The emerging trend of technology and schools: How to avoid fines
By James McKnight - April 20, 2022
Data Protection has arguably been around for decades in various forms; however, in the last five years a global movement for tougher laws and regulations, coupled with growing public awareness, has pushed Data Protection to the forefront of public concern. It is no surprise that these regulations have impacted schools significantly, especially considering how much information schools hold. Schools use personal data for an extensive number of purposes. The most common types of data include:
Contact information about students, staff, parents, governors
Health/Safeguarding information
Student and alumni exam results
Staff HR information (inclusive of security check information such as the Disclosure and Barring Service (DBS))
Many schools may therefore rely on technology or third parties to assist with the day-to-day running of the school and enable a better quality of service to their students and employees. Simple spreadsheets can hold full records of staff and students, digital access cards may hold financial information, and student access/ID cards may hold data that in the wrong hands could lead to a serious breach of confidentiality and regulation. Data in this form is often overlooked and subsequently exploited. Physical keys no longer keep assets safe when the keys themselves, such as ID cards and access cards, can be used to steal much more valuable financial, medical and identity information.
The simple version of both these articles is that they are two examples of schools receiving fines for not having correct processes in place. Of course, it could be argued that these are isolated instances which the school as a whole may not have picked up on until a complaint was raised to the regulator. It is unclear whether the Greek school followed a risk assessment for implementing Zoom, and the case demonstrates how critical oversight and a robust risk assessment process are to complying with regulations. 9ine, as a global company covering a multitude of regulators and educational institutions, is noticing the trend between unprepared schools and the regulators issuing the fines or sanctions.
Implementing technology is not prohibited, and in some cases it has been proved to significantly benefit a school and its students and staff. What is often missed is an assessment of the potential risks and impacts to its users. In some countries it is a specific requirement of their data protection law to carry out such an assessment. However, it could be argued that globally it is best practice to carry out the same form of assessment. The assessment itself should provide a balanced approach to identify the benefits of the technology along with the potential impacts to the users' rights and freedoms. Impacted users can range from students and staff to parents/carers, governors and alumni. It is important that the school lists all potentially impacted groups of people. This will give the school insight into how to mitigate certain risks and manage others.
It is inevitable that schools have a long list of vendors who support everything from IT infrastructure, emails and food ordering to payment processing and digital plagiarism detection. Let's be clear: this isn't going away anytime soon. If anything, more vendors will arise with an abundance of offerings, because schools just don’t have the resources and knowledge to implement these services themselves.
It is common knowledge that these vendors provide a paid service and that, in order for it to work, there must be a transfer of information regarding the school’s data subjects. The vendor is then responsible for the safeguarding of this information, and it is important for the school to understand and evaluate the potential risks and the mitigations that the vendor has put in place when dealing with the school's data. A third party that processes data necessary for a service on behalf of the school is commonly known as a Data Processor, and the school is known as the Data Controller. In this instance the Data Controller must be aware of how the processor processes data and the safeguards that the processor has put in place. One common issue is that the vendor does not store the data in the same country as the school and instead transfers the data to another country. Fundamentally this is the equivalent of letting a coworker borrow a pencil or pen. It is your pen but you are allowing a third party to use it. This is very common; however, in order to comply with the EU General Data Protection Regulation (GDPR), the school must ensure that the vendor has sufficient safeguards in place to satisfy the school, for example that the country is an EU member state or that the company has additional safeguards in place such as encryption or enhanced cyber security.
It is often the case that new technology and vendors are implemented within schools without consideration of Data Protection regulations. The emerging trend is that Data Protection regulators are targeting schools due to a severe lack of compliance. This is where 9ine can assist you. Our bespoke Risk & Privacy management app has been developed to assist the education sector in managing complex risk and vendor assessments with dedicated support from our team of global privacy experts. Contact an expert below to discuss how 9ine can help minimise the risk of a fine and assist you in becoming compliant with Data Protection regulations.