Helping schools with data protection compliance

For many years, schools have been required to be compliant with data protection laws. Many of us that work with schools are all too aware of the difficulties they face in achieving compliance. Here at the South West Grid for Learning and the UK Safer Internet Centre (SIC), we know that schools work to achieve compliance through a variety of means. Some rely on local authority staff, or the Information Commissioners' Office for support, advice and training. What is clear is that practice remains inconsistent and that data breaches are occurring.
 
Date 2016-03-30 Author UK Safer Internet Centre Section awareness
Evidence suggests that breaches occur largely as a result of weak systems, processes or procedures in the school. In many cases, the breaches that occurred could have been avoided had schools more fully understood their obligations, had more rigorously embedded policies and had clearer information about how to protect their data. Headteachers have a complex role and have often progressed from being a teacher through leadership structures into becoming a Headteacher often with minimal support, especially in data protection. Teachers (and other professionals) are not, nor should they be expected to be, specialists in recruitment, finance, law or data protection. If a pupil needs support, the school will look to educational psychologists or lawyers in the event of a legal challenge. But, in the case of data protection, there's neither consistency nor clarity for where schools should look to for advice.
 
It's made rather more complicated when you begin to consider the move towards cloud computing. Schools have been migrating data away from school servers or computers for many years now. The low (or zero) cost of cloud storage services such as Google Drive or Dropbox make these an attractive proposition. But without clear guidance, policy and advice, schools may, unwittingly, be putting data at risk. This isn't just pupil data, but staff data too. Basic errors can have significant consequences for users and the added complexity of the withdrawal of Safe Harbor further puts cloud storage at risk.
 
What all of this leads to is a rather confusing, complicated and risky area for schools. It's certainly the case that no school wants to intentionally place data in a vulnerable place, or put their pupils or staff wellbeing at risk. But the reality is that, for good intentioned reasons, this is happening all too regularly.
 
This is where the South West Grid for Learning (SWGfL) comes in. As part of our work as the lead partner in the UK Safer Internet Centre we have offered a self-review toolkit, 360 degree safe. Now in its seventh year, the popularity of this tool has grown with nearly 31 per cent of UK schools using it to review eSafety policy and practice. Building on this highly successful tool, SWGfL is proud to announce the launch of a new tool, 360data.
 
The tool will guide you step by step through the journey to data compliance and beyond while supporting you in assessing your current data protection posture through a maturity model. Schools are given 16 ‘aspects' of data protection to review, using a 5 to 1 scale (5 nothing in place, 1 aspirational practice). By using a ‘best-fit' approach, schools can select how advanced they are in each aspect. The tool will automatically suggest next steps for improvement, provides sources of good-practice guidance and includes legally-produced template documents for policies and usage.
 
Over time, 360data will become a living, breathing development plan that maps your strategy towards the safe and responsible use of information and data.
 
Usage of the tool is not limited to schools however. While written with schools in mind, the language of the toolkit does not exclude business from using it either. For small businesses, data protection can be far down the list of priorities. 360data aims to make this accessible, manageable and achievable.
 
It is expected that 2018 will see a significant shift in the European Data Protection legislation which will place further demands upon businesses (including schools) to appropriately process data about their data subjects. The tool has already been written in such a way as to pave the way for compliance with the as yet unknown legislation. Once enacted, the new legislation will be incorporated into the tool.
 
If you'd like to make Data Protection a central part of your school or organisation, then visit www.360data.org.uk and take our free 30-second quiz.
 
Read more about the UK Safer Internet Centre.

Related news