Being online is an integral part of children and young people’s lives. Social media, online games, websites and apps can be accessed through mobile phones, computers, laptops and tablets – all of which form children and young people’s online world.
At the time of writing, due to the ongoing pandemic, most children’s learning is also being done almost exclusively online. This makes online safety a high priority for every school and governing body.
Digital learning is without doubt essential and invaluable. It would be naïve to think that these apps and platforms are 100 percent secure and not potentially prone to the malicious intent of hackers.
In fact, due to a significant increase in the use of online learning platforms, research suggests they are more susceptible to exploitation by cyber criminals than ever before.
What this article covers:
- How schools can keep students’ data safe
- Understand where data is stored and/or transferred
- Your options and using products that transfer data to the USA
- What else you can do to reduce risk
- Tried and tested remote teaching and learning platforms
Below, we’ll look at what schools and parents or carers can do to help ensure the systems children and young people are using are as safe as possible. No platform is 100 percent secure. However, e-safety is as much about communication skills as it is technology. Simply banning sites or installing firewalls and filters is not enough to protect children from online harm.
Schools, staff members, parents and carers must promote and maintain an open and ongoing dialogue about online safety at school and at home. A key part of this – and one of the easiest ways to quickly mitigate risk – is to only encourage the use of reputable, well-established apps with strong data storage and security measures in place.
How schools can keep students’ data safe
Check whether the provider has ISO 27001 certification, PCI certification or others, such as Cyber Essentials or Essential+. Providers with certifications such as these offer assurance that robust steps have been taken to protect individuals and organisations against a whole range of the most common cyber-attacks and uphold high levels of data privacy protection.
It’s also important to check whether data is encrypted both at rest and while being transferred. This ensures that even if the data is intercepted, it cannot be read. Data is considered at rest when it resides on a storage device and is not actively being used or transferred. Transfer includes, for example, sending data via email or uploading homework assignments to an app.
Understand where students’ data is stored and/or transferred
Data should only be transferred and stored in countries that are assessed as ‘safe’ for data protection. So check whether the countries storing data have the same expectations as the UK about data security and protection. For example:
- Do they have equivalent enforceable data rights for data subjects?
- Is there an Information Commissioner’s Office (ICO) equivalent in place to enforce students’, parents’ and staff members’ rights to see the data that is being processed? And will the company providing the app/platform help should a data breach occur?
- Will the provider of the app/platform help you gather data for a subject access request? This may well be crucial as GCSEs and A-levels are currently being teacher assessed and parents could request the teaching/marks awarded in classroom settings and/or for homework assignments.
It’s useful to note that some companies offer the option of data storage in a particular data centre. For instance, Microsoft does this with certain applications in Azure.
Be sure to study the terms and conditions and/or data processing addendum to see exactly where data is stored and what terms are in place relating to the data. For example, as processors of your students’ data, the provider must:
- Not take any control of the data – the provider must do only as you instruct them
- Transfer and store the data in a country with equivalent standards of security and data subject rights as the UK or EU
- Have sufficient technical and organisational measures in place to ensure data security and to uphold data subject rights
- Ensure that they will assist with any data breach and data subject access request.
For a full list of terms that must be in place for a data processor, see Article 28 UK or EU GDPR. More information is available on the Information Commissioner’s Office website.
Your options and using products that transfer data to the USA
Under UK GDPR and the Data Protection Act 2018, data controllers must not transfer personal data outside of the UK or European Economic Area (EEA) unless the country to which data is transferred offers an adequate level of protection.
The most robust option is therefore to choose a provider that processes data in the UK, the EEA, or a country that the UK regards as safe, such as Canada, Japan, New Zealand and Israel. The EU and the UK have also deemed these countries to be adequate. For more information, visit the European Commission website.
Many providers are US-based (Google, Apple, Microsoft). For data transferred to the USA, note that the Privacy Shield scheme, which you may see in the terms and conditions or addendum, was ruled as inadequate in 2020.
You can, however, still transfer data to the USA. Currently, the most common method is via Standard Contractual Clauses (SCC), by which the company ensures adequate data protection.
This method does not override the fundamental issues with US data protection, but it is the only viable option for most data transfers and seems – albeit with a certain amount of pragmatism – currently to be accepted as OK.
What else you can do to reduce the risk
In simple terms, make sure all malware protection and other necessary software is installed and up to date and that all operating systems on IT equipment supplied by the school are running the latest versions. The school should make it clear that this is also the expectation for all staff, student and/or family-owned IT equipment.
Wherever possible, use or encourage the use of apps that require two-step authentication or some other form of secure log-in, such as Microsoft Teams and Google.
Ensure everyone is fully aware of the risks and knows how to stay safe online. Your school’s IT security and/or e-safety policy should cover this. But, as mentioned, e-safety is as much about communication as it is technology.
Tried and tested remote teaching and learning platforms
Currently, Microsoft Teams, Google Classroom, Zoom, Skype and YouTube are seen as offering sufficient security if used correctly.
All these platforms provide record options with robust systems and processes in place, specific to each platform. It is essential, however, that your staff members know exactly how to use these systems and act in accordance with the school’s Remote Learning Policy.
Storage for these platforms is mainly cloud-based and accessible only by those who have been authorised by the school to access records.
If you are using Open Google, be aware that anyone with a link could potentially access content, so make sure students cannot be identified. Google Workspace – formerly known as G Suite – is a system which only allows those inside the school to access information.
There are, however, a number of other credible platforms gaining popularity. For example: Socrative, Showbie (both Canadian-based), Blackboard Learn, Adobe Captivate and Elucidat. But remember to check how safe these systems – and any others – are by running through this checklist beforehand:
- Where is the data stored? If it’s the USA, then check for Standard Contractual Clauses
- What security is in place? Check for ISO and/or other certifications
- Is the data encrypted? Check who has access to content created on the platform
- Is log-in secure? Does it require two-step authentication?
- Do the data processing clauses accord with those set out in Article 28 GDPR? For example, will the provider help you if there is a data breach?
And finally, it’s worth repeating: ensure that all operating systems and malware protection on school-owned IT equipment are up to date, and that parents and carers understand that this is an expectation for any other IT equipment that may be used at home.
By Antonia Noble, Barrister and Founder, Carter Noble
Carter Noble provides individuals and organisations – including schools – support and advice across the full spectrum of GDPR, data protection and privacy issues. To find out more, visit carter-noble.co.uk or email Antonia, firstname.lastname@example.org.