Data protection is essential: it means privacy and respect, and freedom from manipulation. This statement is never more pertinent and pressing than when it refers to schools, the data they hold, and the systems they use to keep it safe from loss, theft and exploitation.
Here, I’ll walk you through the different types of data and data categories, and the systems you can use and steps you should take to keep data safe.
By Antonia Noble, Barrister and Founder of Carter Noble
Data and data categories explained
Schools hold an incredible amount of data across a range of sensitive data categories. Below I’ve outlined what this information might look like.
- Pupil/student data, including general information, health, and biometrics (if schools use fingerprints for lunchtime payments or device log-ins, for example)
- Staff, including passport numbers, verification of DPS, performance, health, payroll, bank details, biometrics, images for ID cards etc.
- Agency staff (as above)
- Parents, including contact details and potentially bank details for payments and medical information for events
- Volunteers, including names, contact details and possibly DBS details and medical information
- Governees and trustees (as above)
- Contractors and consultants (also as above, i.e. bank details for payments and possibly DBS details, depending on what it is they do
- In limited circumstances, details of childcare disqualifications may also be recorded.
Single central register
All schools must have a SCR, as required by Ofsted, the Department for Education, and as part of a school’s wider safeguarding responsibilities.
It will include an array of information relating to teaching, support, governors, volunteers, agency staff, identification documents details (i.e. passports and driving licences), rights to work, including all pre-employment checks, qualifications, and s128 checks (where relevant). It may also contain other information, such as medical details for staff and contractors.
This document should remain fully up-to-date, such as when new staff join, and protected by high levels of security.
Potential threats to data
A number of potential threats to data exist, many from those with malicious intent but others due to malfunction or even natural disaster:
- Online and emails, including phishing emails, worms, viruses, trojan horses, and ransomware (amongst others)
- Theft of data online
- Loss of data stored in the Cloud
- Loss of data from hard drives and/or servers (for example, power outages, fires and floods)
- Mobile device theft or loss (for example, a staff member may leave his or her laptop in a public space, potentially exposing sensitive data)
- Use of data by predatory adults
- Inappropriate access to data by staff, visitors and/or contractors (amongst others)
- Malicious use of data
- Potential state interference (i.e. Homeland Security in the USA)
frequency of different types of breaches or attacks. For example, fraudulent emails or being directed to fraudulent websites accounted for 86 and 91 per cent of breaches or attacks in the 12 months 2019-20 for primary and secondary schools, respectively.
Onsite school systems
- All operating systems must be safe. Schools use a wide range of systems to hold and keep information safe. All of which must provide robust security against loss, theft and/or exploitation. These systems include SIMS and Integris, for example, but also systems used for general processing and access to the internet, such as Microsoft, emails and HR systems. The security of these systems must be checked thoroughly before signing up to them. It’s imperative you do your own due diligence, rather than just relying on outside sources.
- Remember: any and all data stored any medium, including the Cloud, is your responsibility. So what can you do to keep it safe? Look for suppliers that are ISO 27001 (or equivalent) or Cyber Essentials-certified. These are both solid indicators of trust.
Research and identify systems that offer encryption both at rest and in transit and are based in countries with adequate protections. For example, the European Economic Area (EEA), New Zealand, Canada, the UK, or any other region/country contractually obliged to provide a high-level of protection for data, data breaches and data subject rights. This is particularly significant for suppliers which transfer and store data inside the USA.
The above guidance is also applicable to information management systems, emails, HR systems, apps and wherever else data is held and/or processed.
- Keep systems up-to-date. Your school’s IT team should keep all computers fully up-to-date and any notifications from software providers, like Microsoft, should be actioned immediately. This includes patches and/or fixes and any updates that detect ransomware. These updates are not only important for privacy and security reasons that affect you personally, but the wider schools community generally.
- Think about data loss in terms of what can be stolen and/or hacked, but also lost in a power outage, fire or flood. There are a number of different ways in which data can be compromised, not all of which are due to malicious intent. So ensure you have a robust back-up supply and that your data is never stored in just one place.
- Access controls. These must be in place so that only those who need access to or to know data can access it.
- Auto-lock systems. When and if possible, all systems should auto-lock when left idle and be locked away if being left unattended for a prolonged period of time (i.e. overnight).
- Passwords. Passwords must not only be strong and safe, but regularly updated. And if you can use two-factor identification, then all the better. For example, a robust system would be an eight-plus character password alongside a two-factor authentication process.
