What's all the fuss about data protection in schools?

  • Awareness
  • 29/06/2017
  • UK Safer Internet Centre

Andrew Williams, Information Security and Online Safety Consultant for SWGfL (South West Grid for Learning, partner in the UK Safer Internet Centre (SIC)), shares some perspectives on data protection in schools.

In tackling cyber-risk, resilience is a key word.

Many of you may recall the recent WannaCry attack which affected many organisations across the globe, including the National Health Service (NHS) in the UK. And while the NHS recovered, for a period, services were seriously impacted. Imagine if this happened to your school.

Data is at the centre of our world, we rely on technology and internet connections to deliver services and information. If something goes wrong, how long will it take you to resolve the issue?

What are the threats?

Broadly speaking, threats fall under one of these categories:

  • Non-malicious – user error, being careless or poor training.
  • Malicious – a wide range of threats… fraud, sabotage, cyber-crime, phishing, and so on.
  • Natural threats – earthquakes, floods, fire, and so on.
  • Man-made threats – civil disorder, wars, terrorist attacks.
  • Technology-specific vulnerabilities – software, hardware, networking equipment.

In the case of the WannaCry attack, the software (Windows XP) had a security "flaw" (vulnerability) which the attack exploited to gain access to the system and encrypt users' data.

General Data Protection Regulation (GDPR)

By May 2018 the UK (and the rest of the EU) will have stricter new data protection regulations which will apply to schools, so it's vital that schools have robust data protection procedures in place.

What can I do about it?

All schools have a variety of technology, policies, infrastructure and contractual relationships to help secure their data. You may have disaster recovery plans, but these can overlook your data and may never have been tested. If your system goes down and you discover a problem with your back-up, you have no way of accessing your school's core information. That's a big deal.

However, there are some things everyone can do to improve data protection.

  • Training
    A 2016 report by SWGfL and Plymouth University showed that schools recorded staff training as a consistently weak area of online safety. Your staff have access to some of the most sensitive data about children and need regular training to re-enforce the importance of good data protection procedures.
  • Auditing
    Make sure you know where your data is stored. Ask your staff if they know. If you know what data goes where, then you can begin to control the threats.
  • A clear data protection policy
    Staff need to know what their obligations are and how to perform them. This can be invaluable in securely protecting your data. Ask yourself these questions:
    • Do we have a data protection policy?
    • When was it last reviewed?
    • Have all staff been trained on it?
    • Have all staff read it?
  • Involve your governors
    Governors can be a great source of support and expertise. Not only that, but as part of the senior leadership team, they too have a responsibility for school data.
  • Technological solutions
    Things like passwords, anti-virus/malware protection, monitoring of hacking attempts, asset management and encryption are vital.
    Make sure you have a good technology partner that is supportive and responsive. If you don't, perhaps you need to rethink how much budget goes towards this.
  • Get back-up
    The importance of a carefully considered back-up routine cannot be over-emphasised.
  • Incident management
    Developing an incident management plan and a response process can avoid a lot of stress and headaches. Make sure this includes data loss scenarios.
  • Cyber-risk insurance
    Check your cyber risk insurance policy works for you. Check the policy provides sufficient cover to meet your requirements. Using a large, reputable firm is a good idea.

Moving on

It's only really possible to scratch the surface of a topic as broad and complicated as data protection here.

Developing an action plan is a good first step towards protecting your school from a costly cyber-attack. To help, SWGfL has developed 360Data - a new tool to help schools and SMEs review their data protection and information security.

Find out more about the work of the UK Safer Internet Centre, including its awareness raising, helpline, hotline and youth participation services.

Alternatively, find the contact details for your national Safer Internet Centre here.

Related news

Roundtable meets to discuss the GDPR

On Friday, 23 June 2017, legislators, Data Protection Authorities (DPAs), industry, education stakeholders and civil society representatives from across Europe met in Brussels, Belgium, to discuss the General Data Protection Regulation (GDPR) with a particular focus on its implications for children's rights.

Raising awareness of data protection

Data Protection Day (or Data Privacy Day, as it is known outside of Europe) is a global, annual celebration marking the anniversary of the signing of the Council of Europe's Convention 108, the first legally binding international treaty dealing with privacy and data protection, on 28 January 1981. In line with this, in April 2006, the Committee of Ministers of the Council of Europe launched Data Protection Day, celebrated ever since on 28 January.

The European Handbook for Teaching Privacy and Data Protection at Schools

  • Research
  • 11/08/2016
  • Vrije Universiteit Brussel (VUB)

Under the framework of the ARCADES research project, for the past 18 months, three European data protection authorities (DPAs) – from Poland, Hungary and Slovenia – as well as the Research Group on Law, Science, Technology & Society (LSTS) at the Vrije Universiteit Brussel (VUB) have looked for best practices in teaching privacy and personal data protection at schools.

Focus on data protection

The fifth edition of the Better Internet for Kids (BIK) bulletin has now been published with a focus on the new General Data Protection Regulation (GDPR) and, specifically, whether it will help to create a better internet for children and young people. We have some great opinion pieces on the topic from a range of experts.

Debating data protection with Danish adolescents

  • Awareness
  • 30/03/2016
  • Danish Safer Internet Centre

Your digital footprints often seem to be invisible, but what are you really agreeing to when confirming ‘Terms & Conditions' in an app? With the newly proposed General Data Protection Regulation (GDPR), it is as relevant as ever to put the spotlight on the data protection and the digital identity of youth.

Data protection and ethics: bridging the gap in the data-driven world

Considering that the data driven economy is growing fast and so are its adjacent challenges, the General Data Protection Regulation (GDPR) has been placed in the spotlight especially after new EU rules on data protection aim to put the citizen back in the driving seat, according to the European Parliament's press release in December 2015.