Jade Short 14th March 2022

How the Data Protection Act affects schools

As an education provider, you have a responsibility to protect your students, staff and school. But the responsibility isn’t just with protecting the physical form – it also comes down to the protection of any information or data you hold...

The DPA 1998 states that:

“Anyone processing personal data must comply with the eight enforceable principles of good practice.”

Not familiar with the principles? We’ve outlined them below for you:

Used fairly and lawfully
Used for limited, specifically stated purposes
Used in a way that’s adequate, relevant and not excessive
Accurate
Kept for no longer than is absolutely necessary
Handled accordingly to people’s data protection rights
Kept safe and secure
Not transferred outside the UK without adequate provision
You can find out more about these in the ICO’s guidance.

Educational establishments, by their very nature, store tonnes of data. That data can be anything – student exam results, lesson plans, medical history, home addresses, contact details. The list is endless.

As a holder of such information, under the DPA it’s your legal obligation to ensure that this data is protected.

Whilst there will be a change in legislation when the GDPR comes into force in 2018 – the Data Protection Act is still in the here and now and you should be doing all you can to ensure you remain compliant.

For me, there are two major questions that unfold from this:

Exactly how does the Data Protection Act affect schools?
What measures need to be in place to remain compliant?

Having done a bit of digging round – this is what I’ve found:

How does the Data Protection Act affect schools?

This one’s easy.

First off, failure to comply with legislation can see fines of up to £500,000 imposed by the ICO.

Second, your Ofsted rating can be severely impacted. Over the last few years in particular, Ofsted have really started to come down heavy on any educational establishment that doesn’t have the right policies in place. So much so, we’ve seen school ratings drop from Outstanding to Special Measures because they haven’t followed the right practices.

In a world where you’re competing with other schools for the intake of pupils each year – nobody wants to be dragged down into Special Measures (or even face fines of up to £500,000) because there wasn’t a clear policy in place.

How do you ensure you remain compliant?

Policies & Procedures

Under Ofsted and ICO regulation, all education providers must have adequate policies and procedures in place.

Such policies typically include:

E-safety
Data protection
Acceptable use
BYOD

Having these policies in place will ensure that staff are aware of what to do, how to use technology both inside and outside of school and understand the implications involved with non-compliance.

Policies and procedures must be made readily available – not only for staff but for parents and students too. Because after all they’re entitled to know what information you’re holding about them as well.

Training

It’s all well and good having these practices in place. But if staff aren’t fully aware of them or how to put them into effect then it’s going to be pretty useless!

So, best practice would be to provide ample training on the policies you have in place. This training should be continual – so if there’s ever any changes, your staff are up to speed with everything that’s going on and have no excuses for non-compliance.

As a Data Controller it’s up to you to ensure that everything your teachers do is in-line with your school policies for the protection of not only themselves but your students too.

It’s also good practice to make your students aware of regulations relating to data protection and e-safety. First off – as we mentioned earlier – they have a right to know what data is stored about them and secondly it’s also part of the curriculum!

Security

It goes without saying that technology plays a huge role within education. Whilst this is great, you need to make sure that the technology you’re using and the way you’re using it doesn’t breech DPA legislation.

Be it BYOD, e-mail systems or general use of the internet to help students with their tasks – you must have security measures in place to ensure that a) you’re complying with the DPA, Ofsted and the ICO and b) your students (and data) don’t come to any harm.

Such security measures could be:

Using an approved email service within school (i.e. not personal Gmail or Hotmail accounts)
Set boundaries of use for BYOD provision (i.e. through an Acceptable Use policy)
Firewalls
Encryption

IT Asset Disposal

When it comes to that time to refresh your IT estate, what you do with your redundant, end of life hardware is something you need to consider carefully.

There are far too many ‘cowboys’ (or white van men as we like to call them!) out there who offer a safe and secure service but actually deliver nothing but problems and ultimately non-compliance with the Data Protection Act.

Making sure you’re choosing the right partner to work with when it comes to IT asset disposal is key.

Working with an accredited Data Processor will ensure that any end-of-life data bearing equipment is disposed of and destroyed in a safe, secure and compliant way. These partners will also ensure there’s a legally binding contract or SLA in place to determine the formal processes involved. This provides complete traceability of what’s happened to your tech and accountability should anything go wrong.

There are many IT asset disposal partners out there who can help, who hold accreditations such as ADISA with Distinction, Blancco, ISO 27001 etc., so that you can be safe in the knowledge that your assets and data are in good hands.

There’s no doubt about it that the main force behind data protection and data security is the Data Controller.

Ofsted and the ICO come down pretty heavy on any education provider who doesn’t follow legislation – make sure you’re not one of them.