GDPR is now in effect. As such I thought I would share some thoughts and advice on how schools might tackle some common issues which might arise.
The issue with USB, or other removal storage device, use in schools is that they are easily lost or stolen, plus even when data is deleted it may be possible to recover it. In a time now passed, USBs were a near essential piece of kit in allowing sharing of data, lesson materials, etc, however now we have Office 365 and the G-Suite for education there is no need. Using OneDrive or GoogleDrive users can now easily share files all within the confines of the schools IT systems and control. As such my prevailing advice would be to include reference to avoiding USBs use for personal data in your Acceptable Usage Policy and in awareness or cyber security training. I stop short of preventing USB use simply because some resources are still provided on USBs and they are still so very common. They also continue to be useful for sharing images or video footage or for other large files.
Before discussing personal devices of staff I think we need to be clear on what constitutes using a personal device for school purposes. As far as I am concerned, simply setting up email on your phone constitutes its use for school purposes as it will store your emails and any included school data. Some, at this point, would suggest personal devices should be banned however I think this is a little heavy handed. The benefits of staff having their email on their phone are huge. Banning personal devices also totally removes the potential benefits associated with a BYOD (Bring Your Own Device) environment including the personalisation benefits which arise where the device belongs to the user and therefore is set up by them to meet their needs and preferences. My approach again, like with USBs, is to ensure coverage of personal device use is included in the schools Acceptable Usage Policy plus ensure it is also covered in any training provided to staff. I would also make sure the appropriate policies indicate a need to ensure personal devices have appropriate security such as device encryption plus passcodes, passwords or biometrics enabled. There should also be a requirement for staff to report a lost or stolen personal device where it was setup or used to access school data or systems.
I have discussed photography before; you have read the post here. It continues to be a concern. The issue for me is that we all now carry a camera with us in our smart phones so it is easy for us to capture images for sharing via social media, email, etc. There are lots of benefits in this, particularly the potential to capture impromptu photos which can be used in teaching and learning. Schools need to provide some guidance on what is acceptable around the taking of and using of photographs. This could be contained in the acceptable Use Policy or in a separate Photography policy. Where staff use their own phones for taking photos this should be covered by the use of Personal device in the AUP as mentioned above.
Third Party sites
This is most likely the biggest area of concern as far as I see it. Schools must know where they are sharing data so a process must exist to ensure that any sharing of student data is logged. Schools must also ensure that the sites to which data is shared are secure. Generally this will take the form of a review of the sites privacy or data protection policies to ensure key points in relation to security and sharing of data are covered. Thankfully in most cases the sharing of data will be limited to a pupil’s school email address and name for the purposes of providing them an account to login to a particular service. As such the risk associated with a breach is low and therefore a simple check of the services policies should suffice. Records of these checks should be retained. Where more data is being shared, such as date of birth, age, SEN info, etc, more questions should be asked of a service including if they carry out penetration testing and/or external auditing around their security, what their breach notification policy is, etc.
There a couple of third parties which all schools are likely to have to share with such as examination boards, local authorities or councils, social services, etc. For these I think consideration should be given as to how data is shared making sure student details are not emailed unencrypted to such bodies. Where possible an online portal provided by the body should be used and where this doesn’t exist an encrypted email service such as Egress might be considered. I think schools should also review the data protection policies or privacy notices of these bodies, as they would do for third party websites using in lessons, just to show that they have done some due diligence.
I think a very important activity for a school to undertake is a risk assessment. This should indicate the risks that are perceived and also any mitigation which has been taken, or may be taken in future. Having a risk assessment in place, which is regularly reviewed and updated, can go some way to show that the schools is aware of risks in relation to IT and school data and is actively seeking to minimize risk where it exists. This helps to prove “privacy by design”.
There is now single blueprint for being GDPR compliant. It depends very much on the school and its processes. The key for schools is to able to show that every reasonable measure is being taken and that decisions around risk associated with data processing or sharing are carefully thought through with evidence retained of the decision making process.
GDPR should not be a panic activity to try and get things “right”. GDPR is an ongoing process showing a focus on data privacy and security at the heart of a schools operation. All schools need to show not just how they “have” complied with GDPR but how they will continue to ensure GDPR compliance and treat the data of their students and other stakeholders with the utmost care.