Schools are a hotbed of personal information. From teachers to board members to governors, administrative and grounds staff – not to mention the students themselves – there is a lot of sensitive data floating around schools. With the emergence of new data and information regulations like the GDPR and the Data Protection Act 2018, schools must have a data protection strategy in place to ensure that private information stays that way. If they don’t — like businesses across all sectors and industries — they are subject to penalties and fines, and the resulting bad publicity and potential loss of reputation.
Today we will look at the current state of data protection in education – the good, the bad and the sometimes confusing.
Both the GDPR and the Data Protection Act 2018 have been conceived and drafted with the speed of technological progress in mind. And because of this, businesses across industries are more aware of their obligations to protect their own and their customers’ personal data. It’s the exact same for the education sector. It’s important to be optimistic—here are some of the positives schools can take from the new age of data protection.
Schools have become more aware of their obligations. The hype and hysteria around the GDPR have led to a heightened awareness, which is irrefutably a good thing. We are seeing schools challenge existing data practices and implement new processes to ensure they comply with new data protection regulations.
Better data processes
More focus on sensible retention of data not only minimises the risk and scale of a data breach but also reduces costs of storage and admin for schools.
Newly appointed data protection officers (DPOs) in schools are taking their responsibilities seriously, challenging the whole school and attending training to ensure they have a better understanding of data protection.
Using technology to maintain data policies
Simple, small changes to policy and technology are being made that can make a big difference to the risk to schools’ data.
While greater awareness of data protection is good, it isn’t always dealt with in the most efficient manner. We have seen an increase in data breaches being reported to the ICO and the first education institution has been fined by the ICO (£130k to Greenwich University). Here are some of the wrong turns schools are liable to make even if they are aware of this new data protection landscape.
Failure to realise the size of the task
Some schools haven’t appointed data protection officers and are behind the curve. The GDPR calls for a mandatory appointment of a data protection officer for any organisation that processes or stores large amounts of data, be it employee, student or external party data. A DPO will be required by each school. However, they can be a current member of staff who is willing to take on the responsibility.
Third-party DPO services that don’t deliver
Some schools have brought in DPO services that don’t meet their needs. This isn’t the fault of the schools, but the fault of companies that have promised to make them comply but do little more than offer a helpline.
Lack of training
Data protection brings new processes and procedures that affect every member of staff. To avoid penalties and make this whole-school approach succeed, schools must put regular data protection training in place. Yet some schools have given little thought to actively helping staff.
The wrong mindset
Data protection is an ongoing effort that needs continuous work to ensure continuous compliance. Some schools don’t understand this, or don’t give data protection the right investment. It may take a big data breach and/or fine to reawaken the schools that are burying their heads in the sand over data protection and the obligations they must face.
While some schools have used the new regulations to revamp their data protection processes, there have also been a lot of misunderstandings of data protection laws, along with bad or inaccurate advice from companies selling GDPR services to schools.
There have been stories of schools asking pupils’ parents for consent to process data on their children, in the belief that the new data regulations require this for the children to attend each day.
The nameless workbooks
In some schools there have been reports of the need to remove names from workbooks and book bags for data protection purposes. The data protection laws are there to protect personal data, not to make a school’s job harder.
Hiding behind data protection laws
Some schools use data protection laws as a reason not to share data with other organisations when it should be shared, say, in the best interests of a student’s safety. Safeguarding and data protection regulations sit side by side and should, in effect, work together to keep students as safe as possible.
Invest in your school’s people
If schools are going to invest money in data protection, it’s best to invest it in data protection training and the automation of systems to help prevent accidental data breaches. If you are in doubt about what kind of strategy you need or what solutions to buy for your school, ask an expert – be it a legal firm or an IT solutions provider that helps implement solutions specifically for data protection and compliance.
Ask the experts
RM Education offer data protection solutions built specifically for the education sector. Our tools help Data Protection Officers identify, secure and manage sensitive data, whilst our experts provide ongoing advice and support. We configure cloud services to ensure effective data protection and compliance, saving you time and offering invaluable peace of mind.
How protected is the sensitive data in your school?
Take our Data Protection Review to find out where you stand and get advice on next steps.