The introduction of the General Data Protection Regulation (GDPR) has drastically changed the landscape of data privacy around the world. Introduced in May of 2018, these stringent regulations have far-reaching implications for organisations on a global scale, both private and public, and will continue to influence the way we comply with data protection for years to come.
In this blog post, we will be reviewing why GDPR is important for schools, its effects on previous data protection regulations, and how you can identify gaps within your school system to prevent data breaches in the future.
First, let’s assess the types of data that schools have access to, and how these regulations aim to protect this sensitive information.
How sensitive is school data?
Imagine you have a new student enrolling at your school. In order to process the student’s application we must first collect the following basic information:
- Name
- Contact information (Including at least 1 next of kin)
- Home address
- National curriculum and examination results
- Medical information
- Special education requirements
Obtaining and storing this data is essential to the enrollment process, but this list of basic information can be used by external threats in a variety of ways.
When we look at recent figures we can see that, as of 2020, the education sector has accounted for over 884 million data leaks around the world; making it the 3rd worst hit industry behind technology and healthcare, with over 25% of these attacks being attributed to ransomware.
Ransomware is the practice of preventing a victim from accessing their own data until a ransom is paid. In the world of cryptovirology, the field of study related to hacking, ransomware is considered to be an easier, entry-level practice.
At this level we can already see the value of ‘basic’ information. For instance, if you were to sign up for an account with your favourite online store, you would expect to provide answers for security questions such as:
- What was the name of your first school?
- What was your mother’s maiden name?
- What is the name of the street where you first lived?
Typically, these answers can be taken from the top of any personnel files, and in many cases could be used to gain access to a number of private accounts held by the individual.
When we apply this type of thinking to the information held by school systems, particularly the information of children (any human being under the age of 18, as defined by the United Nations Convention on the Rights of the Child), it becomes clear how important GDPR is for schools.
How could a data leak in my school happen?
According to research from Stanford University, the Psychology of Human Error, figures suggest that human error accounts for over 88% of global data breaches, with 69% of schools being targeted by phishing emails globally. As with ransomware, phishing is also considered a ‘low-effort’ form of hacking, yet due to its simplicity, it is also the most common.
Most of us will have seen phishing attempts before. If you take a look at your ‘spam’ folder you will likely find a number of phishing emails piled up – they’re usually the ones that say ‘Dear Customer’, ‘Dear valued member’, or feature a request for login details or the transfer of money.
It is through these avenues that data most frequently falls into the wrong hands, so when we talk about ‘human error’, we are partly referring to the increased possibility of data breaches through a lack of understanding of best security practices.
How is GDPR enforced?
Your school or institution is required by law to appoint a Data Protection Officer (DPO), who will assist you in complying with the GDPR.
These officers should:
- Inform and advise on your data protection obligations.
- Provide advice on Data Protection Impact Assessments (DPIA).
- Act as the point of contact for data subjects and the Information Commissioner’s Office (ICO).
- Maintain adequate resources to ensure high standards of protection are held.
In addition to this, a Data Protection Officer should usually only be assigned jobs relating to their role as a DPO – particularly if other tasks might be prioritised above their duties as DPO.
Read our guide to find out more about appointing a Data Protection Officer for your school: Who needs a DPO under the GDPR?
Do schools have to comply with GDPR?
EU regulations on GDPR (Article 25) demand that data protection must now be considered ‘by design and by default’. This means that all data protection principles must now be considered from concept to execution, in any new product or activity.
In addition to your appointed Data Protection Officer, it is now paramount that all staff members within the school or institute demonstrate an understanding of GDPR.
Schools and institutes are advised to have a robust information security policy which is actually adhered to throughout the business. This means that demonstrable knowledge, and practice, of your organisation’s Data Protection policy is the best way to show your school is GDPR compliant.
Why is it important that school employees receive data protection training?
Employees of your school or organisation must be able to demonstrate an understanding for best GDPR practices, this applies to all staff, regardless of their position.
Any personal information related to a school child must be considered sensitive.
Even simple information such as a students’ name can be used to breach data in the wrong hands. For this reason, it is paramount to remain vigilant when discussing or sending data relating to a child, or indeed any member of staff.
In most cases, any penalty related to data breaches under the GDPR will be applied to the organisation as a whole, but it should not be concluded that individuals cannot be subject to fines as well
It is important to be confident in your staff’s awareness of best practice for data protection, and ensure standardised training throughout your organisation.
That is why we offer tailored GDPR Staff Awareness training delivered by JSIG experts. Discover more about our GDPR Staff Awareness Training services here.
Is GDPR important for Online Schools?
As the need for home learning has increased over recent years, so too have the risks of data breaches; particularly those relating to students’ information.
With this modern change to the educational format, it is more important than ever to understand the new risks presented to schools and students, and to ensure compliance with GDPR when communicating online.
In 2021, the Italian Data Protection Authority (DPA), issued fines of €200,000 (roughly $211,376) to Bocconi University, for breaches in data protection related to online exams.
This breach of the GDPR was the result of monitoring software being used to invigilate online exams during the Covid-19 pandemic, which would audio-visually record the behaviour of students to process at the end of the exam.
In this instance, it is easy to see where the breach in data protection was – the nonconsensual gathering of audio-visual data for use by a third party. For clarity as to how the law could have been respected if consent was not obtained, the university should have relied on other legal grounds allowing data processing.
If your school or institute fails to comply with GDPR, you may be subject to fines and penalties.
Penalties of non-compliance to GDPR
As of 2022, over 900 fines related to failures in GDPR have been issued, with Amazon being the largest fine at €746 million (£645,685,380).
The regulations on penalties state that failure to comply with the GDPR will result in ‘fines of up to €20 million (roughly £17,310,600), or 4% of worldwide turnover for the preceding financial year – whichever is higher.’
What happens if a school breaks GDPR?
If your school fails to comply with the GDPR new data-protection requirements and is responsible for a data breach, the Information Commissioner’s Office (ICO) could sanction or fine your school. Therefore, compliance with GDPR is crucial for protecting your pupils.
What Are the 7 Principles of the GDPR?
The 7 principles of the GDPR are:
- Lawfulness, fairness and transparency.
- Purpose limitation.
- Data minimisation.
- Accuracy.
- Storage limitation.
- Integrity and confidentiality (security).
- Accountability.
It is important to understand these principles and how they relate to your school.
GDPR for schools checklist
We hope that this guide has provided you with enough insight into why GDPR is important in schools.
For more information, try our useful GDPR for schools checklist.
Our GDPR services for schools
With our knowledge, expertise, and industry-leading solutions, we can guide your school towards GDPR compliance and enable it to move forward with confidence – we know what it takes to get there.
Learn how to protect your school, including evaluating your compliance position. Our experts have helped countless organisations to navigate the complexities of data protection regulations, and achieve compliance with the GDPR and DPA 2018.
Discover our broad range of Data Protection and GDPR services including Consultancy, DSAR Support, Third line of defence DPO Support and Staff Awareness Training.