Following on from my recent blog,
“GDPR – What’s it all about and how does it affect Independent Schools” I’ve had requests from several schools asking for more information, so I thought it would be useful to elaborate on some of the issues that GDPR raises for Independent Schools.
I wanted to start by further exploring the importance of understanding what personal data you hold and where that confidential data is stored. Bear in mind personal data can be as simple as a pupil, teacher or parent’s name or email address.
This may sound like an odd topic, as I'm sure many of you are thinking you know exactly where all your schools’ data is held. But do you really?
The scary reality nowadays is that your school’s precious data may already be widely scattered. Yes, some of it will certainly be residing (hopefully securely) on your in-house servers. But what about the proliferation of school, staff and pupil owned portable devices such as laptops, tablets and smartphones which now hold school data or emails? Or data that has been copied to removable media such as USB sticks? Or data that has been shared with business partners and other third-parties? Or copies of data taken for backup purposes?
Then there is the cloud. The cloud has revolutionised the way many schools store their data, but in doing so has also globalised the way data is stored, with many public cloud providers distributing data across servers worldwide in order to optimise costs.
So do you really know where all your data is held? And does it matter?
Well in terms of GDPR it certainly matters, as you need to be able to demonstrate that you are protecting your data and using it appropriately. The more widespread and less controlled your data is, the more vulnerable you leave your school to a breach of data security. So understanding what you have and where it is forms the first step towards compliance.
If, on reflection, you realise that your school’s data is already widely scattered, you may wish to bring it together in one secure, central repository in order to make it easier to control and manage. Luckily nowadays there are technologies that facilitate this; for example we have built our very own EducateIT desktop platform for schools, which is an onsite private cloud solution which allows a school to bring together all their data in one secure, central, onsite repository, where they and their authorised partners can access it securely wherever they are, without the source data ever leaving the security of the school. For other schools, where data is generally central, but perhaps also resides on some mobile devices too, we work to implement processes and technologies to prevent data leakage and manage mobile devices.
Either way, it is paramount to put the school back in control of its data, knowing both where it is and who has access to it. This in turn needs to be documented, both so that the senior leadership team team have understanding of, and control over, their valuable data and also in order to provide documentation for compliance and audit purposes. This not only puts schools back in control of their data, but minimises the risk of a security breach and takes the first step towards preparing for GDPR compliance.
Once you have this understanding, the next step is to understand how you secure your data. This broadly falls into two categories – access control (effective security for authorised users) and cyber security (protection against unauthorised access).
Today I am going to talk about the former, as having good access control systems lies at the heart of successfully protecting your school’s data, and forms an important part of preparing your school’s information systems for GDPR compliance.
GDPR places accountability on schools to have in place policies, procedures and documentation that demonstrates the personal data they hold is stored securely. Bearing in mind that schools hold a vast array of personal data, much of which is about children, whom the GDPR identifies as “vulnerable individuals” deserving of “special protection”, and it becomes clear that the legislation is likely to cover the vast majority of a school’s data.
Therefore, for each of your computer systems, it is important to understand, and have documented, who has access to that system and what level of access they have. Bear in mind that it is best practice to give each user the minimum access they require to the system. Allowing wider access to systems puts you at greater risk of a data security breach or data loss through incidents such as accidental deletion, a ransomware attack or malicious insider threats. As well as having SOPs in place to handle the ICT access control requirements of new starters, it is equally important that there are procedures in place to cover leavers (both pupils and staff) and what happens when somebody changes role within the school.
Password policies are always a bone of contention and an area where a fine balance needs to be struck. Policies that are too lax lead to easily guessable passwords which may not demonstrate due care of data under GDPR. On the other hand, policies which demand highly complex, long passwords which change frequently, may lead to dozens of forgotten passwords and/or the temptation to record passwords on sticky notes, which also certainly doesn’t demonstrate due care of data!
Nowadays, it is also likely that third parties such as freelancers, suppliers and of course parents will have access to some of your ICT systems or data. In this case this needs to be secured in just the same way, so you are clear who has access to what parts of the system, why this is needed and how it is controlled. There also need to be procedures in place to review, amend and remove access for third parties, as relationships evolve and change.
Mobile and remote working present a whole additional set of challenges to ICT security, with the potential for copies of data or emails to be residing on all kinds of devices, both school owned and personally owned, which do not necessarily conform to school security standards. So developing policies around mobile working and ensuring there is not leakage of data or unauthorised access to data form a critical part of compliance. Policies and technologies also need to be implemented to protect against data breaches from mobile devices that are lost or stolen.
Finally, bear in mind that it is not just your main school-wide IT systems that fall under the GDPR. Any indexed system that contains personal data is subject to the legislation, so do make sure you are also including in your access control procedures all those little databases or spreadsheets that have been developed by an individual or department and which contain personal data.
I hope this has given you a useful insight into some of the key areas to consider around readying your school for GDPR compliance. If you need help preparing for GDPR, or indeed with any element of your ICT system, please do not hesitate to contact me on 0330 002 0045 or email schools@entrustit.co.uk
