The Current State Of Data Protection In Schools
In preparation for this blog, I scoured the internet trying to find some up-to-date stats on Data Protection compliance in schools. I wanted to know how schools are getting on with their Data Protection compliance projects. How many of them are still on the journey to compliance? How many of them haven’t started yet or have stagnated? How many of them feel like they are in a really strong position and are (dare I say it) compliant? Disappointingly, I couldn’t find any. Although, this doesn’t surprise me. Four years on from the GDPR and there still seems to be a lack of momentum and, more importantly, a lack of interest in the Data Protection practices of schools. In 2018 there was fear in schools – “The ICO will fine us €20 million if we’re not compliant by 25 May 2018!”. Steering groups were formed and action plans drawn up. There was a sense of urgency to get the job done. In the last four years schools have seen the ICO focus their attention on other sectors and the fear has diminished, taking with it the drive to achieve and maintain compliance. It’s only when a DSAR lands or a personal data breach occurs that the fear creeps back and there’s a flurry of activity.
Why is this? A number of factors are coming into play here. Schools, and particularly state schools, don’t have the budget to allocate the resources needed for Data Protection. Given that it is not currently included in Ofsted or ISI inspections, and with a lack of accountability to the regulator, schools, unfortunately, don’t see Data Protection as a priority. It will be interesting to see how long it takes before the inspectorates start seeing Data Protection as part of a school’s governance and including it in their inspections. There is also very little guidance and few resources available from the ICO around children’s privacy and Data Protection practices in schools. The ICO has released the Age Appropriate Design Code, which aims to keep children safe online, but what about the organisations that process their personal data offline? Where is the guidance for them? Schools don’t know where to turn for guidance without spending money on professional help. Independent schools are a slight step ahead due to more freely available funds and the fact that their parents expect more and can afford to take action if they’re not happy; however, the underlying argument of “Data Protection is not inspected” still exists. All of these factors, coupled with the current exhaustion that our schools are feeling, mean that Data Protection compliance in schools isn’t keeping pace with other regulated sectors.
An indication of the current compliance level of schools can be seen by looking at reported data breaches. The education and childcare sector has reported the second highest number of security incidents to the ICO during 2022 so far, with 16% of all incidents. The leading cause of these incidents was human error, which backs up the theory that schools aren’t allocating the appropriate time and funds to Data Protection. In an organisation where Data Protection is woven into the fabric and appropriate funds, time and respect are given to it on an ongoing basis, human error shouldn’t be the leading cause of security incidents.
Additionally, the Department for Digital, Culture, Media and Sport recently surveyed the education sector as part of its aim to inform government policy on cyber security. The stark figures show that a whopping 70% of all secondary schools and 41% of primary schools surveyed identified a breach or attack within the last 12 months. By contrast, the figure for all UK businesses surveyed was 39%. The proportion of all UK businesses identifying breaches or attacks in 2022 remained at the same level as the previous year; however, secondary schools saw a significant increase compared to 2021 (58% in 2021 compared to 70% in 2022), and primary schools saw a slight increase (36% in 2021 compared to 41% in 2022). It is clear from these figures that schools are increasingly coming under attack and that the need to prepare for these incidents is becoming more and more important.
Fostering a Data Protection culture
Anyone working in a school will know that the holy grail of statutory guidance is Keeping Children Safe in Education, and rightly so. Every employee of a school wants to ensure the safety and well-being of each and every child. However, for a school to be at the top of its game with respect to Data Protection it must understand how safeguarding and Data Protection laws are inherently linked. There needs to be a culture instilled from the very top with the view that Data Protection is part of safeguarding and that the two aren’t in competition, as is sometimes believed (“Does the GDPR stop me from sharing this information with social services?”). After all, a severe data breach or a misuse of data could lead to significant consequences for the children involved and their futures. Once this is understood, Data Protection will be given the appropriate time and attention, which will naturally translate into higher levels of compliance and a decrease in personal data breaches.
Like safeguarding, it is the responsibility of all staff to adhere to Data Protection laws, and therefore staff must have an understanding of their responsibility and of the data that they possess and use. Training plays a big part in this, but is not the be-all and end-all. It is good for staff to see Data Protection in action and be part of it day to day to keep their engagement high. Departments should take ownership and responsibility for their data instead of relying on the DPO to know and manage it all. Making staff think about compliance tasks will raise awareness and lead to better consideration of personal data in other tasks. Arguably, the DPO’s role should be to bring all departments together and have an overarching insight into the organisation as a whole, not to run the show single-handedly.
