Take our free
Data Protection Review

When a device or external storage peripheral is encrypted it adds an extra layer of protection against unauthorized or unlawful access to the data stored on it.

Encryption is a mathematical function using a secret value — the key — which encodes data so that only users with access to that key can read the information.

In many cases encryption can provide an appropriate safeguard against the unauthorised or unlawful processing of personal data, especially in cases where it is not possible to implement alternative measures.

Principle 7 of the Data Protection Act 2018 states: “Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.”

There have been examples of staff storing sensitive data on unencrypted USB drives that have been subsequently been lost or stolen. These have been reported to the ICO as a serious data breach.

Encrypting sensitive data in transit as well as at rest is essential, this prevents that data being intercepted in transit and a potential attacker having access to the data.

There are free tools within Office 365 and G Suite that allow your users to encrypt emails and documents before they are sent across the internet.

Principle 7 of the Data Protection Act 2018 states: “Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.”

Any 3rd party that is processing data on your behalf such as cloud hosted software should ensure that adequate data protection is in place. Adequate measures may be backed up by internationally or nationally recognised certifications such as ISO270001 or Cyber Essentials certification.

Your data processors should also provide you with tools that allow you to comply with your obligations under the Data Protection Act 2018 such as the ability to respond to Subject Access Requests, ensure data is up to date and data retention policies are met by making it easy to delete data.

Many legacy systems do not allow you to comply with your obligations under the Data Protection Act 2018 and you should consider moving to a modern cloud hosted system that will allow you to.

It is also important that you have clear visibility over what data is being shared with 3rd parties and who it is being shared with.

Schools tend to have lots of data that has been built up over a number of years, the challenge is with unstructured data such as word and excel documents where it is often hard to tell how sensitive the data is within those documents without opening each file.

A complete data audit will ensure that sensitive data is identified and appropriately secured, there are automated tools available that allow you to do this.

It is important to consider all areas that data might be stored including personal devices or unauthorised cloud storage accounts such as Dropbox and iCloud.

Any data that no longer has a lawful purpose for processing should no longer be held.

It is important to ensure that only those that need access to your sensitive data have access to it, this includes ensuring that when staff leave they no longer have access to your sensitive information. As there are now many applications that your staff need to use it is important to be able to get them the access to those applications in a timely manner but also ensure that access is secure by having one identity and a method of managing passwords effectively.

Ideally an identity management solution should be used to automate all these areas as it is easy to miss an application or identity that could lead to a data breach.

When data is sent to a personal email address, your school loses control of that data. You are no longer in control over who can view that data, where it is stored or how secure it is. This is especially the case for email, this can now easily be accessed from almost any internet enabled device and therefore could potentially be insecure.

The same applies for documents that may be sent to personal email addresses, these will often be downloaded onto the user’s own device and therefore if the device is compromised then so is the data.

It is good practice to ensure that all your staff and governors only use their school email address for school business, that way you can control who has access to the email and on what devices. You can also easily revoke access if you need to.

By storing documents in the cloud you can ensure that the documents don’t need to downloaded onto personal device and this can also be enforced with settings within cloud platforms.

If you don’t provide your users with an easy way to access their files from their own devices or from home then they are likely to use their own methods to do so – often called ‘Shadow IT’. This is often seen in the form of your users transferring documents using external USB drives, sending email to their personal email addresses or using a personal cloud storage account such as Dropbox. If your users do use one of these methods then you have no control over how secure the data is and you could easily suffer a data breach without knowing it until something goes wrong.

Microsoft’s Office 365 and Google’s G Suite are free for education establishment and offer a secure way of storing documents, giving the school complete control over who has access to them in real time.

You may also consider a remote access solution for any data or applications that need to be accessed and are on servers physically in the school. These solutions give the user a virtual desktop experience so that nothing ever resides on their own device.

Whilst VPNs are a good way of securing a connection to your school network, this should only be used on school owned devices that have a baseline security configuration, by allowing users to access the network via a VPN on their own device, you could expose your network to a malicious attack if the user’s device is infected.

The principles of the Data Protection Act 2018 insist that you clearly communicate with data subjects about the information you will process about them and why you are processing that information.

You must be open, fair and transparent in your processing activities, which means you should be clear at the point of data collection about how you will handle that data and for what purposes. This information should be easy to understand for the data subjects and easily available.

This will normally be in the form of a privacy policy that is given to data subjects when you collect their data but should also be available more generally for people to view.

The new Data Protection Act 2018 has clear timelines that any data controller needs to meet for subject access requests and data breaches.

A subject access request must be responded to within 30 days and without undue delay, any serious data breach must be reported within 72 hours of the breach being detected. These timelines include weekends and school holidays, so it is essential that all your staff know what to do should they receive a Subject Access Request or suffer a data breach.

By training your staff on how to deal with these two things you will help the school comply with such requests within the required timescales. You will also limit any damage to the school’s reputation or reduce a fine from the ICO by dealing with these processes in a timely, transparent and organised way.