Best Practice

Tackling data protection challenges in primary schools

From subject access requests to cyber-security and data breaches, schools must be on top of their data protection duties. Hafeeza Joorawan from the Information Commissioner’s Office offers some pointers

From contact details to exam results, schools collect and process a large amount of personal data, which often belongs to young people and includes sensitive information. This can raise unique challenges for the education sector when it comes to protecting this data and responding effectively to situations that may compromise it.

Responding to subject access requests, inappropriate disclosures of personal data and combating cyber-breaches are just some of the key challenges facing schools.

Everyone has a responsibility for data protection so schools must ensure that everyone involved with handling personal data has the training and support that they need to get it right.

At the Information Commissioner’s Office (ICO), we offer a wealth of advice and resources to educate staff on these responsibilities. In this article, I would like to offer some practical steps that primary schools can take when it comes to navigating data protection legislation.


Dealing with SARs

If someone asks you for a copy of their information, it is called a subject access request (SAR). By law, you have to respond, because it is their right to request copies of their information. 

These requests must be answered within one month (or three months if the request is complex), and schools often struggle to meet this timeframe, especially during the holidays. They also face the challenge of considering a child’s best interests when the request is made by a parent.

Although there are no age requirements for submitting a SAR, it is likely that parents or guardians will submit a SAR on behalf of children aged under 12. 

  • Plan ahead: Make a robust plan for how you will deal with SARs. Your plan could include who is responsible for responding, the timeframes you need to meet and your methods for sending information. It is a common mistake for schools to send out other pupils’ data when responding to SARs, such as a whole spreadsheet, and a robust plan can help to minimise these errors. 
  • Practise good records management: If you know what information you hold about pupils, where you keep it and how you can search for it, you will find it easier to handle your next SAR. It is also helpful to make sure you don’t hold on to information for longer than you need it (we have advice online on practical methods for destroying documents that are no longer needed – see further information). Good records management is about more than files, letters, and emails. When responding to a SAR, you need to be able to create copies of the information and send them securely.
  • Train your staff: As they frequently interact with parents and carers of young children, teachers should be trained to recognise any SARs made to the school so they can spot them early. Often, these requests can be missed if they are received verbally or in the middle of an email with a different subject matter. Parents, pupils, and employees whose information you hold all have subject access rights – but they might not use those exact words when asking for their information. The person doesn’t need to provide a reason or to reference data protection law as part of their request. And it does not matter whether they make the request in person, by phone, letter, email or on social media.
  • Check you’ve understood: You must check that you understand exactly what the person has asked to see. If you have misunderstood either the sort of information they are after or how they want to receive it, you could end up wasting valuable time.


Inappropriate disclosures 

The most common data breaches that occur in schools include data sent to the wrong party and discussing pupils’ personal data in front of other pupils or parents.

It is important to understand what can constitute an inappropriate disclosure of personal data – for example, publishing the reasons for staff absence online, or forgetting to use BCC (blind carbon copy) when sending bulk emails. You can minimise the risk of a data breach significantly by handling personal data with care.

  • Store personal data securely: You have to keep personal data safe and make sure no-one has access to it without your authorisation. Some simple security measures could include storing paperwork in a locked cabinet and putting strong passwords on all your devices. 
  • Have a clear desk policy: Staff should not store paperwork on their desk or in their workspace. Make a policy to help minimise the risk of sensitive information being left unattended. Similarly, try not to check your emails when your laptop is connected to a classroom projector.
  • Take care when redacting data: When responding to a request for information, you will often need to send people copies of their data. You may need to remove or redact information about other pupils. When doing this, be thorough and check the information cannot still be seen or recovered.
  • Be mindful when talking to others: Be careful not to talk about personal matters where you can be overheard and do not tell a person something they are not entitled to know. Consider what information you put in a child’s school bag, particularly if they are being collected by someone other than a parent.


Improving cyber-security 

The education sector has been hit hard by cyber-attacks recently (see Headteacher Update, 2023), which can have a devastating impact on affected schools. It is crucial that schools contain and minimise any damage to their networks in the event of a cyber-attack. 

  • Back up your data: You should back up your data regularly. If you are using an external storage device, keep it somewhere other than your main office – encrypt it and lock it away. That way, if there is a break-in, fire or flood, you will minimise the risk of losing all your data.
  • Use strong passwords and multi-factor authentication: Make sure you use strong passwords on smartphones, laptops, tablets, email accounts and any other devices or accounts where personal information is stored. Where possible, you should consider using multi-factor authentication, a security measure to make sure the right person is accessing the data.
  • Be wary of suspicious emails: You need to know how to spot suspicious emails. Look out for signs such as bad grammar, demands for you to act urgently, and requests for payment.
  • Install anti-virus protection: And keep it up to date! Anti-virus software can help protect your device against malware sent via phishing attacks.
  • Watch out for ransomware: Given the sector is also a target for ransomware attacks, schools may find the ICO’s ransomware guidance helpful (see further information). Ransomware is a type of malicious software or “malware” designed to block access to computer systems and the data held within them by encrypting files. A ransom note is left by the attacker requesting payment in return for restoring the data. 


Responding to a data breach

If your school suffers a data breach as a result of a cyber-attack, you should report this to the ICO within 72 hours of becoming aware of it, unless you can show that the breach is unlikely to pose a risk to individuals’ rights and freedoms. You don’t have to wait for 72 hours – the sooner you contact us with detailed information the better (see further information).

Hafeeza Joorawan is a senior policy officer specialising in the education sector at the Information Commissioner’s Office.


Headteacher Update Autumn Term Edition 2023

  • This article first appeared in Headteacher Update's Autumn Term Edition 2023. This edition was sent free of charge to every primary school in the country in September. A digital edition is also available via www.headteacher-update.com/content/downloads 

Data Protection Practitioners’ Conference

  • On October 3, the ICO’s Data Protection Practitioners’ Conference will offer practical workshops on a number of data protection issues affecting schools. Run by ICO staff, the event is an opportunity to improve knowledge about data protection principles and learn about resources. Registration is free and the event can be viewed online as well. There is also an e-newsletter for further helpful advice. For details, visit https://dppc23.orcula.co.uk/home 

Resources from the ICO