How schools can protect their pupils' data

The idea that a school-based server is more secure than cloud storage is just an illusion, one expert warns

How schools can protect pupil data

The amount of potentially sensitive pupil data collected by schools is growing exponentially.

Some experts are warning that it is only a matter of time before state schools, like the NHS before them, face a "huge outcry" as the sector is hit by a data scandal.

But there are some sensible measures that schools can take to reduce the risk. 


Investigation: Schools heading for pupil data scandal

Power of data: Christmas Jumper Day cancelled after poor pupils revelation 

GDPR for schools: How to become compliant


United Learning, one of the country’s largest multi-academy trusts, is in the process of encouraging its schools to move to cloud-based storage.

The trust's group director of technology, Dominic Norrish, told Tes that while a school-based server may seem more secure, this is an illusion.

“The major security risk is that you can’t get to that data when you are outside school,” he said. “This drives unintended behaviour, such as teachers taking data out of the system and putting it on a memory stick and taking it home. Very rarely has anyone encrypted memory sticks, and very often they are lost.”

Keeping data secure

Storing data in the cloud means that it can be accessed securely, there is never an excuse to remove data and the equipment is regularly updated. It also means the school does not have to employ someone to do that for them, operate server rooms or replace the servers every few years.

It also means the school is less vulnerable to ransomware, with robust firewalls keeping out or limiting the impact of malicious attacks, and that sharing data involves granting access – which can be revoked at any time – rather than sending an attachment, which cannot be recalled.

“A fundamental principle of data protection is you don’t move data, you grant access, and you rescind access,” Mr Norrish said.

Schools should carry out a data protection impact assessment (DPIA) when partnering with any third party provider, he added. This should look at how they will protect the data, where they are storing it and the strength of their password policy.

Data stored in the EU is subject to strict EU laws, although this does not necessarily mean storage outside the EU is less secure. Companies can undertake to treat it as though it were stored within the EU even when it’s not, Mr Norrish said.

Risk assessments should also be carried out any time data is shared. “Unless you ask the right questions, data could be shared with people who do not have sufficient security, and that creates a risk,” he said. Also crucial is making sure staff are aware of the dangers.

“The majority of data breaches happen when someone accidentally emails a file to the wrong person,” he added. “One of the most important things you can do is to educate the human beings. Showing people real examples of emails you have received can be very powerful."

To read more on data in schools, see the 31 May edition of Tes magazine, available in all good newsagents. To download the digital edition, Android users can click here and iOS users can click here.

Log in or register for FREE to continue reading.

It only takes a moment and you'll get access to more news, plus courses, jobs and teaching resources tailored to you