It is only a matter of time before schools become engulfed in scandals over breaches of their pupils’ data, a leading expert has warned.
The claim comes amid a growing number of schools reporting data breaches to the Information Commissioner’s Office.
Ross Anderson, professor of security engineering at the University of Cambridge, outlined fears that the education system was at risk of the sort of high-profile failings that have hit the NHS in recent years.
Power of data: Christmas Jumper Day cancelled after poor pupils revelation
Quick read: Half of schools ‘not fully compliant with GDPR’
Advice: How schools can protect their pupils’ data
“There are gazillions of companies using all sorts of computerised learning materials and schools are inhaling this without much pause for thought,” he told Tes.
“There are a number of issues: the first is quality control and market regulation and now it is a huge free for all. Companies are also selling this data to all and sundry, even when it is personal health information. Surely there are concerns there?
“The first thing [schools] must do is understand and have a list of all the personal data they keep and for what purpose, and figure out in advance what the lawful justification for that is, and is it something for which you need consent.
“Eventually, there will be a scandal, perhaps fairly soon.
“Exactly the same risk applies to systems in schools [as in the NHS] which set out to collect what amounts to health data. What is it doing sitting on a server in Taiwan?
“It will take a while for the penny to drop but eventually it will be on the front of the Daily Mail and there will be a huge outcry. They [schools] have no idea what is being done to the data or where it is.
“You have to look very closely under the hood to who gets the data and what are the secondary uses.
“Are they proposing to put Google ads in front of your kids? If so, you should probably run them out of town.
“There are a lot of people selling complete crap to a lot of complete suckers.”
Professor Anderson has particular concerns about biometrics “being used aggressively for everything in schools, from libraries to lockers, but do we want the kids to be indoctrinated into the idea that biometrics are a good thing?”.
He warned that many apps used by schools were “extracting personal health information, such as recognising whether children have special needs or are autistic”. “Firstly, what is the robustness of these tests, and secondly what about the control of this information?” he said.
Unless the school retains ownership of the data, it can be sold on, with the school having no idea who is using it and why. Although GDPR has made schools more aware of privacy issues, Professor Anderson said there was still a long way to go.
“I suspect that if a rigorous GDPR audit was given to the average school in England and Wales they would fail by a mile,” he said. “They often have no clue what is being hoovered up, by whom and to what use it is being put.”
The academic said that schools needed to be savvier about what they were using.
“Lots of schools buy all sorts of crap because they don’t understand it,” he said. “They think it is going to help but it doesn’t. If you are going to use it you have to understand it. If you haven’t been on a chainsaw awareness course, don’t buy a chainsaw.”
But Duncan Baldwin, deputy policy director at the Association of School and College Leaders, told Tes that schools were “very good at storing data and understanding what needs to be done with it”.
He added: “GDPR means that their relationship with other providers has had to be more clearly understood. Schools have always had a responsibility for data and GDPR has made things more transparent.
“I don’t think as far as schools are concerned it is substantially different from five or 10 years ago.
“There will be formal arrangements about data sharing in place with any providers they use, so the ownership of the data is clear.”
Mr Baldwin said that “there are so many benefits that outweigh concerns about where the data is held and so on”.
He cited the use of biometric data such as fingerprints to allow pupils to claim free school meals discretely and avoid stigma.
He added: “Data on pupils is held securely on a school’s servers, in conjunction with their management information providers, and it has always been thus. Information has always been held like that.
“Schools are more vigilant about access to data, making sure that it is secure and encrypted.”
To read the full investigation on data in schools, see the 31 May edition of Tes magazine available in all good newsagents. To download the digital edition, Android users can click here and iOS users can click here.