- Paper files / records. To keep these safe, the places in which they’re held must be locked and an access control system in place, such as an alarm. This extends to unattended classrooms: make sure they’re locked when not in use. Unfortunately, it’s all too easy for a stranger – or a parent at parents’ evening, for that matter – to walk into an unattended classroom and gain access to a pupil’s personal information.
- Who you share data with and how. On a day-to-day basis schools share data with a wide variety of organisations and individuals, from the government, Ofsted and local authority (for mandatory reporting purposes), to the school nurse, educational psychologists and any persons and companies who provide IT support. For example, Microsoft, Google and online learning platforms.
Ensure that data is safe when sent to and from these individuals and/or organisations. You can do so by checking that the recipients have adequate and robust contracts, agreements and safeguards in place. Consider the following: where do they process data? Do they have independent certification (i.e. ISO or Cyber Essentials)? Will they support and help you in the event of a breach, or should a student want access to the data about them that you process?
And finally, it’s important to remember: if the school’s system can and is accessed via mobile devices or laptops, then these must have the same security as the school’s system.
Getting the right policies in place
In addition to a Data Protection Policy, schools must have a number of other policies in place to support and govern the above guidance. These include:
- Bring your own device policy. If you allow individuals to use the school’s Wi-Fi, this is particularly important, as you’ll need to control how they access it. Additionally, it should ensure users are fully aware of the school’s expectations regarding security on their devices. For example, it should provide information regarding passwords, lock times, app authorisation, and circumstances where the school may need to wipe data. As far as possible, it can also limit a school’s liability in relation to the devices that are used, i.e. viruses that a device may pick up whilst using the school’s Wi-Fi.
- Acceptable use policy. This sets out the rules for a school in relation to IT use. For example, no device can be used in such a way that would breach the school’s harassment and bullying policies, or be used to access, store or transmit illicit content.
- Information security policy. This sets out the standards expected for all school IT, communication and paper-based information. For example, consider what is expected when it comes to emails being sent and telephone calls being taken.
For more information regarding data protection policies and systems, and appointing a data protection officer, see our other blog: Your school’s data protection protocols: reassuring your governors.
Child protection and safeguarding information
This is some of the most sensitive data a school is likely to hold and therefore requires the highest levels of security. Most schools now use platforms and apps to protect this data, such as Sleuth or CPOMS, but others are available.
Some schools still insist on keeping files in paper form – this really is not recommended, for a number of reasons. Primarily because you need to have a back-up, as well as a version that all staff can readily access. Should there be a fire or a flood and all child protection and safeguarding records are either paper-based or held on IT systems on local drives, you risk losing them entirely.
And a catch-all point that’s not limited to child protection and safeguarding (although it is hugely important): all highly confidential emails should be sent and received using a sufficiently secure system, such as Egress.
Managing human prevention through training
Perhaps unsurprisingly, human interaction can often be a school’s Achilles heel when it comes to keeping data safe. Which means one thing: training. All staff members should receive robust and regular training and guidance on how to manage and process data safely. This includes:
- An understanding of GDPR. Includes what it is and what rights it gives data subjects, i.e. the general principles, which are:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Storage limitation
- Integrity and confidentiality
You can find more information on these principles on the Information Commissioner’s Office website.
- An understanding of general data protection. Includes what data protection is and general expectations. This is absolutely central to contextualising laws and regulations for a school environment, thereby helping staff understand how it applies to their roles.
Moreover, where possible, contextualising for your specific school – rather than schools in general – can be really useful tool sitting alongside other training. So your school’s data protection officer (DPO) and IT team should ensure that all staff are fully trained and confident about the data a school holds. This training must include:
- IT security, including apps and online learning tools. For more information, check out our other blog: Online learning: what’s safe and how do I check?
- Mobiles and laptops, at school and at home
- Paper-based systems
- Safeguarding and child protection issues
- Data breaches
- How to access support and DPO services
Take it seriously: the risks are too grave to not
Shockingly, 41 per cent of primary schools identified cyber security breaches or attacks in the 12 months 2019-20. For secondary schools and higher education instituations these numbers jump significantly to 76 and 80 per cent, respectively (Cyber Security Breaches Survey 2020, p.4).
These statistics are cause for concern. With each breach or attack comes the risk of exploitation by those with malicious intent and a potential ICO investigation. It’s why data and the systems schools use to keep it safe are so important – too important to not get right.