From exam papers, reports and classroom photos to financial details, national insurance numbers and safeguarding assessments, schools hold a vast amount of student data. So how should they successfully protect such information? Don Robins, BSIA Information Destruction Section Chairman, shares some advice.
Having worked in confidential shredding and data destruction for over 25 years and having also been involved with the British Security Industry Association (BSIA) for 18 of these, I understand how important it is to look after data, both on an individual level and as a business or organisation.
Security breaches, fraud and identity theft do not discriminate and can affect anyone, so it is vital to put the right precautions in place to prevent them, and nowhere is this more relevant than in the education sector.
As a parent of four, I understand that, for parents, the safety of your children is your number one priority. When they go to school, or on to higher education, you put your faith in those institutions to protect your children and keep them safe.
For schools, colleges and universities, this is an enormous responsibility, but one that is absolutely paramount. Yet, this is a difficult task. Over the last few decades, we’ve entered a new digital age, with constant technological developments and, with that, we have a whole online world to explore, as well as endless gadgets to play with and work on. But, by doing so, we’re also creating more routes and opportunities for our data to be compromised – and our children’s too.
This is something ICO’s UK Information Commissioner, Elizabeth Denham CBE, talked about only last week, when she announced a new code of practice for online services to help create a safer digital space for children to “learn, explore and play”. She said it’s not about “seeking to protect children from the digital world, but by protecting them within it”.
Data in schools
As one of the main places children and young people spend their days, educational institutions are right at the centre of this. They hold a plethora of confidential information on students, from exam papers, reports and classroom photos to financial details, national insurance numbers and safeguarding assessments. And the same goes for staff and parents’ details. So, in this age, how do educational institutions successfully protect the information they have on themselves, their staff, parents and students?
To reduce risks and keep data as secure as possible, schools, colleges and universities must have appropriate security measures in place. Not doing so will make this data extremely vulnerable, increasing the likelihood of security breaches, hefty fines and potential harm. So, these institutions should install a firewall and virus checker on all computers and password protect all data, where possible. They should encrypt all electronic personal information and disable any auto-complete settings. They should also keep devices and hardcopy data under lock and key when not in use, check storage systems are secure, limit access to data, and shred all confidential documents and destroy electronic data carriers.
Within the education sector, everyone who deals with personal data, even students, has a responsibility to handle that data carefully and prevent it from getting into the wrong hands. But, by law, schools, colleges and universities must also have a designated Data Protection Officer (DPO), who is educated on data protection and responsible for establishing and upholding systems and policies related to this.
Holding and updating data
While an educational institution holds data about a person, for as long as it’s being used, it needs to remain accurate. To ensure this is the case, schools, colleges and universities should carry out information audits at least annually. This includes writing a letter to children’s parents or college/university students at the start of each academic year to check their details are correct and amending information as soon as it needs updating.
Schools should also follow a records disposal schedule, hold data accordingly, and securely destroy any personal data that is out of date or no longer needed.
It is a violation of data protection legislation to keep data for longer than it is needed. Because of this, all businesses and organisations need to think about, and be able to justify, how long they keep personal data. Once no longer needed, this data must be securely destroyed. Failure to do so can result in warnings, financial penalties and reputational damage.
For schools, colleges and universities, as with all businesses and organisations, it is essential to find an accredited data destruction company to destroy confidential information once it’s no longer needed or out of date. A company with the right accreditations will provide a secure, compliant service and a Certificate of Destruction upon completion. By choosing wisely, educational institutions will remain compliant with the law and avoid hefty fines. They will also protect themselves, staff, parents and students against identity theft, fraud and any other potential harm.
An accredited data destruction company will also provide secure storage options for confidential waste, as well as solutions for a variety of different materials.
Members of the BSIA Information Destruction Section should operate to specific standards: they should comply with EN 15713 (secure destruction of confidential material – code of practice), be ISO 9001 accredited, and ensure that individuals who come into contact with confidential information are screened to BS 7858.
Recycling of WEEE (Waste Electrical and Electronic Equipment) is a specialist part of the waste and recycling industry and addresses environmental and social problems that have resulted from sending products to landfill.
It is a rapidly growing sub-sector, due largely to the implementation of the original WEEE Directive in the UK by the WEEE Regulations 2006, which was followed by associated requirements for the recovery, reuse, recycling and treatment of WEEE. The Waste Electrical and Electronic Equipment (WEEE) Regulations 2013 became law in the UK on 1 January 2014 and replaced the 2006 Regulations.
The Health and Safety Executive (HSE) estimates that 2 million tonnes of WEEE items are discarded every year by householders and companies in the UK. This includes most products that have a plug or need a battery. Ten broad categories of WEEE are currently outlined within the Regulations, but a main one concerning data handling is IT and telecommunications equipment – e.g. personal computers, copying equipment, telephones and pocket calculators.
Educational institutions should choose information destruction companies which can provide safe, secure and environmentally friendly recycling to their clients and provide evidence of being able to do so. The dangers of not using a qualified company may include failing to delete data properly, resulting in enormous fines for breaching GDPR.