Schools hold an extensive range of personal data on their students and staff alike; things such as medical information, grades, behavioural reports, and images. Schools act as data controllers by determining what this data will be used for and how it will be stored. The abundance of data raises a considerable protection concern and highlights the need for comprehensive data protection training as well as reliable data policies.
Whose Responsibility is Data Protection?
As data controllers, schools are legally obliged to adhere to the data protection requirements stipulated in GDPR. Whilst data protection is the responsibility of all staff members, a specific Data Protection Officer (DPO) must be appointed to develop and maintain data policies. Ultimate responsibility for data protection lies with the school governors and trustees, who the DPO will work in association with.
Since the Data Protection Act 2018 came into force, schools have been required to actively demonstrate compliance through documentation of their personal data processes and conduction of data audits. In order to comply with the data protection principles, schools must document an explicit reason for possessing personal data and document how long it needs to be retained for. Data controllers are also required to communicate and be transparent with data subjects i.e. those your school holds personal data about (or their guardians). Creation of a high level data map, outlining the collection, storage and transfer of personal data is necessary. The map should be used to produce a data asset register. These resources can be used to identify data protection risks which should be addressed accordingly.
Special Category Data Restrictions
Personal data is any data relating to a living identifiable person. Special category data is a subset of personal data that is seen to be more sensitive and is consequently subject to greater restrictions. It includes the following: race, ethnicity, political opinions, religion, trade union membership, health information and sex life. Data relating to criminal offences does not fall into the special data category but is subject to many of the same restrictions.
Contact with Data Processors
As data controllers, schools may have contact with data processors (individuals/companies that process data on behalf of the data controller e.g. IT services). Your school is responsible for ensuring that any data processor it uses co-operates with school data policies. A written agreement must be signed between data controller and data processor.
The use of photographs within schools is common, however the data protection regulations surrounding use can be confusing. Some common examples of how photographs are used in schools are outlined in the table below.
Can be considered essential but must be deleted once the child leaves your school
Display within school
School trip photos
Permission should be sought to retain the image after the child leaves your school
Specific informed consent must be sought
A data protection breach within your school could generate catastrophic effects for both your school and your students. Individuals whose data is breached may have their rights and freedoms compromised, whilst your school could suffer an immense knock to its reputation.
In February 2018, it was discovered that four UK schools had fallen victim to cyber-crime. Hackers had infiltrated the schools' CCTV system and started to stream it live on US websites. From this event we can appreciate that poorly secured CCTV cameras compromised the privacy of thousands of school children. It highlights the need for well secured surveillance systems and strong password protection.
Meanwhile, in May 2018 Stowupland High School in Suffolk suffered a serious data protection breach. Sensitive student data, including information within the special data category, was mistakenly sent to the parent mailing list instead of staff. Alongside the student information was logins and passwords to numerous teacher platforms, therefore additionally compromising any data contained on these platforms. The school was proactive and complied with regulations by reporting the breach to the Information Commissioner's Office within 72 hours of discovery. Parents reacted to the breach with disgust and stated a subsequent lack of trust in the school. The school's reputation has suffered as a consequence, understandably.
Data protection is one way in which schools are responsible for ensuring child protection. With increasing levels of accountability and widespread repercussions for data breaches, adequate training of all your staff members is a necessity. Data protection training can ensure your school adheres to data protection legislation whilst preserving simpler privacy.