Keeping schools compliant with data protection law
The Information Commissioner’s Office has issued new guidance after reprimanding a school. Is your school in compliance with data protection law? Vicki Bowles looks at the key issues.
At the end of May 2023, the Information Commissioner's Office (ICO) issued a reprimand to a school following a data breach involving a whiteboard, and the inadvertent sharing of sensitive information whilst using it.
The ICO, in publishing its findings, provided some useful guidance for schools about some specific measures that need to be in place to ensure compliance with data protection law.
Some of the issues the school in this case faced related to missing guidance for staff on key areas that help keep information secure. We suggest reviewing your own policies and procedures to check that the following are covered, and considering whether additional training might be required:
Sharing sensitive data internally
Schools should ensure that there are clear systems in place for staff to follow when sharing sensitive information internally. This might include an email classification system, which flags to the recipient that an email might be sensitive. Staff should also understand when it is appropriate to open emails that might contain sensitive information - this might be limited to outside of the classroom, and/or when pupils are not present and may be able to see the relevant screen.
Guidance on using third-party systems
Guidance should cover third-party systems, such as those used to record safeguarding concerns, and classroom technology such as whiteboards.
Staff should understand how to use the various systems that are in place in such a way that data is safeguarded. For example, if using whiteboards, the implications of screen sharing should be explained, and guidance provided on how to do this without compromising information held on the device.
Reporting of breaches
Staff should understand how and when to report data breaches and near misses, and should be encouraged to do so. A clear reporting process should be provided to staff, and regular reminders about the importance of reporting can help to encourage it.
Regular reviews of policies and training
Policies and training should be reviewed and updated on a regular basis to meet the requirement of accountability. Any changes should be communicated to staff in such a way that it is clear what has changed. Records should be kept of the changes made, and of how these were communicated.
Whilst compliance with data protection law can seem burdensome, one of the main purposes behind the legislation is to protect the information that organisations hold and use about people, and to ensure that it is kept safe and respected. Regularly reviewing policies and procedures, and updating them to meet the latest guidance and requirements, is key to achieving this and to making sure that your employees understand how they can help.
Vicki Bowles is a Data Protection Partner at VWV.