Schools collect and store an abundance of data – everything from exam results and the personal information of students and staff, to sensitive financial information – and it is your legal obligation to ensure that this information is protected. For October's issue of Education Executive, we caught up with some security experts to talk GDPR compliance and cyber-security.
In recent years the amount of data held by schools has grown, the ways it is collected and stored have become more sophisticated, and its uses have become more diverse. The use of technology to support teaching, learning and management has expanded rapidly too: the internet of things (IoT) is well established, and the school community works more collaboratively, connected to the internet (and the cloud) from more devices, many of them mobile. Every one of those devices and connections widens the attack surface that an attacker can exploit.
It is no coincidence that regulation has been catching up with technology: in May this year the General Data Protection Regulation (GDPR) came into force and the Data Protection Act (DPA) 1998 was replaced by the Data Protection Act 2018, which applies and supplements the GDPR in the UK. Adjusting to stricter regulation has required schools to take a managed approach to protecting systems and data from breaches and unlawful tampering.
Documented: procedures and policies
In the lead-up to the introduction of GDPR you will have put robust data protection procedures and policies in place; but are they correctly documented? Documentation is a new requirement under GDPR: Article 30 requires you to maintain a record of your processing activities, covering the purposes of processing, the categories of data and of the people it relates to, who it is shared with, how long it is retained and, in general terms, how it is secured. According to a recent NW Security Group survey, however, 70% of the education professionals who responded believe they couldn't evidence their policies and procedures if they fell victim to a data breach.
“Even with the correct policies in place, if there isn’t documentation to back them up you can be deemed non-compliant – risking reputational damage and fines,” Nigel Peers, security and risk management consultant at NW Security Group, warns. The Information Commissioner’s Office (ICO) has outlined best practice in the documentation of processing activities.
The weakest link: eliminate it
What is a data breach? According to the ICO, it is a breach of security leading to the 'accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data'. External cyber-attacks are a major concern, but there are many mundane ways a breach can occur internally, for example when personally identifiable information (PII) ends up somewhere it shouldn't: an overheard phone call, an email sent to the wrong recipient, a visitor sign-in sheet left open on the reception desk, or hard copies of students' allergies or dietary requirements kept somewhere accessible but unsecured. Note that the definition covers loss and destruction as well as disclosure, so a lost laptop, or a ransomware infection that makes pupil records unavailable, is a breach too.
"The GDPR doesn't require that actions critical to a job don't take place, only that the procedures surrounding that activity are thought about with data protection in mind and executed securely," Nigel explains. Keep data protection in mind, and ask, 'Has a laptop been left in a car?' or, 'Is that USB stick encrypted?' The answers matter: a lost device whose storage is encrypted, and whose key the finder does not have, presents far less risk to the people whose data is on it than an unencrypted one, and the GDPR takes that into account when deciding whether those people must be told about the loss.
Investing in your first line of defence: staff
Your staff should be your first line of defence, Nigel advises; if they can't correctly identify a breach, or the threat of one, then the likelihood of achieving GDPR compliance drops and the chance of a breach increases. Staff must understand the regulation and the policies and procedures in place, as well as the risks attached to non-compliance, both for the school and for themselves in terms of disciplinary action.
Training is essential and should be specific to your school: staff should be able to relate to the policies in place and be willing and able to comply. Training should be documented, and the best way to do this, Dai Durbridge, partner and education specialist at Browne Jacobson LLP, recommends, is to have staff complete a test to check and demonstrate their knowledge after any training undertaken. He also notes the importance of keeping staff up to speed with everything that is going on; a regular review process is good practice. Students should also be aware of the rules on data protection and e-safety.
Cyber-security: safer systems
The public sector is not exempt from cyber-attacks. Last year's WannaCry ransomware outbreak disrupted dozens of NHS trusts, and phishing scams have targeted the education sector. WannaCry spread through a Windows file-sharing (SMBv1) vulnerability for which Microsoft had published a patch two months earlier, so the lesson is as much about keeping existing systems patched as about buying new ones; the need for regular review of security systems is clear.
IP-connected devices, such as internet-connected tablets, are commonplace in education, and the British Security Industry Association has warned that precautions need to be taken to protect against hackers gaining access to an organisation's wider computer network through these devices. A practical precaution is to keep such devices on their own network segment, so that a compromised device cannot reach the servers holding pupil and staff records. "Protecting data from breaches is becoming increasingly challenging, but innovations in technology and following best practice can help organisations to protect against, or detect, a data breach and mitigate the damage should one occur," Ryan Wilk, vice president at NuData Security, says.
The responsibility, then, lies not only with the manufacturer to ensure device security; you too must show caution, for example by changing default credentials and updating firmware, the software pre-installed on a device. Again, staff have a role to play in this: they need to be security conscious. Password hygiene is one simple control. Passwords should be unpredictable and different for every account; the National Cyber Security Centre's guidance favours long passphrases (three random words, say) and a password manager over forced mixes of symbols, capitals and numbers, and advises against routine forced expiry, which pushes people into predictable variations of the same password. Change a password promptly when you suspect it has been compromised, and where a service supports two-factor authentication, switch it on.
Keeping operating systems, applications and security software patched on all devices will also boost cyber-security. One innovative way of securing accounts, Ryan suggests, is to implement intelligent ways of authenticating users so that PII alone is not enough to access an account, such as behavioural-based authentication methods which analyse human characteristics. These methods, based on patterns of behaviour such as typing rhythm or voice, are proving to be extremely efficient in tackling this threat and keeping users' accounts safe, he says.
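To make the typing-rhythm idea concrete, here is a small worked example added for this article; it is not code from NuData or any vendor, and real products use far more data and more sophisticated models. It uses constructed keystroke timings (not real captures) for a fixed passphrase, builds a profile from five enrolment samples using the mean and spread of each key's hold time and the gap between keys, and scores a new attempt by how many standard deviations it sits from that profile (a scaled Manhattan distance). The passphrase length, the timings, the 2.0 threshold and the 1 ms variance floor are all assumptions chosen for illustration.

```python
"""Keystroke-dynamics check: an illustrative example of behavioural authentication.

Constructed data throughout; nothing here is a real measurement.
"""
from statistics import mean, pstdev

# A sample is a list of (keydown_ms, keyup_ms) pairs, one per key of a fixed
# passphrase, with timestamps in milliseconds since the first keydown.


def make_sample(holds, flights):
    """Build absolute (keydown, keyup) timestamps from hold and flight times.

    holds[i]   = how long key i was held down (ms)
    flights[i] = gap between releasing key i and pressing key i+1 (ms)
    """
    sample, t = [], 0
    for i, hold in enumerate(holds):
        sample.append((t, t + hold))
        t += hold
        if i < len(flights):
            t += flights[i]
    return sample


# Assumed "typical" rhythm for our genuine user on a six-key passphrase.
BASE_HOLD = [90, 110, 85, 120, 95, 100]
BASE_FLIGHT = [150, 200, 130, 180, 160]

# Five enrolment samples: the base rhythm with a deterministic wobble so that
# every feature has a non-zero spread (constructed, not captured).
ENROLMENT = [
    make_sample([h + j * (-1) ** i for i, h in enumerate(BASE_HOLD)],
                [f + j * (-1) ** i for i, f in enumerate(BASE_FLIGHT)])
    for j in (-8, -4, 0, 4, 8)
]
# The genuine user, slightly off their usual rhythm.
GENUINE_PROBE = make_sample([h + 3 for h in BASE_HOLD], [f - 5 for f in BASE_FLIGHT])
# Someone who knows the passphrase but types it much more slowly.
IMPOSTER_PROBE = make_sample([h + 40 for h in BASE_HOLD], [f + 120 for f in BASE_FLIGHT])


def features(sample):
    """Hold time per key followed by flight time between consecutive keys."""
    holds = [up - down for down, up in sample]
    flights = [sample[i + 1][0] - sample[i][1] for i in range(len(sample) - 1)]
    return holds + flights


def enrol(samples, min_std=1.0):
    """Per-feature mean and population standard deviation across samples.

    The spread is floored at min_std ms so a feature that happened to be
    identical in every enrolment sample cannot divide by zero or dominate.
    """
    columns = list(zip(*(features(s) for s in samples)))
    return {
        "mean": [mean(c) for c in columns],
        "std": [max(pstdev(c), min_std) for c in columns],
    }


def score(profile, sample):
    """Scaled Manhattan distance: mean absolute z-score over all features."""
    f = features(sample)
    return mean(abs(x - m) / s for x, m, s in zip(f, profile["mean"], profile["std"]))


def verify(profile, sample, threshold=2.0):
    """True if the attempt is within `threshold` standard deviations on average."""
    return score(profile, sample) <= threshold


if __name__ == "__main__":
    profile = enrol(ENROLMENT)
    for name, probe in (("genuine", GENUINE_PROBE), ("imposter", IMPOSTER_PROBE)):
        print(f"{name}: score={score(profile, probe):.2f} accepted={verify(profile, probe)}")
```

In practice a check like this sits alongside the password rather than replacing it, the threshold is tuned on real enrolment data to balance locking out genuine users against admitting imposters, and the stored profile is itself personal data that needs protecting.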
As the digital revolution continues, schools will need to focus more on effective security systems and be able to demonstrate a structured approach to managing risk. How security-conscious is your school?