Our sponsor SchoolPro TLC provides guidance for schools and MATs following the recent infringements by a primary school of Articles 5(1)(f), 24(1) and 32 of the UK GDPR.
The unfortunate data breach has emphasised the importance of robust Data Protection practices in schools, colleges and MATs.
The Information Commissioner's Office (ICO) publicly reprimanded Parkside Community Primary School for infringements of the UK General Data Protection Regulation (UK GDPR).
Whilst this is clearly a concern for the school and data subjects involved, it also provides a valuable opportunity for all schools to reassess their Data Protection strategies.
The incident involved the inappropriate disclosure of personal and special category data in a classroom setting, affecting four data subjects, three of them children. According to the published reprimand, the key contributing factors to the breach were insufficient Data Protection policies, inadequate guidance on email security, and the absence of explicit procedures for the use of a case management system.
SchoolPro TLC delve here into the key lessons to be learned from this unfortunate event, and provide a checklist to ensure that you are adequately protecting the personal data of your pupils and staff.
Lessons to Learn
The reprimand presents several key lessons that could apply to other schools in the UK:
1. Ensure Adequate Data Protection Policies
The reprimand highlighted that the school lacked detailed Data Protection policies, specifically on the safe handling of personal data over emails and the usage of a specific case management system.
Policies should clearly outline the procedures for maintaining data security and confidentiality, especially when it involves sensitive or special category data.
Schools should have policies specific to the high-risk software and platforms they use, created in conjunction with risk assessments or Data Protection Impact Assessments (DPIAs).
2. Provide Clear Procedures and Guidance
The lack of written guidance for employees was a significant issue.
Clear instructions need to be in place for using security and confidentiality classifications on emails, and for the usage of any case management system or software.
Guidelines regarding when and where to open sensitive emails, and how to operate electronic devices securely (like electronic whiteboards), should also be clearly provided.
3. Staff Training
Regular and thorough training for staff is necessary to ensure compliance with Data Protection regulations.
This should include training on the operation of specific software or systems, data breach reporting procedures, operation of electronic devices, and general Data Protection principles.
4. Incident Reporting Mechanisms
In this case, staff failed to report the data breach internally.
An effective incident reporting mechanism should be in place, and staff should be well aware of the process to follow if a data breach is suspected or has occurred.
5. Sensitive Data Handling
Emails or alerts containing sensitive information should be appropriately labelled and only accessed under safe conditions (e.g., not in the presence of children or during teaching hours).
Controls should be in place on who can access highly sensitive information and when.
6. Policy Enforcement and Review
All staff and stakeholders should be familiar with the school's Data Protection policies.
Policies should be reviewed and updated regularly, especially in response to incidents, and staff should be required to affirm their understanding and acceptance of these policies.
7. Testing and Audit of New Processes
Any new processes or procedures introduced in response to a data breach should be tested to ensure they are effective and embedded within the organisation.
Action Plan / Checklist
Taking those lessons into consideration, what key actions can a school, college or MAT take to reduce their data breach risk and improve practice?
Policies and Procedures
Review your Data Protection policies and procedures, ensuring they cover all aspects of data handling, including specific written guidelines for using software and systems that process sensitive data.
Training and Awareness
Develop a regular training schedule on Data Protection for all staff.
Emphasise what constitutes a data breach, the importance of reporting breaches promptly, and the consequences of failing to do so.
As a guide, staff should receive Data Protection training as part of their induction to the organisation, and refresher training should be completed at least biennially, if not more frequently.
Annual refresher training would be best practice.
Implement security measures for emails that contain sensitive data, such as security classifications or labels. Provide clear guidelines on when and where such emails can be safely opened.
Where possible, use alternative methods of communicating sensitive data such as access-controlled, secure, shared folders, or internal secure data transfer systems if available to your school.
Software and System Security
Review the security measures for all software and systems that process sensitive data.
Ensure staff are trained to use these systems securely, including the use of strong passwords and multi-factor authentication.
Also include procedures, guidance and training for any systems that could be used to view sensitive data, such as electronic whiteboards and screen-sharing from staff members' electronic devices.
Monitoring and Review
Regularly monitor and review your Data Protection measures to ensure their effectiveness and make improvements where necessary.
By following this checklist along with your existing practices, and continually investing in data protection, you can better protect the personal data of your pupils and staff, and ensure compliance with the UK GDPR.
The incident highlighted by this ICO reprimand serves as a stark reminder of the potential repercussions of insufficient Data Protection, and the importance of making it a priority in your school, college or MAT.
Stay safe and healthy.
Report by the SchoolPro TLC Team
SchoolPro TLC is led by a committed team of former school and education leaders and Governors with over 60 years' combined experience across all stages of education and in a variety of contexts, who have worked to improve educational provision.