Evidence suggests that breaches occur largely as a result of weak systems, processes or procedures in the school. In many cases, the breaches that occurred could have been avoided had schools more fully understood their obligations, had more rigorously embedded policies and had clearer information about how to protect their data. Headteachers have a complex role and have often progressed from being a teacher through leadership structures into becoming a Headteacher often with minimal support, especially in data protection. Teachers (and other professionals) are not, nor should they be expected to be, specialists in recruitment, finance, law or data protection. If a pupil needs support, the school will look to educational psychologists or lawyers in the event of a legal challenge. But, in the case of data protection, there's neither consistency nor clarity for where schools should look to for advice.
It's made rather more complicated when you begin to consider the move towards cloud computing. Schools have been migrating data away from school servers or computers for many years now. The low (or zero) cost of cloud storage services such as Google Drive or Dropbox make these an attractive proposition. But without clear guidance, policy and advice, schools may, unwittingly, be putting data at risk. This isn't just pupil data, but staff data too. Basic errors can have significant consequences for users and the added complexity of the withdrawal of Safe Harbor further puts cloud storage at risk.
What all of this leads to is a rather confusing, complicated and risky area for schools. It's certainly the case that no school wants to intentionally place data in a vulnerable place, or put their pupils or staff wellbeing at risk. But the reality is that, for good intentioned reasons, this is happening all too regularly.
This is where the South West Grid for Learning (SWGfL) comes in. As part of our work as the lead partner in the UK Safer Internet Centre we have offered a self-review toolkit,
360 degree safe. Now in its seventh year, the popularity of this tool has grown with nearly 31 per cent of UK schools using it to review eSafety policy and practice. Building on this highly successful tool, SWGfL is proud to announce the launch of a new tool,
360data.
The tool will guide you step by step through the journey to data compliance and beyond while supporting you in assessing your current data protection posture through a maturity model. Schools are given 16 ‘aspects' of data protection to review, using a 5 to 1 scale (5 nothing in place, 1 aspirational practice). By using a ‘best-fit' approach, schools can select how advanced they are in each aspect. The tool will automatically suggest next steps for improvement, provides sources of good-practice guidance and includes legally-produced template documents for policies and usage.
Over time, 360data will become a living, breathing development plan that maps your strategy towards the safe and responsible use of information and data.
Usage of the tool is not limited to schools however. While written with schools in mind, the language of the toolkit does not exclude business from using it either. For small businesses, data protection can be far down the list of priorities. 360data aims to make this accessible, manageable and achievable.
It is expected that 2018 will see a significant shift in the
European Data Protection legislation which will place further demands upon businesses (including schools) to appropriately process data about their data subjects. The tool has already been written in such a way as to pave the way for compliance with the as yet unknown legislation. Once enacted, the new legislation will be incorporated into the tool.
If you'd like to make Data Protection a central part of your school or organisation, then visit
www.360data.org.uk and take our free 30-second quiz.