ICO & UK GDPR Compliance

How Robyn Robot meets the UK's data protection requirements for processing personal data in schools

The UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018 set strict requirements for how organisations process personal data. As a service that processes data in educational settings, Robyn Robot has been designed with these requirements at its core.

This page explains how we comply with each of the ICO's key principles and requirements. We've organised this around the data protection principles from Article 5 UK GDPR, plus the specific obligations schools need to understand.

Article 6 UK GDPR

Lawful basis for processing

"Processing shall be lawful only if and to the extent that at least one of the following applies..."

How Robyn addresses this

Schools must have a valid lawful basis for using Robyn Robot. We've structured our service to align with the most appropriate bases:

  • State-funded schools: Article 6(1)(e) – Public Task. Processing is necessary for performing a task in the public interest (the provision of education). Schools have a statutory duty to provide education, and Robyn Robot assists in fulfilling this duty.
  • Independent schools: Article 6(1)(f) – Legitimate Interests. The school has a legitimate interest in providing effective teaching support to pupils, balanced against individuals' rights. Our Data Processing Agreement includes guidance on conducting a Legitimate Interests Assessment.
  • No consent required: Schools don't need individual parental consent to use Robyn Robot for core educational purposes when relying on public task or legitimate interests. However, transparency is still essential (covered below).

We document the lawful basis in our Data Processing Agreement and require schools to confirm they've determined the appropriate basis for their institution.

Clear lawful basis documented

Article 5(1)(c) UK GDPR

Data minimisation

"Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed."

How Robyn addresses this

We've designed Robyn Robot to collect only the minimum data necessary for its educational purpose:

  • No pupil identification: The system doesn't require pupil names, dates of birth, or any direct identifiers. Devices are shared and anonymous from the system's perspective.
  • No accounts or profiles: Pupils don't log in or create accounts. There's no user profiling or tracking of individual children across sessions.
  • Purpose-limited capture: Audio and images are captured only during active lesson time when the teacher device is recording. The system doesn't run continuously.
  • Pseudonymisation: Where identifiers are necessary (like device IDs for technical purposes), we use pseudonymised references rather than real names.
  • Teacher authentication only: Only teachers access the web portal, using their existing school Google or Microsoft accounts. We don't create separate identity databases.

We advise schools not to use Robyn Robot in lessons where highly sensitive personal information might be discussed (such as PSHE or pastoral sessions).

Built for data minimisation

Article 5(1)(b) UK GDPR

Purpose limitation

"Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes."

How Robyn addresses this

We process data for one purpose only: providing AI-powered teaching assistance in the classroom.

  • No commercial reuse: Your school's data is not used for marketing, advertising, or any commercial purpose beyond providing the Robyn Robot service to you. The one exception is a small number of anonymised conversations, which we may show prospective schools as examples of Robyn at work.
  • No model training: Lesson content, student questions, and pupil work are never used to train AI models. Our AI providers (OpenAI GPT-4 and Azure OpenAI for language models, AssemblyAI for speech-to-text transcription) process your data under contractual terms that prohibit training on your content.
  • No data sharing: Each school's data is logically segregated. School A cannot see School B's data. We don't aggregate or combine data across schools for analysis.
  • Limited system improvement: We may use anonymised, aggregate technical data (crash logs, performance metrics) to debug and improve the system, but this never includes identifiable lesson content or individual pupil information.

These restrictions are documented in our Data Processing Agreement with clear contractual obligations.

Single, specified purpose

Article 5(1)(e) UK GDPR

Storage limitation

"Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed."

How Robyn addresses this

We apply strict retention periods to different categories of data:

Data Lifecycle

  Data category                     Retention
  Raw audio/images on device        Maximum 7 days, then automatic deletion
  Raw audio/images on server        Maximum 90 days, then automatic deletion
  Transcripts and summaries         Retained until the school requests deletion (for educational reference)
  Student Q&A data                  Retained until the school requests deletion
  Technical logs                    Maximum 90 days for diagnostics, then deleted or anonymised

  • Automatic deletion: Raw recordings don't persist indefinitely. Once transcribed and processed, the raw files are automatically purged, and they are never kept beyond the maximums above.
  • On-demand deletion: Schools can request deletion of specific lessons, dates, or all data at any time. We comply within 30 days.
  • Secure erasure: Deletion uses industry-standard sanitisation methods to prevent data reconstruction. Deleted data is also purged from backups within 30 days.

Defined retention and deletion

Article 32 UK GDPR

Security of processing

"The controller and processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk..."

