The personal touch
Schools handle a lot of information about pupils, parents and staff. New technology brings new challenges, and it can often be difficult for schools to know whether they are complying with the law when handling personal information. Doug Locke reports
Quite apart from any damage or distress caused to affected individuals, getting the law wrong can have serious consequences for a school. The Information Commissioner (who is the regulator responsible for compliance with data protection and related law) has been given the power to fine organisations up to £500,000 for serious breaches. The following are examples of circumstances in which the commissioner may impose a fine on a school:
• a pupil gaining access to records about child protection incidents stored on a school computer;
• a teacher taking home a laptop containing unencrypted emails relating to an allegation made against another teacher. The laptop is subsequently stolen; and
• a pupil finding an unencrypted memory stick belonging to the school containing information about pupils’ medical conditions.
Compensation
A school may have to pay compensation to individuals who have suffered damage as a result of the school’s breach of data protection law.
Criminal offences
A school or its staff could be committing a criminal offence by handling personal information without consent (such as where a school looks at a pupil’s text messages without permission).
Investigations
A school may become the subject of an investigation by the commissioner. An investigation would take up a lot of management time and could look at all aspects of the school's personal information compliance (not just the circumstances giving rise to the original investigation).
Publicity
A serious breach of data protection law could lead to adverse publicity. Data protection is a subject of increasing concern to parents and the media.
How to address these concerns
Schools can do a lot to reduce the chances of these risks materialising (and to mitigate the consequences when things do go wrong). Some practical examples of the measures schools can implement are set out below. Taken together, these measures are often referred to as an information governance programme, which should include the following:
• pupil education: a school could be liable if it does not respond appropriately once it has become aware that a pupil has misused computer equipment, such as using social networking sites to bully other pupils (cyberbullying). Schools should educate pupils on the dangers of cyberbullying, hacking and other misuses of computer equipment. Not only will this help protect the school, but it may also prevent the pupil from committing a criminal offence (such as harassment or computer misuse offences) and from harming his or her own reputation; and
• risk assessments and privacy impact assessments: these can help a school understand the risks associated with handling personal information. For example, a school planning to give laptops to its pupils should undertake a risk assessment so that it understands the risks involved and how to mitigate them.
Policies and procedures
• policies should set out the overall framework under which personal information will be managed by the school. For example, they will state who has overall responsibility for information management; and
• procedures should set out in more detail how the school will deal with day-to-day issues and how it will respond if something goes wrong: for example, how to keep personal information secure, how to respond to a request for information and how to respond to cyberbullying. Staff should be able to refer to these procedures for guidance.
Checklists
Schools are required by law to register with the Information Commissioner (and to keep their registrations up to date) and should usually serve "privacy notices" on the individuals whose personal information they handle. Checklists help to ensure that none of these requirements is missed.
Staff training
Breaches of data protection law are almost always caused by staff not being aware of their obligations rather than by a deliberate attempt to break the law. Staff training should cover a number of issues, including the following:
• keeping personal information secure (using passwords etc);
• regulating who may access personal information and, in particular, when a teacher may share it with colleagues;
• deciding what to do and who to tell if something goes wrong; and
• taking the extra steps necessary when personal information is taken off the school premises.
Consent forms
These can give a school certain rights which it would not otherwise have. For example, they can allow a school to examine a pupil’s laptop or mobile phone. Without consent, the school may be committing a criminal offence. Consent forms can also be used to place restrictions on how pupils use computer equipment.
Information security measures
By law, a school must ensure that personal information is adequately protected against unauthorised use or disclosure. The more sensitive the information, the more the school must do to protect it, so schools will need to do more to protect information about pupils' medical conditions than to protect information about their ages. Schools should ensure that any sensitive personal information is encrypted and that access to it is granted on a need-to-know basis. Schools should also put procedures in place so that they can periodically check that these measures have actually been implemented.
Doug Locke is a partner at Veale Wasbrough Vizards. Doug can be contacted at dlocke@vwv.co.uk or on 0117 314 5602.