Conference & Common Room - September 2018


Look what you’re doing

After GDPR – what happens next?

Steve Forbes from RM Education has some follow-up advice for schools

After years of anticipation and months of planning by companies and organisations of all sizes, the new General Data Protection Regulation (GDPR) legislation is now in force. By now, you should be quietly confident that sufficient policies and procedures are in place to protect your school data. However, GDPR is an ongoing process and, to make sure your school stays compliant, you must stay responsive. Below are some key points on how to stay on top of GDPR policies and what should happen if a data breach occurs in school.

Awareness

Primarily, you need to educate all your staff. A good place to start is for senior management or your Data Protection Officer (DPO) to educate teams on the importance of data protection and how the law translates to each individual department. If your users don’t understand the impact of not following processes, or how to use the technology or policies you have implemented for GDPR, then any investment is wasted. As with most training and procedures, a little common sense is required, and data privacy should never jeopardise student safeguarding.

Processes

Ensure that your staff know where your processes are stored. It is also best practice to have an incident response plan. This ensures that if you do have a serious data breach, you have a plan that you can quickly put into action, reducing the amount of time taken to respond. Part of the incident response plan should be to have a prepared statement ready for the school to use if they get questions from parents or the media about the data breach. This removes the need for your staff to think on their feet at what could be a stressful time.

Your DPO is under obligation to maintain a breach register where all breaches, no matter how trivial, are recorded and monitored. Therefore, should the unanticipated occur, it is a good idea to ensure that all staff members know that they should inform your DPO.

Under GDPR you have an obligation to report a serious data breach within 72 hours. It is important to be aware of this three-day limit since there is a lengthy form to fill out, and the process involved in reporting a breach to the Information Commissioner’s Office (ICO) takes time because information needs to be gathered from all the individuals involved.

GDPR doesn’t mention specific technologies to help you secure your data – it is technology agnostic because technology changes so fast – but there are tools available to turn all this information into easily understandable and actionable insights. What GDPR does state is that you must have appropriate security based on the type of data and the risk to that data. Remember, when any new technology is introduced, your DPO must review and sign off the Data Privacy Impact Assessment which considers any risks associated with implementing the new technology.

Autumn 2018

Mitigating data risk in school

Fortunately, in schools we don’t often have the threat of a malicious insider trying to steal confidential company information for commercial gain, and most data breaches in education come from human error. Here are some of the key issues and the actions a school can take to guard against a potential data breach risk.

Data sent to the wrong recipient by email

Below are a few steps you can follow to make email communications less prone to accidental breach:

1. Turn off autofill in your e-mail: many of the mistakes come from programmes such as Outlook or Gmail automatically filling the address field with the most commonly or last used email addresses. Whilst it can be a handy feature, it is also a risk that turning off autofill will avoid.

2. Enable BCC by default: most email clients don’t have BCC available by default, so if the user doesn’t know how to activate it they may be tempted to put all the email addresses in the CC field. This means that every recipient of that email can see the other recipients. This could be an issue if the subject of the email is sensitive, eg if you were emailing all parents whose children receive pupil premium funding or have attendance issues.

3. Mail encryption: this may prevent email messages being intercepted and read whilst in transit to the recipients. This is good practice where you are sending potentially sensitive data via email.

4. Data labelling: you can use the advanced functionality in Office 365 and now G Suite to label your documents and emails with a sensitivity label. This prompts the user to think about what they do with those documents or emails. You can also prevent a document from being copied or printed, which stops sensitive data from being left on printers for unauthorised people to find and read. Finally, you can prevent documents or emails with certain labels from leaving your organisation.

Loss/Theft of paperwork or devices

You should challenge the practice of allowing paperwork to leave secure areas within the school when digital forms of data are far easier to secure and are more portable. Devices that leave the school should have more security than devices that stay within the school gates and should only be accessed by those authorised. Encryption is one of the easiest ways of doing this – encryption technology such as BitLocker on Microsoft devices can ensure that should the device be lost or stolen it would be extremely unlikely that anyone could access the data on the device.

