As we make greater use of technology in our schools we make greater use of online services. We might make use of an online communication tool to improve on communications with parents. We might make use of Google Apps or Office 365 to allow staff and students to have cloud storage so they can access their files when away from the school or on any device. We might engage with an online maths tutorial site so students can undertake self directed study online and further develop their maths skills. We might make use of a site to manage trips or resource bookings within our school. The number of online services we are using in schools is increasing and therefore we are sharing more and more data with online service vendors.
The above is important to note given the new general data protection regulations are speeding towards us. These new regulations will come into operation in May 2018 and will put a focus on all organisations to prove that they comply. It is therefore important that all organisations including schools get a handle on the data which they have and how it is stored and processed. For schools part of this includes examining where third party services are being used such that the schools data is processed and/or stored by these service providers. We need to be asking what these service providers do to ensure the security of our data.
To aid the above, the need to review third parties, and the increasing use of third party online sites, the government has created their Self Certification process for vendors to self-certify their provision in relation to data protection where they offer cloud software services for schools. You can view this here. The thing that worries me is that as I write this there are only 38 vendors listed which appear to have submitted a self certification. This represents only the very very tip of the iceberg which represents the vast range of services being used by school.
We all need to push vendors to answer questions in relation to the protection of our school data. We need to push them to self-certify and to share what they are doing. We need to ask the difficult questions now before they are asked of us later.
Have you considered the data protection of school data on third party services lately? It is time you did!