From conversations that I have had with teachers and school staff, it is evident that staff are desperate for more training and knowledge around the topic to demystify it. They don’t want to be responsible for a personal data breach any more than the DPO wants to deal with one. So how can we instil a culture of Data Protection in schools to give staff more confidence when dealing with personal data? There are a number of actions that schools can take which will help keep knowledge and awareness of Data Protection high across the organisation.
- 1. Make sure to schedule annual data protection training and don’t bump it!
- 2. Add data protection as a recurring item at senior leadership meetings. Some weeks there may be very little but having this time to update the leadership on what’s been happening will prove to be invaluable.
- 3. Create data protection champions in each business area. These staff will know their own department and will know what data they use and how they use it. With some basic training, they can become the first port of call for queries from their team. Half-termly meetings with all data champions and the DPO can be used to share best practice and update the teams on what has been happening elsewhere. Encourage champions to feed back to their teams so they can see data protection in action.
- 4. Consider creating an internal data protection blog or newsletter. Make it fun and engaging but, above all, interesting! Include news stories, recommendations or blog pieces about what you’ve been up to. The aim is to get staff thinking about their own privacy; by making them more aware of their own personal data, you foster a desire to look after that of others.
- 5. Celebrate good data protection practice when you see it – be creative! Data Protection Day is 28 January each year. Make a big fuss, have workshops, competitions, etc.
All of these suggestions will help to keep awareness high and create confidence amongst staff but unfortunately, I don’t think that the overall compliance level of schools is going to rise significantly until they are held accountable by Ofsted/ISI and the ICO.
Challenges of a school DPO
Prior to joining Data Protection People, I worked as a DPO in a large independent school. On the whole, I loved this job. There are so many nuances to schools that make this role incredibly interesting and every day is a learning curve. There are, however, plenty of challenges that come with it. Here are some of the biggest challenges that I faced.
- 1. Senior leadership response – Schools are busy and so are their SLT. Decisions took a long time, which was frustrating when I was trying to work to a project plan. I also faced challenges with SLT buy-in on certain tasks.
- 2. Staff cooperation – There was a tendency to feel that I was a nuisance to some colleagues. I slowed down their projects and made them carry out lengthy DPIAs. Trying to get straight answers when it came to data retention, processing purposes and data sharing was challenging to say the least.
- 3. EdTech companies – In my experience very few EdTech companies are prepared for a school to conduct due diligence on them or to insist on a DPA being in place. When I contacted companies I’d regularly get a bland response saying “Please see our privacy notice” or an outright refusal to comply with the due diligence exercise. A lot of time was spent in email exchanges with EdTech companies trying to educate them on the law. It does surprise me that they still don’t get it. Why aren’t they harnessing Data Protection and using this as a selling point for their product?
- 4. Unpredictable workload – Regardless of how much you plan, someone always throws a curveball. DSARs seemed to come in multiples and then throw a data breach in there and you’re quickly over capacity. This had knock-on effects on other projects and work that simply had to wait.
- 5. Lack of network and connections – I found the role to be a very isolated and lonely place. A regular question posed to me when I suggested change was “Is this how other schools do it?”, and the answer was always the same, “I don’t know, but this is how I would do it”. I searched for forums or groups of DPOs in education and failed to find any. There were many occasions when I didn’t want to pay for professional advice, I just wanted to know whether other schools had a particular policy, whether they used a particular EdTech company, or even how they recorded their RoPAs.
Therefore, the first thing that I wanted to do with DPP was to set up a networking group for DPOs and individuals responsible for Data Protection within schools. I wanted to provide a platform where you can speak to other schools, ask questions, pose dilemmas, and most importantly find support and friendly faces. And so we’re launching a free DPO Forum for the education sector. My colleagues at DPP and I will regularly dip in and out with news stories, experiences and advice, but this is predominantly a platform made for you to interact with other schools.
If you would like to join a podcast where we discuss all of the above and more, follow this link and sign up for our event tailored to the education sector on the 9th December 2022: Episode 104: Data Protection In Education
Written by Vicki Lawson – Data Protection Consultant – Data Protection People