How Robyn addresses this

We implement multiple layers of security to protect your school's data:

  • Encryption everywhere: All data is encrypted in transit (HTTPS/TLS for network communications) and at rest (encrypted storage on Google Cloud Platform and Microsoft Azure).
  • Tenant isolation: Each school's data is logically segregated. Access controls ensure School A cannot access School B's data, even accidentally.
  • Authentication and authorisation: Teachers authenticate using their school's existing Google or Microsoft accounts. Device access is controlled through secure tokens.
  • Minimal staff access: Only authorised Robots For Schools Ltd personnel can access school data, strictly on a need-to-know basis for technical support. All access is logged and traceable.
  • Infrastructure security: We use Google Firebase (ISO 27001 certified) and Microsoft Azure (ISO 27001, SOC 2 certified) as our infrastructure providers, benefiting from their enterprise-grade security controls.
  • Cyber Essentials certified: Robots For Schools Ltd holds Cyber Essentials certification, demonstrating compliance with the UK government's baseline cyber security standards.
  • Monitoring and logging: Automated monitoring detects suspicious activity. Security logs are retained for audit purposes.
  • Incident response: We maintain an incident response plan to contain, investigate, and remediate any security breach (see Data Breach Notification below).

Multi-layered security

Article 13 UK GDPR

Transparency and fair processing

"The controller shall provide the data subject with information about the processing, including identity of controller, purposes, legal basis, recipients, retention period, and data subject rights."

How Robyn addresses this

We support schools in being transparent about Robyn Robot:

  • Privacy notice template: We provide suggested wording for schools to include in their existing privacy notice, explaining what Robyn Robot does and how data is processed.
  • Parent communication template: We provide draft text schools can use when informing parents about Robyn Robot's arrival in the classroom.
  • Clear Terms and DPA: Our Terms of Use and Data Processing Agreement are written in plain language (for legal documents), not impenetrable legalese. They're published openly for schools to review before signing up.
  • Teacher portal visibility: Teachers can review all student questions and Robyn's answers through the web portal, ensuring transparency about what's being captured.
  • Visual indicators: The teacher device shows clear on-screen indicators when it's recording audio or capturing board images.
  • In-classroom communication: We advise schools to tell students and any other adults in the room when Robyn Robot is recording, so no one is unknowingly captured.

The school (as Data Controller) is responsible for providing this information to pupils, parents, and staff. We provide the tools and templates to make this straightforward.

Supporting school transparency

Articles 15-22 UK GDPR

Data subject rights

"The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed... [and rights to access, rectification, erasure, restriction, portability, and objection]"

How Robyn addresses this

We assist schools in responding to data subject rights requests:

  • Right of access (Article 15): If a parent requests to see what data we hold about their child, we can provide the school with transcripts, summaries, and Q&A data related to lessons that child participated in. Because we don't identify individual pupils in our system, schools will need to provide context (dates, classrooms) to help us locate relevant data.
  • Right to erasure (Article 17): If a parent requests deletion of their child's data, we delete it within 30 days. As with access rights, because we don't identify individual pupils in our system, schools will need to provide context (dates, classrooms) to help us locate relevant data.
  • Right to rectification (Article 16): If inaccurate data has been captured (for instance, an incorrect transcription), we can correct or delete it upon request.
  • Right to restriction (Article 18): If a parent challenges the accuracy or lawfulness of processing, we can temporarily suspend processing of specific data while the school investigates.
  • Right to data portability (Article 20): We can provide data exports in commonly-used formats (JSON, CSV) if requested.

We commit to responding to school requests for data subject rights within 30 days, enabling schools to meet their statutory one-month response deadline.

Full rights support

Chapter V UK GDPR

International transfers

"Any transfer of personal data to a third country or international organisation shall take place only if the controller and processor comply with the conditions laid down in this Chapter..."

How Robyn addresses this

Some of our sub-processors are located in the USA or process data through US-based servers. We ensure these transfers are lawful:

  • Standard Contractual Clauses (SCCs): We have executed Standard Contractual Clauses with all sub-processors that transfer data outside the UK, including OpenAI (USA) and Microsoft Azure (USA/EU). SCCs are a transfer mechanism recognised by the ICO; for transfers from the UK they are used together with the ICO's UK Addendum, or replaced by the ICO's own International Data Transfer Agreement (IDTA).
  • Additional safeguards: Beyond SCCs, we require encryption in transit and at rest, access controls, and contractual restrictions on how data can be used. These are the kind of "supplementary measures" recommended after the Schrems II ruling and reflected in the ICO's transfer risk assessment guidance.
  • No training on school data: Our agreements with OpenAI and AssemblyAI explicitly prohibit them from using school data to train their models. They process it solely to provide the transcription and analysis services we request.

Sub-processors with international transfers:

  • OpenAI (USA): SCCs executed, no model training on your data
  • Microsoft Azure (USA/EU): SCCs and GDPR commitments
  • AssemblyAI (USA): SCCs executed, EU endpoint used for UK schools
  • Google Firebase (USA/EU): SCCs via Google's DPA

Lawful international transfers

Article 5(2) UK GDPR

Accountability

"The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (principles)."

