In June 2014, Curledge Street Academy in Paignton, Devon, leaked private details of 200 school children. It was apparently an ‘administrative error,’ whereby the personal details of the students, including their date of birth, education needs and behavioural issues were e-mailed to the parents of the school.
The school sent out a letter of apology a few days later asking for parents to delete the attachment but to their horror, discovered that some parents had already published some of the confidential information onto social networking sites. This lead to the Information Commissioner’s Office carrying out an investigation into a breach of the Data Protection Act 1998 (DPA) by the school.
Data breaches such as this highlight the extent to which the importance of keeping confidential information safe is underestimated, as well as the serious consequences of data being leaked. This is especially true for schools when protecting the data of their pupils. Unfortunately, the incident at the Curledge Street Academy wasn’t a standalone event. The media has been inundated recently with similar stories of schools acting in a negligent way when it comes to storing confidential information.
New technologies developed for schools have helped revolutionise teaching throughout the past few years. Gone are the days of a handful of PCs and the occasional interactive whiteboard. Today, schools are using new technologies to provide students and staff with more interactive ways of learning through better connectivity, collaborative working and unlimited access to online resources and tools.
As technology is becoming increasingly more prominent in schools, administrators are under pressure to store more data than ever before. Moreover, there are growing demands to ensure data is secure and treated appropriately by technology vendors. This is a major concern for parents and administrators which should be taken seriously.
In recent years, IT has become more consumer focused, resulting in more consumer-oriented devices being used in schools. In addition, the rise of BYOD within the education sector is becoming a growing concern. Whilst providing flexible working for teachers and students is important, it presents further security complications if not handled correctly as these devices may not be encrypted and may have minimal data protection.
To guarantee the security of data, schools must ensure that they understand their legal obligations in terms of guaranteeing that pupil data is protected. The DPA attempts to ensure that if confidential information is improperly shared or not adequately protected, it will result in legal action. The DPA is enforced by the Information Commissioner’s Office (ICO).
The ICO has range of powers to enforce breaches of the 7th principle of the Data Protection Act, which is: “You must have appropriate security to prevent the personal data you hold being accidentally or deliberately compromised”. The ICO’s enforcement powers range from publicly published undertakings, to monetary fines (up to £500,000) or even criminal prosecutions. However, many schools are not fully aware of this legislation or believe that it does not apply to them.
Data leaks within the education sector are nothing new. In 2011, the University of York faced an investigation and a full review of its security systems after the personal data, including addresses and mobile numbers, of 148 students were made openly available on the university’s website. Leaks such as these continue to occur as evidenced by the number of undertakings released by the ICO.
It’s also essential that institutions fully understand the terms of their service agreements with IT service suppliers to ensure that their data collection, use and disclosure practices are in line with regulations. Being aware of how an IT service provider will store and use confidential data is important for schools as this information should not be used for marketing purposes. If a service provider scans emails or data stored in the cloud for any other reason than to provide the service, then it may result in a breach of the Data Protection Act.
Another way to increase a school’s data security is to simply educate staff, students and parents on appropriate activity. By creating respect for teacher and student privacy and providing staff with appropriate training, it will enable them to understand their role in protecting student privacy. As well as this, staff should only be given access to information they need to do their job and must not be able to share passwords.
Passwords strength should also be enforced along with a policy of ensuring that all data that leaves school premises does so in an encrypted format. Some online backup services for example, encrypt data before it leaves school devices using an encryption key known only to the school. As a result, the data protected using this service can only be decrypted by the school, ensuring complete security. Using services such as these helps ensure that confidential information is not leaked.
Schools are now storing more information than ever before. However, due to the sensitive nature of the information stored, including students’ health records and educational needs, security needs to be top-of-mind for every school and organisation. Utilising appropriate IT services as well as applying security best practice, is essential in order to achieve this.