
Safeguarding Student Data: The Importance of Data Protection in Schools


Safeguarding student data is of fundamental importance in schools and all educational organisations, including nurseries, colleges and universities. Schools have to routinely capture and process large amounts of data about pupils, parents, staff, volunteers, visitors and other stakeholders. 

This includes information such as:

  • Personal information (including names, addresses, DOBs, family information etc)
  • Academic and behavioural records
  • Details about attendance and absence
  • Health information
  • Biometric information (e.g. fingerprints to allow students to access their funds to buy items in the canteen or take books from the library)
  • Safeguarding information (including SEN, status of ‘looked after’ children etc)

In this article we will examine the critical role data protection plays in schools, the important legislation that underpins it and some effective strategies for keeping student data safe and managing any breaches that may occur. 

The Importance of Data Protection in Schools

Data protection in schools refers to the safeguarding of private and personal student information and the handling of such data in a safe, secure, compliant and confidential manner. 

All schools have an obligation to comply with data protection regulations including data processing agreements, data subject rights and data breach recording.

Personal data has to be collected, handled, stored, processed, shared and deleted in a way that is lawful and in line with the law and best practice.

Good and compliant data protection practices in schools are extremely important:

  • To keep everyone’s data safe
  • To ensure privacy and confidentiality
  • To guarantee compliance (as far as possible) with current legislation, guidelines and regulations
  • To minimise the chance of a security breach occurring

Each school requires:

  • A data protection policy
  • An appropriate policy (for Special Categories of Personal Data and Criminal Offence Data)
  • A Data Protection Statement

In addition, schools require three separate privacy notices:

  • Privacy Notice – Pupils and Parents/Families/Carers/Legal Guardians
  • Privacy Notice – Teaching Staff
  • Privacy Notice – Non-Teaching Staff

Your school’s Privacy Notice for Pupils and Parents/Families/Carers/Legal Guardians is standard across all schools. Policies for teaching and non-teaching staff will be specific to your school type. You can find templates for all three published by the Education Authority (EA) here.

If data protection principles are not followed and a breach occurs it could have serious consequences, for example:

  • Identity theft and fraud
  • Serious safeguarding issues for children if their personal information, such as their address, is accessed by an unauthorised third party
  • Stress, upset and embarrassment for all concerned
  • Organisations, including schools, can face reprimands and fines of up to £17.5 million or 4% of global turnover if they fail to adhere to data protection regulations

Earlier this year, an academy trust in Coventry faced a ‘reprimand’ from the Information Commissioner’s Office (ICO) for failing to secure their systems and implement previous guidance which resulted in multiple IT hacks. Issues included:

  • No multifactor authentication
  • The reuse of passwords
  • Inadequate lockout procedures

The trust’s failures resulted in the exposure of the personal details of over 1,800 people. Although a reprimand is not a financial penalty it is a way to name and shame offenders. 

Legal and Regulatory Framework

The General Data Protection Regulation (GDPR) is an EU regulation that came into force in 2018. It sets out how organisations, including businesses, charities and schools, can use people’s personal data, including whether they can capture, store and share personal data with others. 

The Data Protection Act 2018 is the UK’s implementation of the GDPR. The Act requires everyone responsible for using personal data to adhere to strict rules known as data protection principles. As of January 2021, most EU law no longer applies in the UK due to our exit from the European Union. As a result, the GDPR was passed into UK law known as the UK GDPR, although the basic principles remain the same.

Under the UK GDPR, the only supervisory authority (data protection regulator) is the Information Commissioner’s Office (ICO); this applies to schools and all other data processors. The ICO’s website provides key guidance on data protection. 

In line with data protection regulations, schools must ensure that personal information is:

  • Used fairly, lawfully and transparently
  • Used for specified, explicit purposes
  • Used only in a way that is adequate, relevant and limited to only what is necessary
  • Accurate and, where necessary, kept up to date
  • Kept for no longer than is necessary
  • Handled in a way that ensures appropriate security, including protection against unlawful or unauthorised processing, access, loss, destruction or damage

There is stronger legal protection for more sensitive information, such as:

  • Race
  • Ethnic background
  • Political opinions
  • Religious beliefs
  • Trade union membership
  • Genetics
  • Biometrics (where used for identification)
  • Health
  • Sexual orientation

There are separate safeguards in place for personal data that relates to criminal convictions and offences. 

Under the Data Protection Act 2018, you have the right to find out what information the government and other organisations store about you. These include the right to:

  • Be informed about how your data is being used
  • Access personal data
  • Have incorrect data updated
  • Have data erased
  • Stop or restrict the processing of your data
  • Data portability (allowing you to get and reuse your data for different services)
  • Object to how your data is processed in certain circumstances

You also have rights when an organisation is using your personal data for:

  • Automated decision-making processes (without human involvement)
  • Profiling, e.g. to predict your behaviour or interests

All maintained schools and academies are required to appoint a Data Protection Officer (DPO). The DPO will have the knowledge and skills required to help schools remain compliant with data protection laws and keep student data safe. 

The Data Protection Officer is allowed to cover more than one school, and their main responsibilities are:

  • Advising school leaders and staff about their data obligations
  • Monitoring compliance
  • Conducting regular data audits
  • Developing and updating data protection policies and procedures
  • Monitoring who in the school has access to personal data
  • Advising when data protection impact assessments are needed
  • Answering data protection enquiries from staff, parents and pupils
  • Making sure privacy notices are regularly reviewed and updated
  • Supporting and advising staff who have data protection queries
  • Communicating with the Information Commissioner’s Office (ICO)
  • Reporting to the governing board or trustees about data protection
  • Updating the governing board or trustees on data protection risks
  • Advising on and coordinating responses to information rights requests
  • Making sure all assets containing personal data are secure and managed appropriately

Source: (“Data protection in schools – Role of data protection officers … – GOV.UK”)

All schools have the same data protection compliance requirements. For example, under the UK GDPR there are six lawful bases under which data can be processed. Your reasons for processing data must satisfy at least one of the following:

  • Consent – individuals are given a real choice about the use of their data
  • Contract – when using data is necessary for a contract the school has (or will have) with an individual
  • Legal obligation – where using someone’s data is necessary for legal compliance
  • Vital interests – when using data is fundamental in protecting someone
  • Public interests – when the school's use of someone's data is for something that is genuinely in the public interest
  • Legitimate interest – when processing someone’s data is necessary for the school’s legitimate interest (or the interest of a third party). This can be overridden if there is a good reason to prioritise protecting personal data over those legitimate interests

Best Practices for Safeguarding Student Data

Everyone working within a school setting has a role to play in protecting student data, although some people will have more responsibility than others. Your DPO will be a significant port of call for any questions or issues relating to data protection within the school; however, all staff who deal with student information require training on data protection. 

Schools need to take proactive security measures to protect the data that they have on file, including conducting risk assessments, educating employees and keeping up with emerging threats and new technologies. 

Data protection in schools should include:

  • Encryption of all electronically stored personal information
  • Installing up-to-date firewalls and anti-virus software and ensuring they are regularly updated
  • Scanning documents and attachments before opening them
  • Limiting access to personal information to authorised personnel only
  • Collecting and processing data only within specified guidelines and in line with the school’s data protection policy

The ICO has put together guidelines on how to prevent personal data breaches in schools. It includes some of the following advice:

  • Double-check information when sending out personal information
  • Disable autofill in your email settings
  • Ensure all staff have received the relevant training (both during induction and as part of regular refresher training)
  • Use technical controls so that only authorised personnel can access the information they need
  • Create a culture of professionalism and confidentiality
  • Keep data secure (securely protecting computers, locking away files, ensuring offices and places where data is kept are safe and secure)
  • Keep IT systems up to date by regularly installing security updates, performing scans and using anti-virus software
  • Use ‘blind carbon copy’ techniques (BCC) when sending emails as standard. This ensures that all recipients of the same email are not visible to one another
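As an added example that is not from the article or the ICO, here is a small outbound-mail check that encodes two of the points above (Bcc as standard for group mailings, and double-checking where personal data is going) so they are enforced automatically rather than left to memory; the school domain, the set of regularly contacted domains and the two sample messages are assumptions constructed for the demonstration.

```python
# Added example (not from the article): outbound e-mail policy check
# modelled on the ICO advice above. Domains and messages are constructed.
import email
from email import policy

SCHOOL_DOMAIN = "example-school.sch.uk"         # assumed school domain
KNOWN_DOMAINS = {"example.com", "example.org"}  # assumed regular contacts

def _domain(addr):
    return addr.rsplit("@", 1)[-1]

def _addresses(msg, header):
    """Lower-cased addr-specs from a recipient header, or [] if absent."""
    hdr = msg.get(header)
    return [a.addr_spec.lower() for a in hdr.addresses] if hdr else []

def check_outbound(raw, school_domain=SCHOOL_DOMAIN, known=KNOWN_DOMAINS):
    """Return [(code, detail), ...] for one outgoing message; [] means it passed.
    USE_BCC: several external recipients can see each other in To/Cc.
    UNKNOWN_DOMAIN: a recipient domain the school has never mailed (typo?).
    ATTACHMENT_OUT: an attachment is leaving the school domain."""
    msg = email.message_from_string(raw, policy=policy.default)
    visible = _addresses(msg, "To") + _addresses(msg, "Cc")
    hidden = _addresses(msg, "Bcc")
    ext_visible = [a for a in visible if _domain(a) != school_domain]
    ext_all = ext_visible + [a for a in hidden if _domain(a) != school_domain]
    findings = []
    if len(ext_visible) > 1:
        findings.append(("USE_BCC", f"{len(ext_visible)} external recipients visible"))
    for d in sorted({_domain(a) for a in ext_all} - known):
        findings.append(("UNKNOWN_DOMAIN", d))
    if ext_all and any(p.get_filename() for p in msg.iter_attachments()):
        findings.append(("ATTACHMENT_OUT", "attachment addressed outside the school"))
    return findings

# Constructed sample: trip letter sent To several parents, one address mistyped.
RISKY = """From: office@example-school.sch.uk
To: parent.one@example.com, parent.two@exmaple.com
Subject: Trip consent forms

Please return the forms by Friday.
"""
# Same letter after correction: recipients moved to Bcc, typo fixed.
FIXED = """From: office@example-school.sch.uk
To: office@example-school.sch.uk
Bcc: parent.one@example.com, parent.two@example.com
Subject: Trip consent forms

Please return the forms by Friday.
"""
```

Calling check_outbound(RISKY) returns the USE_BCC and UNKNOWN_DOMAIN findings while check_outbound(FIXED) returns an empty list; run at a mail gateway, a check like this is one form of the data loss prevention tooling the article mentions later.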

Incident Response and Data Breach Management

A personal data breach is some kind of security breach that results in the accidental or unlawful destruction, loss, alteration, or unauthorised disclosure of, or access to, personal data.

Both data breaches and cyberattacks can result in sensitive personal information being accessed and/or released. Cyberattacks can also mean the loss of vital information and schools being temporarily unable to access their computer systems. This is a serious safeguarding issue and could place children and others at risk. 

If you believe a breach has occurred in your school you should report it immediately to your school’s Data Protection Officer. Having a consistent approach to reporting incidents allows for:

  • Immediate remedial action to be taken
  • Incidents to be handled sensibly and properly by trained staff
  • Accurate records and documentation to be kept about breaches and issues
  • The impacts to be understood and action taken to mitigate damage
  • Problems to be resolved quickly to allow normal service to resume
  • Evidence to be gathered and recorded in a way that it can be both internally and externally analysed
  • Lessons to be learned and appropriate changes to be made to reduce repeat incidents

The UK GDPR requires organisations, including schools, to report certain personal data breaches to the ICO. This should be done within 72 hours of becoming aware of the breach. If the breach is likely to significantly compromise the individuals concerned, you must notify them as well. Records must be kept of these activities. Cyber incidents should also be reported to the National Cyber Security Centre (NCSC).

It is essential that critical data in schools is protected from:

  • Cyberattacks
  • Security breaches
  • Unauthorised access and use

Safeguards should be put in place to prevent an incident or breach from occurring, for example, data encryption, installing firewalls, using strong passwords and scanning documents. All staff in schools, especially those working within administration, require training in:

  • How to spot suspicious links or attachments and not open them
  • Using appropriate and unique passwords
  • How to perform security scans and use anti-virus software
  • How to report suspicions about unauthorised access
  • What to do in the event of a cyberattack or data breach

If you cannot access your systems or are unsure of how to proceed after a cyber or security incident and your internal IT department cannot help, get expert advice from a cyber security consultant or similar professional as soon as possible.

Technology and Tools for Data Protection

It is important for schools and academic institutions to commit to upholding best practice regarding the safeguarding of student data. This includes: 

  • Regularly assessing and reviewing their current data protection practices
  • Training all staff on data protection protocols in line with current guidelines and legislation
  • Performing relevant checks and audits

Many data breaches happen by accident, for example someone’s personal details are emailed to the wrong recipient. To prevent accidental breaches, thorough training and safeguarding measures must be put in place (see the ICO guidelines in the Best Practices section above).

Tools and software can be used in addition to staff education and training to strengthen data protection protocols in schools, for example:

  • Data loss prevention systems
  • Multifactor authentication systems
  • Secure data management systems
  • Data encryption technologies
  • Intrusion detection and prevention systems (IDPS)
  • Cloud storage solutions
  • Lockout Tagout (LOTO) protection systems

New technologies are constantly emerging that can improve the administrative services within schools. When adopting new systems, processes or software, it is crucial that everyone receives the appropriate training on how to use these tools properly. 

Key Takeaways

  • The safeguarding of student (and other) data in schools is of critical importance
  • Key legislation that requires schools to have adequate data protection measures in place includes the UK GDPR and the Data Protection Act 2018
  • Data misuse, accidental error or a security breach could result in the loss of, damage to, or unauthorised access to sensitive and private information
  • Schools can face reprimands and fines of up to £17.5 million or 4% of global turnover if they fail to adhere to data protection regulations
  • All possible steps should be taken to ensure that data protection practices in schools are appropriate and compliant with UK law

Conclusion

The importance of data protection in schools cannot be overemphasised. Robust data protection protocols must be followed to show compliance and minimise the chance of a security-related incident occurring. Failure to do so risks exposing sensitive information and leaves schools open to serious consequences. 

If you work within a school, it is crucial that you have received comprehensive training in the GDPR and general data protection principles. All educational institutions need to regularly review their data protection policies and practices to ensure compliance and to protect student data. Policies and procedures should be updated and improved as needed, especially after new legislation is passed or after a breach has occurred.


About the author


Vicky Miller

Vicky has a BA Hons Degree in Professional Writing. She has spent several years creating B2B content and writing informative articles and online guides for clients within the fields of sustainability, corporate social responsibility, recruitment, education and training. Outside of work she enjoys yoga, world cinema and listening to fiction podcasts.