How to take control of school data

Data protection legislation comes into force next year through the General Data Protection Regulation (GDPR)

Posted by Alice Savage | June 04, 2017 | Technology

• #data-protection
• #gdpr
• #adrian-brown
• #law
• #technology

Adrian Brown, Director at My School Portal, looks at the implications for schools... 

A new chapter in data management and compliance looms large

With the growth of the internet and the amount of digital data created by schools there has been a tendency to use the school website as a repository for anything and everything. At one time, teacher contact details, the parent directory, school newsletters and upcoming parent announcements would have been hosted within the school’s website, and all potentially accessible in the public domain. This now contravenes much of the work that is being done to improve data protection and the safeguarding of children.  The move to more secure dedicated online platforms for parents removes the risk of personal data breaches, some of which occur through human error, or as a result of inaccurate coding, or poor website password control as a single generic password was often used by all to access everything. 

Data protection is without doubt one of the biggest concerns that schools face today. The upcoming enactment of the GDPR in May 2018 means that schools need to prepare for and, where needed, implement changes to their data protection to ensure compliance. 

Be proactive and take control of data and legal obligations

The amount of personal data that schools process is vast and information is typically held across a number of hard and soft copy formats. Data is widespread and includes student and staff records, CCTV images, website photos and information, personal health information, student details on educational apps, exam results and consent forms. The breadth, format, complexity and value of data, as well as its accessibility, means its overall management is of significant importance and a serious management issue for schools.

For many schools, complying with the current data protection laws under the Data Protection Act 1998 (DPA 98) is challenging, even when considering how manual records are filed, securely stored, accessed, transported (if necessary) and destroyed. Although the GDPR contains the same basic principles as the DPA 98, it will bring even more challenges with some fundamental enhancements that schools must apply to ensure compliance.

Consent and fair processing should guide school’s data management principles 

What is important to remember is that data protection law refers to the ‘processing’ of personal data. According to the Information Commissioner’s Office (ICO) ‘Processing’ refers to anything a school does with personal data including collecting, using, analysing, sharing, disposal of and even the holding of data. This is a key issue for schools where data is typically held and processed across various hard and soft copy formats.

The ICO has developed the 12 Steps To Take Now document highlighting the main changes that are coming under the GDPR. One of the changes causing the biggest concern for schools is the stricter rules around consent. Schools need to start thinking now about whether they will need to gather parental or guardian consent for the data processing they carry out. For the first time, the GDPR will bring in special protection for children’s personal data, particularly in the context of commercial internet services such as social networking. Where children are currently signing up for apps in the classroom, or for homework, schools need to think about how consent can be obtained.

We work closely with relevant stakeholders in the legislative and data fields to continually optimise My School Portal for schools; taking their advice on where to add value and ensuring the portal meets or exceeds the needs of current or forthcoming data legislation. One of our main expert contacts in the data protection space is David Taylor, from Data Protection Consultancy, who said: “My advice would be that schools should be gearing up now to have the parent’s explicit consent for all processing in place by May 2018. This is a huge task but consent and fair processing are the cornerstones of the GDPR.”

Another change and key concern is the requirement for schools to be able to delete data. Many schools use systems that currently don’t have the facility to allow the deletion of data. 

Beyond May 2018, schools will need to be more accountable and have measures in place to protect data and also be able to prove that they have done this.

Changes to privacy notices are another area that will see stricter rules. For example, schools need to explain the legal basis for processing data and detail the periods for data retention. Moreover, individuals will have a right to complain to the ICO if they think there is a problem with the way their data is being handled. The information provided needs to be clear and easy to find. Many schools are likely to host this information on their website, but that in itself brings issues where school websites are not secure. 

User-only portals ensure the right people see the right information

By separating the schools prospective parent/public website and moving all sensitive data for groups such as parents and guardians to a more restricted user-only portal ensures the right people see the right information. Schools are now able to set permissions on what information is accessible and to whom.

We have a number of schools currently using our portal and their user feedback demonstrates that they are strong advocates of the safeguards afforded by this type of data platform. Furthermore, we’re pleased that some users are claiming significant improvements in the ease and efficiency of communications between school and parents.

“At St Joseph’s College we take our data protection obligations very seriously,” said Danielle Clarke, Principal of St Joseph’s College. “We also recognise the importance of clear and effective communication between our staff, pupils and parents which is why we made the decision to invest in a parent portal solution. Parents can securely access activity details, reports, attendance records, timetables and exam results all in one place. It has transformed the way we communicate with parents and significantly enhanced how we process personal data within school.”

Act now to mitigate against future breaches

The GDPR will re-shape the way that schools communicate and share data. We will see a further shift in visibility and access to information with some data currently held on open platforms migrating to these secure, privately accessible information portals. There is no doubt that the safeguarding of children is at the forefront of any schools stewardship. Early adopters of secure information sharing platforms are now taking the steps to both meet the obligations of the new GDPR and also de-risk their exposure with regards to future data losses. 

W: myschoolportal.co.uk