Over the last few years there has been a disturbing rise in the number of high-profile information and data-security breaches. Information such as patient records and case files on vulnerable children has been lost, stolen or inadequately protected.
A study by East Anglia and Plymouth Universities surveyed 1,059 schools. The survey revealed that pupil records detailing addresses and routes to school, whether pupils have special needs, are known to social services or even have relatives on the sex offenders register are at risk of exploitation, because nearly half of the schools have no policy for handling personal data. The report also showed that 45% of schools did not meet minimum requirements for password security and 40% had insufficient measures in place to protect their computer systems against problems such as viruses.
Data protection breaches can have serious consequences for a school. In addition to the damage to the school’s reputation from negative publicity, there is a real danger of financial impact. Since April 2010 the Information Commissioner's Office (ICO) has had the authority to fine private and public sector organisations found to have breached the Data Protection Act up to £500,000. So it is essential that school personnel appreciate that they are duty bound to ensure that sensitive data is protected and that appropriate procedures are followed.
What is sensitive or personal information?
Schools hold a lot of information, and much of it would be classed as publicly available. Such information is not sensitive or personal, and its release would not cause the organisation or individuals harm or embarrassment; for example, the number of pupils entitled to free school meals. However, a document identifying which pupils receive free school meals would be classed as personal or sensitive data. This data must be handled and protected in line with the Data Protection Act.
The Data Protection Act 1998 requires all organisations to secure any personal data they hold. This covers data held both electronically and on paper. Personal data is any combination of data items that identifies an individual and gives specific information about them, their families or circumstances. This includes names, contact details, gender, dates of birth, behaviour and assessment records.
The Data Protection Act 1998 specifies additional data items as ‘sensitive personal data’; this includes medical records, criminal convictions and ethnic origin. Every school needs a comprehensive information security policy that details the school’s approach to data protection. The policy must set out the procedures that must be followed in order to ensure that the legal requirements of the Data Protection Act are met in relation to obtaining, handling, processing, storing, transporting and destroying personal data about current, past and prospective pupils, employees, suppliers and any other individuals with whom the school has dealings.
New data protection guidance report for schools 2012
Last September, the Information Commissioner's Office (ICO) produced a report for schools which gives practical advice on how to comply with the Data Protection Act. The report makes recommendations for schools in the following key areas:
- Notification – make sure you notify the ICO accurately of the purposes for which you process personal data.
- Personal data – recognise the need to handle personal information in line with the data protection principles.
- Fair processing – let pupils and staff know what you do with the personal information you record about them. Make sure you restrict access to personal information to those who need it.
- Security – keep confidential information secure when storing it, using it and sharing it with others.
- Disposal – when disposing of records and equipment, make sure personal information cannot be retrieved from them.
- Policies – have clear, practical policies and procedures on information governance for staff and governors to follow, and monitor their operation.
- Subject access requests – recognise, log and monitor subject access requests.
- Data sharing – be sure you are allowed to share information with others and make sure it is kept secure when shared.
- Websites – control access to any restricted area. Make sure you are allowed to publish any personal information (including images) on your website.
- CCTV – inform people what it is used for and review retention periods.
- Photographs – if your school takes photos for publication, mention your intentions in your fair processing/privacy notice.
- Processing by others – recognise when others are processing personal information for you and make sure they do it securely.
- Training – train staff and governors in the basics of information governance; recognise where the law and good practice need to be considered; and know where to turn for further advice.
- Freedom of information – after consultation, notify staff what personal information you would provide about them when answering FOI requests.
You can read the full report here: http://www.ico.org.uk/for_organisations/sector_guides/~/media/documents/library/Data_Protection/Research_and_reports/report_dp_guidance_for_schools.ashx
The ICO's top tips to schools on complying with the Data Protection Act
Register. It is a legal requirement for all schools to be registered with the ICO.
Be fair. A key principle of the Data Protection Act is that individuals should know what organisations are doing with their personal information, known as 'fair processing'. This includes letting parents and pupils know why and where CCTV is being used, and taking care not to disclose personal information, such as publishing images online without consent.
Keep it secure. It is essential that schools keep information secure. This means secure storage, secure usage, secure sharing and secure disposal. Schools must have clear and practical policies, and staff must be trained in the procedures which arise from those policies.
Where to get more help
Prior to its closure, Becta produced a comprehensive set of guidance documentation on information security for schools, including good practice guides to help schools secure sensitive and personal data held on learners, staff and other individuals. This material is still available at: http://webarchive.nationalarchives.gov.uk/20110130111510/http:/schools.becta.org.uk/index.php?section=lv&catcode=ss_lv_mis_im03&rid=14734
The NEN eSafeguarding tool, which covers such areas as roles and responsibilities, acceptable usage policies and information classification marking schemes, is largely derived from the Becta documentation and is an excellent tool for auditing a school’s e-security provision: http://www.nen.gov.uk/esafety/191/e-safeguarding-audit-tool.html
YHGfL (www.yhgfl.net) has produced a set of documents, questionnaires and videos aimed at different audiences (senior leaders, network managers and teachers) which will help schools comply with current legislation: www.yhgfl.net/eSafeguarding/eSecurity/Information-security
Data Protection Update!
As from September 2013, schools must obtain parental consent before collecting biometric data from pupils. Where parental consent is refused, schools must put in place alternative means for accessing the relevant service.
Schools incurred £1.8m in fines from the Information Commissioner for lapses in data security over the last year (08/2011 - 08/2012).
A Hampshire school breached the Data Protection Act after the personal details of nearly 20,000 individuals, including some 7,600 pupils, were put at risk during a hacking attack on its website. An unencrypted laptop containing pupils' names, addresses, exam marks and some limited information relating to their health was stolen from an unlocked office of a school in Barnet. The acting head of enforcement at the ICO said: “The ICO's guidance is clear: all personal information, the loss of which is liable to cause individuals damage and distress, must be encrypted.”