May 25 has come and made its mark on education regulation. The new General Data Protection Regulation (GDPR) is now in force and – similar to the passing of the millennium – life goes on. Steve Forbes, security, compliance and online safety specialist at RM Education, considers life post-GDPR implementation
After years of anticipation, and months of planning by companies and organisations of all sizes, the new General Data Protection Regulation (GDPR) legislation is now in force. By now, you should be quietly confident that policies and procedures are in place to sufficiently protect your school data.
However, GDPR is an ongoing process and to make sure your school stays compliant you must stay responsive. Below are key points on how to stay on top of GDPR policies and what should happen if a data breach occurs in school.
Primarily, you need to educate all your staff. A good place to start is for senior management or your data protection officer (DPO) to educate teams on the importance of data protection and how the law translates to each individual department. If your users don’t understand the impact of not following processes, or how to use the technology or policies you have implemented for GDPR then any investment is wasted. As with most training and procedures, a little common sense is required, and data privacy should never jeopardise student safeguarding.
Ensure your staff know where your processes are stored. It is also best practice to have an incident response plan, this ensures that if you do have a serious data breach you have a plan that you can quickly put into action and reduce the amount of time to respond to the breach. Part of the incident response plan should be to have a pre-prepared statement that the school can use if they get questions from parents or the media about the data breach – this removes the need for your staff to think on their feet at what could be a stressful time.
Your DPO is under obligation to maintain a breach register where all breaches, no matter how trivial, are recorded and monitored. Therefore, should the unanticipated occur, it is a good idea to ensure all staff members know to inform your DPO. Under GDPR you will have an obligation to report a serious data breach within 72 hours. It is important to note, from a time perspective, because a lengthy form and process are involved when reporting a breach to ICO, with information that needs to be gathered from all individuals involved.
GDPR doesn’t mention specific technologies to help you secure your data, it is technology agnostic because technology changes so fast, however there are tools available to turn all this information into easily understandable and actionable insights. What GDPR does state is that you must have appropriate security based on the type of data and the risk to that data. Remember when any new technology is introduced, your DPO must review and sign off the Data Privacy Impact Assessment which considers any risks associated with implementing the new technology.
Mitigating data risk in school
Fortunately, in schools, we don’t often have the threat of a malicious insider trying to steal confidential company information for commercial gain, and most data breaches in education come from human error. The points below examine some of the key issues and how a school can mitigate against a potential data breach risk.
Data sent to the wrong recipient by email
Below are a few steps you can follow to make email communications less prone to accidental breach:
- Turn off autofill in your e-mail: many of the mistakes come from programs such as Outlook or Gmail automatically filling the address field with the most commonly or last used email addresses. Whilst it can be a handy feature, it is also a risk and so turning it off will help to mitigate that risk.
- Enable BCC by default: most client emails don’t have BCC available by default, so if the user doesn’t know how to activate it they may be tempted to put all the email addresses in the CC field. This means that every recipient of that email can see the other recipients. This could be an issue if the subject of the email is sensitive, for example, if you were emailing all parents whose children receive pupil premium funding or have attendance issues.
- Mail encryption: this may prevent email messages being intercepted and read whilst in transit to the recipients. This is good practice where you are sending potentially sensitive data via email.
- Data labelling: you can use the advanced functionality in Office 365 and now G Suite to label your documents and emails with a sensitivity label. This prompts the user to think about what they do with those documents or emails. You can also prevent documents or emails with certain labels from leaving your organisation. You can also prevent the document from being copied or printed – this stops sensitive data from being left on printers for unauthorised people to find and read.
Loss/theft of paperwork or devices
You should challenge the necessity to have paperwork leave secure areas within the school when digital forms of data are far easier to secure and are more portable. Devices that leave the school should have more security than devices that stay within the school gates and should only be accessed by those authorised.
Again, encryption is one of the easiest ways of doing this – encryption technology such as BitLocker on Microsoft devices can ensure that should the device be lost or stolen it would be extremely unlikely that anyone could access the data on the device.
If you allow your users to access school data from their own device then you may want to consider additional controls, so data can’t be downloaded directly onto the devices. Office 365 and G suite allows users to access the data they need from any device but ensure that the data remains within the cloud ecosystem and never resides locally on the device. Realistically, schools should carefully consider how their users access data from devices that they do not have any control over. Do you want data on devices that may not have the latest security patches, have any anti-virus solution or outsiders have access to?
Insecure disposal of paperwork or devices
You must ensure that any confidential paperwork that you dispose of is done so in a secure way, either by use of a cross shredder or a secure disposal service. Any devices or computer equipment should be disposed of using an approved supplier and you should get certification to demonstrate that the equipment has been disposed of securely.
What should happen if privacy and data security is breached?
The main issues to consider in a data breach process are:
- Identify who is at risk
- What the risk is
- What data is at risk
You can then make the decision as to whether the breach is likely to result in a ‘risk to the rights and freedoms of individuals’ and serious enough for your DPO to report to the Information Commissioner’s Office (ICO) and the individuals themselves. The key question to ask is what impact the data breach will have on the individuals and your school – if it is likely to have an adverse effect and impact negatively then it should be reported without due course.
There has been a lot of media and noise about the increase in fines under GDPR and we are likely to see an increased focus on the data protection practices in education establishments given the sensitive information that they are responsible for. We are already starting to see an increase in breaches that are reported, just recently the University of Greenwich was fined £120,000 for a serious data breach whereby the personal data of 19,500 students was placed online. This media interest could be the prompt for schools that have made little changes in their data protection practices to realise that the GDPR is to be taken seriously.
New regulations and policies can be difficult for schools to adapt and comply with, however, GDPR was not designed to confuse and alarm schools. It was aimed at bringing businesses into line with the digital era and ensure large amounts of data are stored in a more transparent way.
You will probably need to accept that it is going to take time to change your school’s entire culture around data, it is an ongoing journey for all organisations. When you have instilled that culture, you will be fully meeting the new regulations, but like safeguarding, GDPR requires continued training, awareness and communication to maintain compliance.