How Robyn addresses this

We help schools demonstrate their compliance through documentation and processes:

  • Written Data Processing Agreement: Our comprehensive DPA documents the roles, responsibilities, lawful basis, data types, retention periods, security measures, and all other GDPR requirements.
  • DPIA support: If a school conducts a Data Protection Impact Assessment (required for high-risk processing), we provide detailed technical information about data flows, security architecture, and risk mitigations.
  • Audit trail: Complete logs of all interactions are available for review. If a regulator asks "What data was processed?", we can provide the evidence.
  • Sub-processor list: We maintain an updated list of all sub-processors, their roles, and the safeguards in place. This is included in our DPA.
  • Policies and procedures: We maintain written policies on data retention, security, breach notification, and data subject rights responses.
  • Regular review: We review and update our practices as technology and regulations evolve. Schools will be notified of any material changes.

Documentation and accountability

Articles 33-34 UK GDPR

Personal data breach notification

"In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority..."

How Robyn addresses this

We have clear procedures for handling potential data breaches:

  • Rapid notification: If we discover a personal data breach affecting your school's data, we notify you within 24 hours of becoming aware of it. That leaves the school most of the 72-hour window it has, as Data Controller, to notify the ICO where required, giving it time to assess the breach and report if necessary.
  • Detailed information: Our notification includes the nature of the breach, categories and volume of data affected, likely consequences, and measures taken to contain and remediate the breach.
  • Ongoing updates: If we don't have complete information within 24 hours, we provide an initial notice followed by updates as we investigate.
  • Containment and remediation: We immediately take action to contain any breach, prevent further compromise, and fix the underlying vulnerability.
  • School's responsibility: The school (as Data Controller) decides whether to notify the ICO and/or affected individuals. We provide all necessary information to support those notifications.
  • Preventative measures: Our security monitoring, encryption, access controls, and regular security reviews are designed to prevent breaches in the first place.

Breach response plan

Article 9 UK GDPR

Special category data

"Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs... health data, biometric data... shall be prohibited unless one of the conditions in paragraph 2 applies."

How Robyn addresses this

Special category data requires additional safeguards. Here's our approach:

  • Not designed for special category data: Robyn Robot is not intended to process sensitive personal data. We don't seek or require information about health, religion, ethnicity, etc.
  • Biometric data consideration: Voice recordings could potentially be considered biometric data if used to uniquely identify individuals. However, we don't use voice data for identification purposes – we only use it for transcription (converting speech to text), which is not biometric identification.
  • Guidance to schools: We advise schools not to use Robyn Robot in lessons specifically about sensitive topics (PSHE, pastoral care sessions) where special category data is likely to be discussed.
  • If special category data must be processed: The school must ensure they have met the Article 9(2) conditions (such as explicit consent, or processing for substantial public interest with appropriate safeguards). This is documented in the school's own DPIA and privacy notice.

The Data Protection Act 2018 Schedule 1 provides additional conditions for special category data in the UK. For education settings, Part 2 paragraph 6 covers "statutory etc and government purposes", which may apply to state schools processing data for educational purposes.

Special category awareness

ICO Children's Code

Age-appropriate design

"The Age Appropriate Design Code sets out 15 standards that online services likely to be accessed by children must meet to protect their personal data and privacy."

How Robyn addresses this

While the Children's Code primarily applies to online services accessible directly by children, we've incorporated its principles:

  • Best interests of the child: Our design prioritises children's wellbeing and educational benefit. The system scaffolds learning rather than simply providing answers.
  • Data minimisation by default: We collect the minimum data necessary and don't require individual pupil accounts or profiles.
  • Age-appropriate content: AI responses are filtered for age-appropriateness before being presented to pupils.
  • No profiling: We don't build profiles of individual children or track their behaviour across sessions.
  • No online tracking: There are no cookies, tracking pixels, or analytics scripts following children's activity.
  • Parental awareness: We support schools in informing parents about Robyn Robot through template communications.
  • Supervised use: Robyn Robot operates in the classroom under teacher supervision, not as an unsupervised app children use at home.

Child-focused design

Summary: Privacy by Design

Robyn Robot was built with data protection at its core, not added as an afterthought. Every design decision – from not requiring pupil accounts, to automatic deletion of raw recordings, to tenant isolation – reflects our commitment to protecting children's data.

We understand that schools are accountable to parents, governors, and the ICO for how they use technology. Our comprehensive Data Processing Agreement, transparent documentation, and responsive support are designed to give schools confidence that they're meeting their GDPR obligations.

If you have questions about how Robyn Robot meets your school's specific compliance requirements, or would like to discuss your Data Protection Impact Assessment, please get in touch.

Start your free 6-week trial →