Legal
Data security
The subject of schools and data security has been in the news recently following a number of high-profile incidents. Doug Locke and Andrew Gallie look at what can happen when things go wrong and what schools can do to mitigate the risks.
A school in Oldham was reported to the Information Commissioner (the UK's data protection and privacy regulator) after the theft of a laptop containing unencrypted information from a teacher’s car.
A college in Surrey allegedly emailed private medical details of more than 300 students to an entire year group. According to press reports, the email included information about a student with anorexia and another student with mental health problems. The Information Commissioner has launched an investigation.
Information security has always been a difficult area for schools as they hold a substantial amount of personal information about pupils, staff and others which they often have to share with staff or with third parties on a daily basis.
In light of this, it is no surprise that some schools have run into difficulty and that the Information Commissioner is taking such a proactive role in monitoring and enforcing compliance. The Information Commissioner now has the power to fine organisations up to £500,000 for serious breaches of the Data Protection Act and it may only be a matter of time before a school is fined.
Fines will only be imposed where the organisation has seriously contravened the data protection principles and the contravention was of a kind likely to cause substantial damage or substantial distress. For example:
A County Council was fined £100,000 for faxing details of a child sex abuse case to the wrong recipient.
Numerous organisations have been fined for losing laptops containing personal information. Fines range from £60,000 to £80,000.
While the Information Commissioner decided not to fine the school in Oldham, it remains to be seen what action they take against the college. At first glance, the college's alleged breach appears to be more serious than some of the laptop thefts described above which have attracted a fine.
As well as having to pay a fine, a school that has breached the Data Protection Act may also have to pay compensation to affected individuals. Information Commissioner involvement can also attract adverse publicity.
Out of the breach
Set out below are examples of what schools can do to reduce the chances of information security breaches occurring:
Staff training: The majority of breaches can be prevented if schools and staff take more care when handling personal data. So, for example, staff should not leave laptops containing unencrypted personal data unattended and should make sure that they use the correct address when sending faxes and emails. These issues can be covered in staff training sessions.
Personal information held on computer: Personal information held on computer should be protected using appropriate measures such as passwords, file encryption and protection against hacking and viruses. Schools should also have in place procedures for ensuring that personal information which has been deleted is permanently erased (it is often possible to retrieve information even after it has been "deleted").
Personal information not held on computer: Personal information should be kept under lock and key and should be disposed of securely (for example, through using shredders). In addition, particularly sensitive information should be kept in a secure location (for example, in the headmaster's office).
Limiting access to personal information: Access should be granted on a "need to know" basis. Schools should not, for example, disclose information about a pupil's medical condition to a teacher unless that teacher needs to know that information.
Risk assessments: schools should carry out risk assessments to identify and mitigate risks. Fresh risk assessments should also be carried out when the school changes how it handles personal information (eg if it were to purchase a new IT system).
Investigations: schools should have in place procedures for investigating possible breaches of security.
Responsible person(s): a senior person (such as the bursar) should be given overall responsibility for data protection compliance.
Sharing information with third parties: Extra steps should be taken where the school allows a third party (such as an IT contractor) access to personal information. The school should obtain the appropriate guarantees regarding information security and ensure that it has a written agreement in place which will adequately protect personal information. This is an important issue as the school would be liable should the third party mishandle the personal information.
Policies and procedures: Policies should set out the overall framework under which personal information will be managed by the school. Procedures should set out in more detail how the school will deal with “day to day” issues and the school's response if something goes wrong. For example, how to keep personal information secure and how to respond to a request for information. Staff should be able to refer to these procedures for guidance. As well as providing practical and legal assistance, good policies help reassure parents that their children's personal information is in safe hands.
Doug Locke is a partner and Andrew Gallie is a solicitor for Veale Wasbrough Vizards. Doug can be contacted on 0117 314 5602 dlocke@vwv.co.uk and Andrew on 0117 314 5623 agallie@vwv.co.uk.