2020 School Predictions: Data Protection & Cyber Security

Technology is transformative. In 2020 schools and universities worldwide are dependent on the IT infrastructure that supports them. As schools embrace mobility, collaboration and cloud services, technology evolves beyond a purely IT consideration to become a critical, board-level discussion. Recent changes to global data protection and associated law have also created the need for school leaders, boards and governors to be held to account in how data and information is handled and processed within their organisation. 

In the spring of 2020 we’ll be launching the highly anticipated 9ine app. Having reviewed 9ine’s own resources in the areas of IT Management, Data Privacy & Protection, Cyber Security and Safeguarding, we’ve reimagined how schools can get access to our expertise in order to efficiently demonstrate the principle of accountability for evidencing compliance with data protection and related law. The new app will help schools solve the complex problems brought about by the rapidly changing pace of technology, including some of the following areas that will become a focus for schools in 2020.

Developing a better understanding of the principle of accountability amongst school leadership teams.

Recent audits conducted by the UK supervisory authority reveal that leadership and school boards are not understanding the principle of accountability. This is supported through our experience of noticing a ‘glass ceiling’ between those responsible for managing data protection and cyber security and those making decisions on the resources to be deployed in managing those risks. We don’t attribute this to ignorance on the side of those holding the purse strings, more so to a misunderstanding in the relationship between legal obligations and the approaches and initiatives that can be taken to identify and then manage data privacy & protection, IT and cyber security risks.

More pressure on schools to manage cyber risk and to have a robust cyber security strategy in place.

It’s difficult to comprehend that in 2020 many schools are still not taking cyber security as seriously as they should. Cyber security is a term that is widely and often used...but often in the wrong context. In our simplified view, effective cyber security is the result of effective IT operational management, development & strategy; the organisation has tools, controls and frameworks to identify and understand its risk from the various cyber related threats, vulnerabilities and actors. The ICO in the UK have taken steps to levy significant fines for organisations that do not take cyber security seriously. In 2019 The National Cyber Security Centre (NCSC) published a document designed for company boards and school governing bodies explaining their responsibilities. The Education Funding Agency references cyber risks back to the Academies Financial Handbook. Many organisations are telling education institutions to take relevant action, yet we are not seeing the requirements taken as seriously as they should be and often the approach is questionable. 

Tune in to a recent #Bett2020 podcast, Episode 11:The unintended consequences of data protection in education, featuring 9ine's MD, Mark Orchison.

Safeguarding issues such as profiling and monitoring will move away from being the responsibility of the IT department in order to meet privacy obligations.

Certain countries have requirements for education organisations to profile the online behaviour of users on the institutes IT systems. This includes, but not limited to, browser history, page content, personal messaging (Facebook messenger) on devices that are owned by or use the organisation’s IT systems. This profiling, often by automated means, creates a significant risk of intrusion to the privacy of those individuals whose personal data is being captured by the organisations filtering and monitoring systems. Without well thought through configuration, access controls and training, the very nature of processing data in this way could be a fundamental breach of data protection and related law. In many instances, we observe schools doing this with limited documentation and controls as to the impact on the privacy of staff, students, parents and visitors using the organisations systems. 

During 2020 this will become a greater problem and is likely to be even more widely reported in national and international press. Furthermore, where profiling and monitoring is in place, we are often seeing that IT team departments are responsible for making decisions about profiling / monitoring and reviewing online activity and reports from the systems that are being used. This is no longer considered best practice; safeguarding and child protection teams need to own these responsibilities.

New data protection laws will be introduced impacting international schools around the world.

Data protection laws are evolving globally. Countries in East Asia are updating or developing their local data privacy and protection laws. In many cases there are similarities with the GDPR. International schools have more complex considerations than domestic state or independent schools due to the amount of information and personal data flowing between schools and institutes across the borders of multiple countries (for example, the transfer of student files, recruitment of staff or the sending / hosting of students for athletic events). In these instances  there is a need to consider the privacy rights of the data subjects to whom the information relates and whether the transfer of data is affected by the law in other countries. A benefit for schools in these situations is 9ine’s DPO Essentials service. Our in-house legal team provides guidance and resources for cross border and multi-country data transfers to those that subscribe. We have scheduled training events in Thailand, Bangkok, Taiwan, Japan and Hong Kong in 2020.

Schools will need to get ready for GDPR’s newest accomplice... the E-Privacy directive.

Schools will need to be prepared for the EU E-Privacy Regulation. The draft of the Regulation has not yet been finalised but it  is intended to complement the GDPR by clarifying requirements in areas such as electronic marketing and tracking technologies (such as cookies). The Regulation is expected to have a wider territorial application than the GDPR and may therefore affect all businesses providing services to individuals in the EU regardless of where the business is based. 

Furthermore, schools within the jurisdiction of the GDPR will need to be actively aware of guidelines produced by the European Data Protection Board (EDPB). This is an independent body, composed of representatives from the national data protection authorities across Europe and the European Data Protection Supervisor, which aims to contribute to the consistent application of data protection rules throughout the European Union. The EDPB regularly produces guidance on key areas within the GDPR, having first offered the public an opportunity to comment on draft guidance during rounds of public consultation. There are currently two consultations closing in early 2020. The first concerns Article 25 and data protection by design and default, the second considers the criteria for the right to be forgotten in search engines. Additional consultations are expected in 2020 regarding guidelines for other data subject rights, children’s data and legitimate interests of data controllers. These are likely to provide additional clarification in these complex areas for schools processing information about data subjects in Europe. 

Towards the end of the year, if not in 2021, the GDPR scaremongering is likely to go into overdrive again with the development of the UK’s GDPR certification framework.  This will involve the Information Commissioner approving certification scheme criteria which accredited organisations can deliver. It is going to be interesting to see how the framework develops - 9ine will certainly be applying to be an accredited-certification body given our expertise within the area of Education.

9ine’s 2020 Vision...

Over the past 10 years 9ine consultants have been helping school IT departments meet seemingly incompatible objectives. Our team has been working in schools on a day to day basis, designing and deploying IT solutions with the emphasis on scalability, flexibility and cost-efficiency.  

9ine’s new platform provides school leaders, boards and governing bodies with real time analysis and benchmark of data protection and IT and cyber security compliance. It enables schools to manage and prioritise their people and resources based on the level of risk facing the organisation. Providing objective analysis, and benchmarking across other schools on the actions your school needs to take to be compliant with the law, it helps to keep track and lower your risk of a data protection breach, cyber security attack or IT outage.

ABOUT THE AUTHOR:

Mark Orchison is Founder and Managing Director of 9ine. He is an experienced management consultant with expertise in data protection, cyber security, technology, project and programme management in education. Mark began his career with Sun Microsystems before moving into management consultancy, where he was the technical consultancy lead for overseeing technology systems for new build schools. Since 2009, Mark has led 9ine in becoming the leading independent K-12 technology and compliance consultancy in the UK. Mark now leads a team of twenty multi-disciplinary and specialist consultants in-house, with a client base expanding across Africa, Middle-East, Russia, India, Asia and the Americas.