The amount of potentially sensitive pupil data collected by schools is growing exponentially.
But there are some sensible measures that schools can take to reduce the risk.
Investigation: Schools heading for pupil data scandal
Power of data: Christmas Jumper Day cancelled after poor pupils revelation
GDPR for schools: How to become compliant
United Learning, one of the country’s largest multi-academy trusts, is in the process of encouraging its schools to move to cloud-based storage.
The trust's group director of technology, Dominic Norrish, told Tes that while a school-based server may seem more secure, this is an illusion.
“The major security risk is that you can’t get to that data when you are outside school,” he said. “This drives unintended behaviour, such as teachers taking data out of the system and putting it on a memory stick and taking it home. Very rarely has anyone encrypted memory sticks, and very often they are lost.”
Keeping data secure
Storing data in the cloud means that it can be accessed securely, there is never an excuse to remove data and the equipment is regularly updated. It also means the school does not have to employ someone to do that for them, operate server rooms or replace the servers every few years.
It also means the school is less vulnerable to ransomware, with robust firewalls keeping out or limiting the impact of malicious attacks, and that sharing data involves granting access – which can be revoked at any time – rather than sending an attachment, which cannot be recalled.
“A fundamental principle of data protection is you don’t move data, you grant access, and you rescind access,” Mr Norrish said.
Schools should carry out a data protection impact assessment (DPIA) when partnering with any third party provider, he added. This should look at how they will protect the data, where they are storing it and the strength of their password policy.
Data stored in the EU is subject to strict EU laws, although this does not necessarily mean storage outside the EU is less secure. Companies can undertake to treat it as though it were stored within the EU even when it’s not, Mr Norrish said.
Risk assessments should also be carried out any time data is shared. “Unless you ask the right questions, data could be shared with people who do not have sufficient security, and that creates a risk,” he said. Also crucial is making sure staff are aware of the dangers.
“The majority of data breaches happen when someone accidentally emails a file to the wrong person,” he added. “One of the most important things you can do is to educate the human beings. Showing people real examples of emails you have received can be very powerful."