Data privacy in schools
Neerja Singh
The world today is data fuelled and driven. We are creating and storing and sharing information at an ever-expanding rate. And the more we share online, the more we expose ourselves to multiple risks. Learning how to protect oneself from compromise, corruption, and loss has therefore become a crucial self-preservation skill.
But what is data privacy and where do schools stand on this?
Data refers to pieces of information and the concept of privacy involves the ways in which this information should be managed. Data privacy typically applies to personally identifiable information (PII) and personal health information (PHI). In schools, this could include names and dates of birth for both staff and pupils, images of staff and pupils that confirm their identity, addresses of staff and pupils, recruitment information, financial records such as tax information and bank details, information relating to pupil behaviour and school attendance, medical records including doctor’s names and medical conditions, exam results and class grades, and staff career reviews.
Data privacy is important because a data breach at school could put students’ PII in the hands of identity thieves. Schools are a treasure trove of an incredible amount of personal data. Legislation on this subject is in various stages of evolution around the world. There is the Data Protection Act (DPA) which was updated to the General Data Protection Regulation (GDPR) across Europe in May 2018. In India the Personal Data Protection (PDP) Bill, 2019 is being reframed against contemporary digital privacy laws and comprehensive frameworks. These regulations cover the processing of personal data stored on school websites, paper, servers, and databases. Every time schools upgrade their software, or change their IT infrastructure, or introduce new technology that involves personal data, they are expected to undertake stringent data protection impact assessments. Precise documentation proving effective management of all information systems are now obligatory for schools, inviting penalties over non-compliance.
As a first step, while collecting information from a parent, child, or staff member, schools are expected to explain how it will be processed and used. Clear privacy notices are mandated to present and summarize what information the school needs, why it is being sought, and which third-parties shall be privy to such data. Even the subsequent storage of this data may not happen without the full consent of the individuals involved. And given that the data requirements of primary and secondary schools may differ, there is scope for specific policies while covering the key areas such as transparency, intentions, computer security, information on third-parties involved, encryption details, procedures for data loss, and fair data processing. Recommendations include publishing of privacy notices on all enrolment documentation and on forms used to collect any personal information. A clear privacy notice is expected to be uploaded onto the school website. It is also suggested by the authorities concerned that schools send a digital copy of their privacy notices to all students and parents at the beginning of each new school year.
The seven significant GDPR principles that school data protection is based on are: lawfulness, fairness, and transparency; purpose limitation; data minimization; accuracy; storage limitations; integrity and confidentiality, and accountability.
This brings us to security measures that schools can adopt to ensure their data is protected and private. These security measures could potentially include the use of strong passwords; encryption of personal information stored electronically; installation of virus checking software and firewalls in school computers; turning off all ‘auto-complete’ settings; limiting access to personal information wherever necessary; holding telephone calls in designated private areas; ensuring that all papers and devices containing sensitive information are stored securely; checking all storage systems for security; keeping digital devices locked away securely when not in use and shredding of all physical copies of confidential waste. Memory sticks and SD cards can be easily misplaced and are best fully encrypted and password protected. Additionally, hard drives must be securely erased by a technically capable professional if they are being discarded.
Annual audits are the way to guarantee that all information has been vetted for accuracy, stored for the time it is relevant and then in a secure manner. This will happen when school staff has received adequate traning on the confidentiality of personal information. The school Data Protection Policy ought to highlight on how individuals can use the school intranet, internet and email for private communicaitons. This would include guidelines on security issues that will come up when staff and pupils access the school intranet from outside of the school campus on a smartphone, tablet, laptop, or desktop device. Breaches of data could happen through a school’s internet, intranet, and email systems. Evidence of inadequate data protection practices or guidelines includes lack of internet monitoring or filtering, little or no e-safety education in place, and students with no awareness of how to report data-sensitive problems.
The new educational technology (“edtech”) platforms that emerged during the pandemic present additional challenges. Schools using these have responsibilities as data fiduciaries. Data Protection is an emerging vocation in educational institutions. These officers ensure internal compliance in schools and alert the relevant authorities around issues of non-compliance. The role of a Data Protection Officer is dynamic, given the consistent evolution of technological innovation and data protection laws.
The bottom line in the new data economy is that if your organization generates any value from personal data, you will need to change the way you acquire it, share it, protect it and profit from it. Entrenched habits, routines and networks will have to be broken to begin anew. In this new world, data gathered with meaningful consent will be the most valuable data of all. We have new technology now that makes it possible to acquire insight from data without acquiring or transferring the data itself. Insight will no longer need identity in other words. Once all human data has meaningful consent and insights are gained without transferring data, information and digital forces can flow together instead of being at odds.
The world is moving towards a data-sharing future economy based on consent, insight and flow. The answer is not in hoarding data assets but in investing them with fewer privacy and security risks and for better returns and services. Schools too need to quickly become trusted hubs for their community’s personal data.
The author is a former teacher/journalist, published author and professional speaker on generational diversity with a background and training in media, having worked in advertising, public relations, documentary film making, and feature journalism. She is a TEDx speaker and represents the Professional Speakers Association of India on the Global Speakers Federation Board. She can be reached at neerja@neerjasingh.com.