3.a Understanding and engaging with legislation, policies and standards

An image of wires that represent data

Rather than the usual account of attending training and being mindful of legislation I am going to put together a more honest and narrative driven response this section. These descriptions and reflections I hope evidence this area well enough.

GDPR / Data Protection : an honest account

The largest change of the past two years of my career has been the sudden and all encompassing focus on data protection. To me, the flurry of activity around GPDR served to highlight the need for it. Most of the processes or practices we had to change were actually not permitted under the previous data protection regime either but GDPR had made the organisation take it more seriously.

So what did I do in the great GDPR war of 2018? Well I lobbied many of the groups internal to the University of which I am member of. Governance groups and communities of practice. I participated in many scoping exercises mapping out processes from the digital learning endeavors of the University. Being a manager I encouraged my staff to attended the necessary training and bring to me parts of their work that they thought harbored a risk of non-compliance. We doubled checked on our more risky projects (most of them PebblePad related) and settled in for the coming storm… then nothing happened for a while.

In this period leading up to the legislative implementation the most important element I had to deal with was lifting the blame culture around data protection reporting. I had a few conversations with junior members of staff where their main concern was ‘not getting people into trouble’ rather than reporting the issue. Now the way the legislation is enacted there is no time to equivocate about whether something is or is not a breach or whether the risk of the data leak is of a serious enough a nature to risk someones career. I made sure we reported anything with even a small hint of a breech via our internal data protection processes before the legislation came in. By ensuring that this wasn’t always a big deal and getting into that habit there was less of a stigma attached to doing this.

Sure enough the deadline came and went and we have reported many of what were mainly clerical error related breeches since. We highlighted issues in the relevant fora when the term ‘Sorry, data protection’ began to have a chilling effect on doing our job and we struck up a better understanding as to the nature of learning and teaching endeavors with our organisation’s data protection officer. So he could make better decisions regarding risk. Data protection has become an important part of our conversations around digital learning yet the institutional response past reporting almost disappeared over the six months following its implementation and even the official working groups began to meet less often and were cancelled at the last minute. . New policies and advice seems to have trailed out of sight. Possibly I have just missed its release.

What it has highlighted, especially in digital learning, is the lack of forward thinking leadership and governance. So many groups never really got past the ‘terms of reference’ stage. We were late to the issue and it flared into an acute issue rather than a chronic one. This has become an unfinished revolution at UWE.

The Learning Technologist Community of Practice has done its bit and has tried to move forward certain parts of the agenda. For example, a quorate of learning technologists (including myself) from across the University got together and shared concerns around the myriad of polling tools selected by our staff body. This risk was seen as too high to ignore and attempt were made by this group in conjunction with the DPOs office ameliorate the risks by working towards an approved and supported tool provided by the institution with the relevant DPAs and DPIAs in place. For those who didn’t want to use this tool, for whatever reason, there was resource developed to help practitioners triage their use and selection of alternatives for data protection risks. This has been held up by the main support site redevelopment and purchasing processes but it is an example of bottom up leadership in lieu of any of other kind.

However there are many areas where the lack of a strong centre and proper governance has left gaps in our response to the new legislation:

Example 1: PebblePad. There is no support model or hegemonic best practice for this system. The official help desk takes no responsibility for the system and Faculties have had to develop make shift help desks. We have close to 3500 students in our Faculty alone using a system which is inherently risky(being that it revolves around the flows of personal data into the community). Lots of the processes are variable, ill defined and by its nature involve sharing data. Even the act of someone requesting a new supervisor is not codified and we are merely in a perpetual holding pattern. No DPIA has been written on the system as of 01/07/2019.

Example 2: A worryingly high amount of our core tools do not have DPIAs, The ones that do only have them for the simplest of processes attached to them and avoid the more risky processes in entirety whilst promising to revisit these at some point.

Example 3: Content creation processes have been left in a weird grey area. Our Faculty use a lot of stakeholders as part of our content creation. This can be service users, staff, students, drama student actors etc. We can put them in Learning Objects that are cloud based and dynamically editable(e.g. xerte, Adapt LearnPool etc) or publish and store on a server as the finished article with no ability to change that LO without republishing the original product(Camtasia, iSpring). We tend to manage under the basis of consent. There will be a time in the future where someone involved wants to withdraw an asset that contains their personal data, namely their image. We are woefully under prepared for the damage this could do and I am reluctant to give good practice for content generation tools.

Lady using magnifier to

Accessibility : a rising tide lifts all ships

In 2019 a new regime to enforce accessible online content at public institutions and the was/is introduced in a phased manner. I am lucky enough to have within my team someone with a passion for accessibility in digital learning environments. We had seen this change from further away than most and I had found the money to allow this individual to develop in this direction. This has enabled us to forewarn our Faculty early.

As a manager I commission more than I do these days. Some of the evidence of the units labour:

Video 1 authored by Ghizzi Dunlop

Video 2 authored by Ghizzi Dunlop

Video 3 authored by Ghizzi Dunlop

I was presenting on the existence of Blackboard Ally from June 2018 and lobbying for it to be purchased by the institution.

Committee working towards a better future

Interestingly in this instance we were able to use this advanced knowledge in the period after the implementation of GPDR to push against some of its more draconian affects. Whilst also introducing this new accessibility legislative regime. To put it in narrative form:

I asked the question to our DPO ‘Are we allowed to use youtube?’. The answer came back as ‘No’.

I alerted our governance committee that we weren’t allowed to use youtube and this would be a major problem if we didn’t organise a massive push back. The most senior digital learning professional in the organisation looked into the issue.

‘We can use youtube as consumers but not put anything up there’ to which I replied ‘How do you suggest we generate .srt files for our closed captioned content?’ … a month passes ‘We can use youtube for closed captioning’ to which I replied ‘Oh so how are we going to address this type of thing under the new accessibility rules?’ … ‘ What new accessibility rules?’.

Sins of the father

One of the biggest problems will be legacy. We are currently waiting for the institutional Ally report but we know a few things:

  • We had problems with when moving to our new PowerPoint branded template as it didn’t port the title and content over properly. So this is likely to be an issue.
  • Our institutional title font if a Serif font
  • We have never engaged with this before. So there is bound to be bad practice.
  • Our event capture products are not captioned.
  • People sometimes refuse to mike up to not be captured by Panopto.

So we are starting from a bad place. There is now a big pan university project to deal with this agenda. It ties in nicely to our existing inclusivity agendas. There is one thing I have been very strident about:

Turn it on an walk away

The fact the Blackboard Ally product exists and we have bought is has led to some conversations about the new agenda as being synonomous with that particular product. It shouldn’t be. Ally will help us to do some stuff well but inclusive practice is more than one tool and it is pervasive across all practice. This sometimes gets forgotten. I am personally very invested that we learn from other intiatives and do not just turn it on and walk away thinking ‘job done’.