with caution when using social media, as the risks associated with it tend to be much higher. For example if a picture of a looked after child is put on social media, it becomes a safeguarding issue as well as a Data Protection issue and will likely need to be reported to the ICO.

Consider how best to protect your online privacy at the start by considering the personal data you share and reviewing the privacy policy, terms of use and cookies of platforms you sign-up for.

You should also review your personal data being collected. NB: This includes apps that make use of social media log-in services or ask for permissions to access your social media profile and your personal data.

Lastly, review and revisit privacy settings and controls of any social media service that you use.

What is the legal reasoning?

Social media use does not fall within the school’s public task so the majority of schools gain consent from parents or pupils before publishing their personal data on their social media pages.

NB: To do this speak with your DPO. Get them to review your consent form to ensure it is explicit/specific enough to meet data protection criterion.

4 key steps for schools considering social media use

1. Decide what are your objectives behind the use of social media
2. Establish the advantages of social media to achieve those objectives
3. Consider what level of consent is required and responsible users
4. Weigh the pros and cons

What are the pros? 

• Allows you to both communicate and engage with your community - informing individuals what everyday life would look like for pupils who attend.
• Can be used as a newsletter to keep parents updated on the goings on in the school.
• Helps the school to stand out and builds your online presence.
• Used as a promotional tool, showing what makes your school special.
• It’s Free!

What are the cons? 

• Schools cannot rely on their public task to upload pictures and names, and would need consent to do so.
• It is difficult for individuals to withdraw consent.
  • Once content is uploaded the pictures/names are out there, and the school can delete it, but they can’t necessarily get it back.
• Breaches can be more severe when they involve social media so the risk tends to be much higher.

Risks Associated with Social Media

We are focusing on the risks with schools using their own social media pages.

These risks include:

• Anyone being able to access social media accounts – the school cannot limit their audience.
• Images can be stolen and used on other websites.
• You have no control over what happens to the images and names uploaded onto social media.
• The risk tends to be higher when a breach occurs – usually social media breaches are reported to the ICO.
• Mistakes happen easily! Its often easy to forget children who do not have the appropriate consents.
• Parents may upload their own photographs to social media, which means photographs of children who do not have the appropriate consents can end up on social media.
• Online scams can happen easily. The school should be prepared for this and have procedures in place should this happen.

How to mitigate against the risks

The first step any school can take is to discuss any concerns with their DPO. We can spot any potential gaps but also advise on practices for future use.

Key Advice:

1. Have a detailed Social Media Policy to use in conjunction with an electronic communication policy.
2. Carry out a Data Protection Impact Assessment (DPIA)
3. Ensure children in school are not using social media when in school and staff do not use their own social media to post pictures of children or information surrounding the school.
4. Social media pages are included within Subject Access Requests (SAR) so schools must be able to search through media pages to identify posts identifying individuals.

Responsible Use of Social Media

Who should manage the social media page?

 We recommend there is one trusted user to access and to review the social media weekly. This will ensure that any data related requests are dealt with, and also it will help ensure that accidental uploads do not happen.

How do we know who should or should not be posted?

The school should have an updated list of consents, which is reviewed annually.

The school shouldn’t use children’s names with photographs unless they really need to. When posting pictures of certificates children have gained, they should ensure that the names are blank.

Can someone make a data request through our social media page?

Yes. They can make it to any part of your organisation, and they do not have to direct it to a specific person or contact point.

NB: We advise disabling private messaging on social media to hopefully reduce any data requests received via this channel. 

The Future of Social Media

Social media will continue to adapt with new platforms becoming popular.

Schools will need their DPO to understand the challenges they are likely to face as a result of using social media.

Key areas of change:

• Tougher restrictions over data ownership will be enforced – you will likely already see this through social media apps you currently use making you aware of cookies you now need to accept or decline.
• Users of social media want higher levels of control over how their personal information and internet data is used
• Users want to limit the level of personal data we share with social media platforms
• Being able to communicate via encrypted channels and safe platforms

Key Points to Take Away:

1. Consult your DPO if you are thinking of using social media as part of the school
2. If you already have an official/unofficial social media page in place, consult with your DPO whether a DPIA is necessary
3. Consider what level of information is currently published and who has access
4. Make sure there is a specific Social Media policy in place
5. When you receive a data request, speak to your DPO.

Helpful Information:  

UK GDPR - https://uk-gdpr.org/

Cyber Security Summary Notes: https://www.judiciumeducation.co.uk/news/DPO-cyber-security

DPIAs Summary Notes: https://www.judiciumeducation.co.uk/news/GDPR-Say-Hello-to-Data-Protection-Impact-Statements

Judicium also offer a range of GDPR e-learning  INCLUDING Social Media training designed for schools. You can see current course availability here.

Follow us on Twitter: @DPOforSchools and @JudiciumEDU