Back to School for GDPR
Whilst the pupils were on summer break, you can be certain that schools will not have taken much of a holiday when it comes to their GDPR, data protection and privacy issues. GDPR for education establishments, even more so for those with minors, has delivered a huge, (generally unwelcome), extra workload. Those in the state school sector already face pressures from ever tighter school budgets, more diverse pupil requirements, and, frequently, ageing or outdated IT equipment. These issues, coupled with typically paper-based systems still in place, don’t make their task any easier.
In 2015 sixty-six schools in the UK reported data breaches – without consequence. Now that 25th May has passed, this is a different story, with the ICO levying fines where they feel appropriate. Whilst they may not yet have been fined, in the past month or so there is quite a list of schools that feature on the Information Commisionner’s list. These include a Rochester school has reported losing an unencrypted USB stick with pupil data on – mercifully handed back in by a member of the public, but we are yet to find out if any of the data was exposed. A Scarborough sixth form college reported an email breach, whilst a college in Northern Ireland reported that employee data had been compromised in a cyber attack; additionally, a school in Suffolk that mistakenly sent an email intended for teachers, containing sensitive pupil information, including safeguarding lists, details of behavioural and health issues, to parents. Finally, a school in Dorset had an issue where an internal email was sent (allegedly by a teacher) to Yr 13 pupils, containing sensitive data about Y12 pupils.
And it isn’t just the schools themselves. Just in time for the end of term, Capita, which supplies a IT management system, SIMS, to 21,000 UK schools reported a ‘bug’ in the system, recognised in December 2017, that mixed up pupil and parent contact details. It’s reported that it may have impacted pre-admissions, pupils on roll and the records of school leavers – definitely a headache that Headteachers could do without. It will be interesting to see what happens with these cases and whether the ICO will show any leniency.
Changing face of schools
Education establishments can, of course, also benefit from GDPR. Enhanced data processing, improved data security, less cost of data storage, increased efficiency as a result of up to date, accurate data – these benefits don’t just apply to big business. With ever more schools becoming Academies, and being freed from local authority control, they must run like a business – with efficiency at the top of the list, and GDPR helping to achieve that.
And as parents are ever more engaged in their children’s education – it is not just the fee-paying parents demanding a return on their investment and that schools step up to the mark in all areas – parents seeking the good schools are paying huge premiums to move into the catchment areas of the ‘best’ ones for the same reasons.
In our increasingly litigious society, besides the threat of an ICO fine, schools really cannot afford to put a foot wrong with GDPR and data privacy.
We have helped several school clients with their data protection and information governance efforts – for more information about how we can help you, contact us for a free consultation.