Those who work in schools handle masses of data. And for the most part, teachers feel pretty proficient in using it. However, are teachers really well equipped to be the custodians of all this data? The answer is, largely, no. Many schools are not as good as they should be when it comes to protecting data; in fact, too many are terrible at it. Worse, a lot of headteachers don’t realise quite how poor the data handling in their school actually is.
Very soon, this will be an extremely serious problem. The joyride with personal data is hurtling towards an abrupt end. As of next year, the regulations regarding data protection will be replaced and what is arriving will make common school practices very dangerous indeed.
Are headteachers scrambling around to be ready to comply with these regulations, ripping up the rulebooks and ending poor practice? On the contrary, most heads don’t even know the change is coming. It’s time they got clued up. Fast.
Is there a data protection problem in schools?
I fear that, for many schools, the answer is a resounding yes. One of the core principles of the current Data Protection Act 1998 (DPA) is that “appropriate technical and organisational measures shall be taken” to keep data safe. I have witnessed failures to satisfy this in visits and events held at other schools, and even more examples have come out from networking conversations. A former headteacher who now works across schools in an advisory capacity confirmed my own findings: data protection in most schools, they admitted, is a mess.
One important problem area is data classed as “sensitive personal data”, which requires particular and specific consideration. For schools, this means data such as ethnicity, religion, trade union membership, medical information, special educational needs and disability (SEND) status, looked-after status, receipt of assistance or bursaries, and sexual orientation. You must satisfy one of the specific conditions the DPA sets out for this data, such as explicit consent, before you process it. If you can’t point to one, you are already in contravention of the DPA.
Can you say with absolute certainty – and then prove – that only the people who need access to sensitive personal data can access it? If not, how can you say that you are protecting people’s data rights, or that you would even know when a breach had happened? Have you got some of this data in a spreadsheet without a password on a network share that everyone can read? Is it in your management information system (MIS) without access restrictions? Is it in an unlocked filing cabinet in an unlocked office?
These are just a few examples of contraventions and high data-breach risks.
Also of concern is the area of data subject rights, such as subject access requests (SAR). This is where someone can request all the data you hold relating to them. Under the current DPA you have 40 days to respond; under the incoming regulation that shrinks to one month.
How many of you can say that you would be in a position to do that? How would you deal with this if it came through on the second day of the summer holiday? Who would deal with it? Would anyone even know where to start?
For the most part, non-compliance has not led to much trouble for schools. School inspection frameworks have limited data protection coverage and it tends to be rolled up with e-safety, despite being a very different area. Under the DPA there is no legal requirement for the ICO to be notified of breaches. This means that unless a school or victim reports a breach voluntarily, it stays in-house. That changes under the new regulation, which requires a controller to notify the ICO of a breach within 72 hours of becoming aware of it wherever the breach is likely to put people at risk.
In the second quarter of 2016, 40 data security incidents were reported to the ICO regarding the education sector, compared with 278 for the health sector, where notification is already compulsory. Reported incidents have therefore been low, statistically speaking, so the action taken has been light and in the form of a managed “undertaking”, whereby the ICO stipulates preventative and corrective actions that have to be taken within a set time frame. Since 2015, only two educational establishments have had to sign up to an ICO undertaking.
Currently, non-compliance is unsurprising: most school staff have no experience of, or professional development in, data protection. Teachers are trained to teach, manage classrooms, ensure safeguarding and satisfy a steady stream of other changing requirements. Senior leaders have the colossal task of running the school and dealing with their own duties. On top of that sit governance and inspection-based record-keeping requirements, along with the global trend of increasing mass data collection.
It is simply unreasonable to expect compliance without training, support and guidance.
What is changing and why?
Schools will no longer be able to get away with the contraventions that have quietly occurred in the past. You will have to prove compliance. There will be a broader classification for what is “personal data” and the fines are getting much, much bigger (see box, “Data protection: staying inside of the law”, below). The ICO will gain a clear and complete insight into the governance and performance of data protection in schools and this will ultimately dictate how it will respond to contraventions and repeat offenders.
This change is down to something called the General Data Protection Regulation (GDPR), a new European Union regulation that applies from 25 May 2018. The ICO and the UK government have both confirmed that, despite the referendum decision to exit the EU, the regulation is expected to apply in full and replace the current DPA.
The reason for the GDPR is to ensure that data protection rules are up to date. In July 1998, when the DPA was enacted, Google had only just got started, and Facebook and OneDrive did not exist. Work emails ran off your own mail server and most organisations kept smaller amounts of recorded data, predominantly on local servers or in physical filing cabinets.
Since then, our data usage has exploded. Globalisation and digitalisation have led to a world where this wealth of information is now usually electronic and is stored and replicated in dispersed locations, using external suppliers. For schools, this has meant that more and more replicated personal data is being stored locally in multiple areas (both physical and digital) and online; and is being accessed by an increasing number of people, both in school and remotely (such as from home).
It’s now a much more complex data world, and the aim of the regulation is to clarify things so that people are protected and those responsible for managing data have a clear picture of their responsibilities.
Are schools prepared?
Most don’t even know it is coming. I was recently at a business event for a major hardware supplier, full of people from the corporate world, and discussions quickly drifted to data protection. Everyone at the event was not only aware of the incoming regulation, but also the majority were clearly worried about the workload required to meet it and generally felt that preparation time was running out.
Compare this with an educational event in the same month, where most people didn’t have a clue about the regulation change. The few who did had only a vague notion of what it was, and showed little awareness of its gravity or the urgency of satisfying it. A spot survey of around 20 heads from different phases revealed that only one had heard of the regulation, and even they had no real idea of what it entailed or what it would mean for their school.
As for official guidance from education organisations, at the time of writing there have been no great campaigns to make schools aware of the changes. Along with the ICO, the Independent Schools Council has some initial guidance and useful links, but these could benefit from more prominence and promotion.
What should you do about it?
It sounds scary. You’re probably feeling slightly overwhelmed or worried. But don’t panic. Changing the way your school works is not going to be the upheaval you may expect and, really, this should be seen as an opportunity. The GDPR has come about because regulations needed updating – this is to your benefit and to the benefit of those who work and are taught in your school. Their data will be safer as a result of this, and protecting those people should be something you want to do.
To make the whole process as painless as possible, you need to start now. We’re already behind – the corporate and business world has been preparing for some time already and has got to grips with what needs to be done. We need to catch up.
Should you really be that worried?
Do not underestimate how soon you need to get on with reviewing how you operate and implementing the necessary changes. My experience with corporate leaders is that they would consider now as already too late to begin this process. Companies are well into their data audits and have invested serious amounts of money and time in legal guidance; professional consultation; data discovery and cataloguing tools; contract updates; terms and conditions revisions; updated record-keeping practices; impact assessment frameworks; procedure and policy reviews; and training plans.
They have a healthy respect for the potential level of fines. The maximum penalty under the DPA is £500,000; under the GDPR it rises to €20 million or 4 per cent of annual worldwide turnover, whichever is higher, which is far above the biggest fine the ICO has issued to date. Schools have not yet been fined directly by the ICO, although this has happened indirectly via fines to councils for state schools. However, don’t rule out that the new insight the ICO will have into school practices may reveal high levels of contraventions and breaches that leave it no choice but to send a message to schools in the form of fines.
Do not misjudge what is classed as personal data and how much you actually hold. Say you have a member of staff with a complaint and they exercise their right to see the data you hold on them. This would include any data held in email conversations and attachments. Don’t forget meeting minutes; these contain personal data, too. What if this leads to the need to correct or delete an entry under their right to rectification or erasure? The change has to apply to every copy of the data, including copies held in backups. This means your policies must cover backups as well: any data you later recover from a backup must be checked against the corrections and erasures you have already carried out, and those applied again before the restored data goes back into use.
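The backup problem above has a standard engineering answer: keep an append-only ledger of every rectification and erasure, and replay that ledger over any snapshot you restore before the restored data goes live. The following is an added example illustrating that pattern; it is not the article’s own code, nor any real MIS product. The pupil records, field names and identifiers are constructed for the demonstration.

```python
"""
Erasure/rectification ledger replayed on backup restore.

Added illustrative example (not from the original article). The records,
field names and identifiers below are constructed sample data.
"""
from copy import deepcopy
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Record = Dict[str, str]
# Ledger entry: (action, record_id, field_name, new_value).
# For "erase", field_name and new_value are empty.
LedgerEntry = Tuple[str, str, str, str]


@dataclass
class Store:
    """Live records plus an append-only ledger of data-subject-right actions."""
    records: Dict[str, Record]
    ledger: List[LedgerEntry] = field(default_factory=list)

    def rectify(self, record_id: str, field_name: str, new_value: str) -> None:
        """Correct one field and log the correction for later replay."""
        if record_id in self.records:
            self.records[record_id][field_name] = new_value
        self.ledger.append(("rectify", record_id, field_name, new_value))

    def erase(self, record_id: str) -> None:
        """Remove a record and log the erasure for later replay.

        The ledger keeps only the record identifier, not the erased data,
        so it does not itself become a copy of what was deleted.
        """
        self.records.pop(record_id, None)
        self.ledger.append(("erase", record_id, "", ""))


def take_backup(store: Store) -> Dict[str, Record]:
    """Snapshot the live records only; the ledger is retained separately."""
    return deepcopy(store.records)


def apply_ledger(records: Dict[str, Record], ledger: List[LedgerEntry]) -> Dict[str, Record]:
    """Replay every logged correction and erasure over a restored snapshot."""
    out = deepcopy(records)
    for action, record_id, field_name, new_value in ledger:
        if action == "erase":
            out.pop(record_id, None)
        elif action == "rectify" and record_id in out:
            # A rectification logged after an erasure, or for a record the
            # snapshot never held, is skipped rather than resurrecting data.
            out[record_id][field_name] = new_value
    return out


def restore(store: Store, backup: Dict[str, Record]) -> None:
    """Restore a backup into the live store and immediately replay the ledger."""
    store.records = apply_ledger(backup, store.ledger)


def demo() -> Dict[str, object]:
    """Show a naive restore re-creating erased data versus a ledger-aware one."""
    store = Store(records={
        "S001": {"name": "A. Pupil", "send": "yes"},   # constructed sample
        "S002": {"name": "B. Pupil", "send": "no"},    # constructed sample
    })
    backup = take_backup(store)          # taken before any requests arrive

    store.rectify("S002", "send", "yes")  # correction requested by a parent
    store.erase("S001")                   # erasure requested and carried out
    store.rectify("S001", "name", "X")    # late correction for an erased record

    naive = deepcopy(backup)              # what a plain restore would give back
    restore(store, backup)                # ledger-aware restore

    return {
        "naive_has_erased_record": "S001" in naive,
        "naive_send_for_S002": naive["S002"]["send"],
        "restored": store.records,
    }


if __name__ == "__main__":
    print(demo())
```

The ledger must be stored and backed up separately from the records it governs, and access to it controlled like any other sensitive log; if it is lost, the restore has nothing to replay and the erased data silently comes back.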
Does your school have any looked-after children? Or pupils flagged as being vulnerable, such as young carers, and those at risk, who also have restrictions on which of their contacts can receive certain information?
Recognised health issues among pupils and staff are increasing, and unaccompanied asylum seekers are entering schools throughout the country. All this and more generates information that is highly sensitive, and you must be on top of how this data is managed, how access to it is controlled and how it is kept secure.
In fact, conversations with designated school staff and council-based virtual school officers suggest that these are often the areas where access controls and guidelines already represent good practice, and they can be used as a template for handling the rest of the school’s personal data.
Why you should embrace the changes
As a school you are, and will continue to be, the data controller responsible for a substantial amount of sensitive personal data. Inherently, this is not an unmanageable or a bad thing: we all have data held by someone else and we want it to be accurate and kept safe. The key for schools is to ensure that governance over the quality and operational management of data protection is always at a high level. Complying with the GDPR shouldn’t be seen as a mere obligation – it should be something that school leaders want to do to protect staff and students.
Toks Oladuti is the director of information systems for an independent girls’ schools trust in London. Prior to that, he consulted and managed IT in the corporate world. He tweets @t_oladuti