Why must the education sector protect data?
In recent years, data protection has become a MUST have in all educational establishments. The protection of education data is enforced by regulations such as the UK’s Data Protection Act 2018 (DPA2018) that sits alongside the “UK GDPR. These regulations set out the rules that define how to handle personal data on staff and students, securely and confidentially.
The types of education data that are covered by these regulations are extensive. Schools and other educational establishments collect and process a lot of personal data including names, ages, addresses, and photos of students, as well as data on teachers, other staff, and governors. These data are personal and often sensitive, and data protection regulations require specific levels of privacy and security to be applied when handling education data.
What do data regulation requirements mean in practise?
The UK GDPR and the DPA2018 are based on seven data protection principles:
- Lawfulness, fairness, and transparency
- Purpose limitation
- Data minimisation
- Storage limitation
- Integrity and confidentiality (security)
These principles have practical implications:
Stick to the bare minimum of data
Data minimisation is a foundation stone that helps to reduce the burden of the other principles of data protection. Only collect data necessary to carry out your school business.
Be open and transparent
By being honest about why data is being collected and what happens to it during processing, a school can help in accountability and fairness. Being transparent also helps to build trusted relationships and build confidence.
Data management reciprocity
Data protection regulations have many nuanced aspects, including allowing students, parents, governors, teachers, etc., access to data. Allow access to data and ensure that access provides the tools and processes to securely modify mistakes or delete data (as rules allow).
The tools of data protection
The integrity and confidentiality of data are enforced using the tools and processes of the security trade. Put measures in place, such as encryption and robust authentication to protect data across its lifecycle.
Having the ability to notify the correct authorities when a breach does occur is a vital part of compliance with DPA2018 and UK GDPR. Certain breach conditions under UK GDPR require that notice is made within 72 hours of the breach being discovered. Even if the breach occurs during a school holiday the 72 hours notification window must be met.
The education sector has long been a prime target for hackers’ intent on causing harm and stealing data. During the month of July, the UK/Ireland/Isle-of-Man region experienced a 142% increase in weekly cyberattacks targeting the education sector, which, as a whole has been under sustained pressure for some time. As a result, the UK’s National Cyber Security Centre (NSCC) has ongoing investigations into cyber-attacks against education and has put out a warning to all education establishments stating:
“In recent incidents affecting the education sector, ransomware has led to the loss of student coursework, school financial records, as well as data relating to COVID-19 testing.”
Education data and sharing
Schools and other educational establishments are data-rich environments. The data lifecycle of a school is a complex web of information that flows throughout school life and across the student school experience. Some example areas where data regulations dovetail with education data include:
This includes personal data of students, parents and guardians, teachers and trainee teachers, governors, and other staff:
- Financial information
- Recruitment information
- Attendance and behaviour
- Test results
- Report cards
Sensitive data (special category)
Sensitive data requires additional care under the data protection regulations. Under DPA2018 and UK GDPR, sensitive data is known as ‘special category data’ and includes data related to:
- DBS checks
- Medication and medical conditions (including mental health)
- Special educational needs
- Safeguarding needs
- Trade union membership
- Criminal offences
- Disciplinary actions
Some activities require that consent be taken and managed, this includes:
- School trips
- Social media use
- Parental communications, including apps and learning platforms
Children aged 13 and over should be offered the option to give consent regarding data protection, but parental input should also be sought where appropriate.
Sharing with others
The movement of children between schools means that often sensitive data must be transferred securely and within the remit of the DPA2018/UK GDPR.
Who is responsible for data protection in schools?
Data security is everyone’s responsibility. A teacher, for example, must ensure that they take responsibility for any personal and special category data on students they have access to. However, a school, or group of schools or academies for example, should assign an individual(s) with the necessary skills and experience to uphold data protection policies, procedures, and measures. This individual is a Data Protection Officer (DPO).
- A Data Protection Officer (DPO) is a legal requirement under the UK GDPR for all public authorities. This includes state schools, colleges, universities, and childcare provisions. If a private school processes a lot of data, it must employ a DPO.
- A DPO is an individual with the right level of knowledge to help an educational establishment to monitor internal compliance as well as inform and advise on data protection obligations.
- A DPO acts as a contact point between individual data subjects (e.g., a parent) and the Information Commissioner’s Office (ICO).
- A DPO can be an existing employee or a specialised organisations that offers this facility as a service.
- A DPO is an essential part of demonstrating compliance and showing that an establishment takes accountability seriously.
The UK GDPR came into effect on January 1st, 2021. The UK version is based on the EU GDPR (General Data Protection Regulation), replacing it when the UK left the EU. If your educational establishment has EU students, you may need to comply with both the UK GDPR and the EU GDPR. In addition, any European data collected before January 1st, 2021, is known as ‘legacy data’ and subject to the EU GDPR as of 31 December 2020.
Back to school? What to do next
Wrestling with data protection responsibilities can quickly become overwhelming, especially when you consider everything outlined above. JSIG has a depth of experience in the education sector working with schools, academy groups, colleges and universities. To find out more about how we can support you through our outsourced data protection services, please get in touch using the form below and we’ll get back to you as soon as we can.