Research presented at the recent British Educational Research Association’s annual conference revealed that data protection and information security continues to present challenges for schools.
Schools are accumulating and processing more and more personal data in a world of increasing connectivity which presents risks – to the welfare of children, the integrity of schools’ information systems and to schools themselves.
With the Information Commissioner able and increasingly willing to impose monetary penalties of up to £500,000 for breach of the Data Protection Act 1998, schools face real financial risks if found in breach.
Research of 1,059 schools by the universities of East Anglia and Plymouth, based partly on self-assessment by schools of their own information security provisions, showed almost half had either no personal data policy or had a policy that was under development.
The survey revealed that 40 per cent were operating below the recommended level on technical security and 45 per cent in relation to password security.
These findings are consistent with those of the Information Commissioner’s Office (ICO), which issued a report in September 2012 highlighting concerns with the ability of schools to comply with the data and offering some useful recommendations that operate as a checklist to good data protection practice.
According to Louise Byers, the ICO’s head of good practice, the report “showed that while awareness of the law was broadly good, knowledge on how to comply with it wasn’t always there”. She added: “The sensitive personal data that schools handle means it is crucial they get this right.”
Schools are “data controllers” under the Data Protection Act and bear primary responsibility for compliance with that Act. Failure to comply with the data protection principles can give rise to claims for compensation, and failure to comply with any aspect of the Act can lead to a significant monetary penalty from the ICO and/or other enforcement action.
It is important that schools are aware of their legal responsibilities in this area and are able to take the necessary steps to ensure that those responsibilities are met. Adopting the ICO’s recommendations, the following are important to ensuring compliance with data protection law.
Schools should ensure their ICO notification is accurate, up-to-date and renewed on time. Where new processing activities such as biometric data or installation of CCTV are proposed, schools’ notifications should be amended accordingly.
Schools should recognise their responsibility to handle personal data in line with the data protection principles, and what this means in practice. Data protection policies and procedures should ensure as a minimum that only information that is needed is stored, access to that information is only given to those that need it, and information is stored securely. Schools must be able to identify sensitive personal data and ensure an enhanced level of protection is applied to it.
Schools should let pupils, parents and staff know what will be done with their personal information and access should be restricted to those who need it.
Confidential information should be kept secure at all times, when being used, stored and shared. Passwords should be used and renewed periodically. Where information is to be taken off school premises, it should be on encrypted devices. The removal of paper files off-site should be avoided if possible, due to the risk of accidental loss or theft. Where paper files are to be removed, the school should put in place policies for when this can take place and employ an approval mechanism to maintain control. Devices containing personal data and paper files should be kept within a controlled environment, using password protection and within locked cupboards.
When disposing of records and equipment, schools should ensure that personal information cannot be retrieved from them. The ICO has issued a number of significant monetary penalties recently where hard drives have been sold on internet auction sites and left in recycling facilities when it remained possible to retrieve personal data held on those drives.
Even where contractors had been employed to carry out the disposal, the ICO has fined the data controller where they have been deemed not to have taken sufficient care in selecting the contractor and monitoring compliance. It is vital that any data processing/disposal agreements contain terms requiring contractors to take all appropriate measures and provides for contractors to indemnify schools in the event of any breach.
Good records-management policies and procedures are crucial in helping schools comply with the Act. A specific member of staff should be given responsibility for raising data protection awareness and ensuring policies are adhered to and updated as necessary.
The ICO makes clear that the lack of effective data protection policies and procedures and the lack of clear governance arrangements which demarcate lines of responsibility for compliance are factors that make the imposition of a monetary penalty more likely.
Good data protection policies, once drafted and adopted, can be worth their weight in gold in terms of minimising the risk of breach and “hard-wiring” data protection into the workings of an organisation.
Subject access requests
Schools should have procedures in place to recognise, log and monitor these requests. An officer should be assigned to deal with them and that officer should receive training in the basic legal requirements relating to such requests.
Schools should be particularly careful to ensure that, when dealing with a subject access request for one pupil, they have regard to the data protection rights of any other staff or pupils identified by the information that would be disclosed, and to the exemptions available to the right of access.
So if a parent requests a record that identifies other pupils, information that could identify those pupils should be redacted. If those pupils can still be identified, access to the record should be declined.
Before sharing personal data with others, schools must ensure they are not breaching the rights of the pupils concerned. The Act allows sharing for certain purposes and in the public interest. Where data is to be shared, schools should ensure that only the information that is required for the purposes for which the data is being shared is provided and obtain assurances from the receiving party that the data will be kept securely, used only for the purposes for which it is provided, accessed only by persons necessary to carry out those purposes, and returned or destroyed when the purposes have been performed.
Staff and pupils should be informed what CCTV footage will be used for and retention periods should be set and regularly reviewed. CCTV images should be treated in the same way as any other personal data. Often requests will be made for CCTV images which identify people other than the person to whom the request relates. Unless the school has the technology to obscure the identities of those individuals, that request should be declined on grounds that it would be unfair to disclose personal data about those individuals as they have not given their consent to such disclosure.
Focusing on these areas will assist schools in taking positive steps to improve their compliance record while minimising risks to staff and pupils. Information security should become as much as part of operational thinking as physical security – in the interoperable world in which we live, the two are becoming increasingly connected. SecEd