Data Protection & Safeguarding
This domain establishes the Regional Education Data Protection Standard (REDPS), prohibits the sale or commercial exploitation of student data, sets safeguarding requirements for digital learning environments and defines breach and incident response duties.
Caribbean context
Most platforms used in Caribbean schools were built under US or European frameworks that do not reflect Caribbean law. Without REDPS, default vendor settings govern Caribbean student data.
4 provisions in this domain
- Full policy statement
All digital and AI tools used in CMSAT schools must comply with the Regional Education Data Protection Standard, which covers data minimisation, purpose restriction, parental consent, encryption, access controls, breach notification and data residency requirements. REDPS compliance is a condition of endorsement.
Guiding principlesData SovereigntyRelated roadmap initiatives
A Caribbean scenario
A vendor is found to have transferred student data for commercial profiling. Endorsement is withdrawn, the vendor is barred from re-application for two years, and Ministries are notified to terminate the deployment.
Responsibility matrix
- •Maintain REDPS and coordinate incident response
- •Publish endorsement, suspension and removal decisions
Preconditions for implementation
Where to start
- 01Publish REDPS and make compliance a condition of endorsement
- 02Stand up regional incident response coordination
- 03Issue safeguarding guidance for digital learning environments
What progress looks like
- 100% of endorsed tools demonstrate REDPS compliance
- Breach notifications are received and acted upon within defined timelines
- No endorsed tool sells, transfers or commercially exploits student data
Likely risks and practical responses
MitigationTreat REDPS as the floor regardless of vendor terms; consent language cannot override the prohibition on commercial exploitation.
What this domain looks like in the roadmap
- RI-H01NowEstablish Regional Education Data Protection and Child Safeguarding StandardsEstablish minimum requirements for lawful and responsible education data use — data minimisation, purpose limitation, access control, retention, consent, child safeguarding and protection from harmful digital and AI-enabled interactions.
- RI-H02NowEstablish national education data governance and safeguarding arrangementsDefine national roles, accountability, data stewardship, school-level responsibilities, safeguarding procedures, parent communication and escalation pathways.
- RI-H03NextEstablish cybersecurity, identity and access-management requirementsEstablish requirements for authentication, access control, encryption, backup, vulnerability management, monitoring and secure identity management across education systems.
- RI-H04NextEstablish parental consent and learner-rights guidanceProvide clear guidance on consent, data use, AI-enabled services, safeguarding, reporting channels, and the rights of learners and parents.
- RI-H05NextEstablish data-breach, cybersecurity and safeguarding incident-response proceduresEstablish procedures for detecting, reporting, investigating, escalating, communicating and resolving data breaches, cyber incidents and child safeguarding concerns.
- RI-H06NextOperationalise school-level data stewardship and safeguarding practiceSupport schools to apply data-quality controls, access management, safeguarding procedures, incident escalation and parent communication within daily operations.
- RI-H07LaterReview and strengthen protections against emerging risksReview emerging risks from new technologies, changing threats, implementation evidence and incident trends, and update safeguards and standards where required.
Jump to another domain or return to the system map.