The GDPR in schools
If you’ve read our ‘What is GDPR?’ blog, you should know the basics of how the Data Protection Act is changing and what these changes mean in relation to the GDPR (General Data Protection Regulation). If you’ve not read our ‘What is GDPR?’ blog, you can find it here.
To go into a bit more detail, this blog will look at what GDPR means for schools and education, and I’ll recommend some of the easiest ways to secure your network and devices without much cost or disruption.
The GDPR applies to anyone who processes or holds personal or sensitive information. Some schools may think it doesn’t apply to them, when in fact they hold the most sensitive data of all. Student data, grades, health records, parents’ details, social services details and more all count as personal or sensitive data.
You must ensure that you’re securing your data in the right way. This includes any paper or hard copies of data. If you have filing cupboards full of files, you must make sure these don’t get into the wrong hands either. By storing it safely, encrypting documents and protecting your network, you can start to make sure you’re GDPR compliant.
Data protection rules and regulations
There are other rules and regulations you must follow with regard to student data, for example, how long you hold it for. By law, schools must hold a pupil’s data for 7 years, and even longer for pupils who have special educational needs or disabilities. This means schools hold a lot of personal data for a long time. However, holding data for too long can cause problems like:
- An increased risk that the information will go out of date and that outdated information will be used in error – to the detriment of all concerned
- More difficult to ensure that information is accurate
- You must also be willing and able to respond to subject access requests for any personal data you hold. This may be more difficult if you are holding more data than you need [1]
Under the new GDPR, data must not be kept longer than absolutely necessary [2] and you must be extremely transparent with your pupils and their parents. You must tell them what their data is being used for, who has access to it and why you need to hold this data. A good way to let pupils and parents know about this is by updating your privacy notices. On your privacy notices, you can also let pupils and parents know how long you plan on keeping their data for and why.
What if schools don’t comply with the GDPR?
The new regulation comes with new fines and consequences. Under the old DPA (Data Protection Act), non-compliance from schools resulted in fines of £500,000. Under the new GDPR, these fines have increased to up to €20 million or 4% of your global annual revenue, whichever is highest. Also, if you don’t have the right policies and procedures in place around data protection, your Ofsted rating could be affected.
How to prepare for GDPR?
One way to start preparing for GDPR is to establish data protection roles within your school. Appointing a data protection officer (mandatory in some schools) [3], data processors or an information governance committee could help you to implement a successful data protection plan.
You could conduct a data protection audit, reviewing your data and documents for all the personal information you hold. Decide whether it is all needed, how long it has been kept for and where and how it is saved. Completing a data audit yearly could make it a lot easier to stay compliant. You can ask parents to update their details yearly so you know your data is always up to date and that way you know you always have consent to use the data.
Other GDPR regulations
Under the GDPR you must make sure your data is safe and your network is secure. Your data being lost or stolen could result in your school suffering a hefty fine. In order to secure your network, you need to think outside the box, meaning you need to secure everything, not just the devices your staff and students are using.
Things like printers, scanners, mobile phones and any other technical devices you use need to be secured too, as well as your network and internet connection. There are many ways you can do this. We’ve explored some of the simpler solutions below. But first, see how an unsecured printer could cost you millions with HP’s The Wolf.
HP Printers are the world’s most secure printers [4]; they can stop attacks the moment they start. You may think that printers are safe, but if they’re connected to your network, they’re a gateway into it. HP Print Security isn’t just about securing your printer, it’s about helping to secure your entire network.
GDPR recommended products and solutions
WatchGuard Fireboxes come in all sizes and bring high-level security to schools everywhere. Included are features like URL filtering and intrusion prevention, so you can add many more protective layers to your system. They can be used as a stand-alone solution or centrally managed from another campus or building. Along with the advanced service of data loss prevention, WatchGuard Fireboxes are a great, cost-effective way to secure your school’s network.
Cisco Umbrella is another great layer for you to add to your security. In fact, it works as a first line of defence. Cisco Umbrella can detect where attacks are being staged before the first victim is even targeted. This incredible security feature is easy to deploy so you can start protecting your staff and pupils in minutes. With no hardware or software to install or update, securing your network couldn’t be easier.
To help with paper documents and data
Schools tend to have drawers full of paper documents, most of which will contain personal or sensitive data. It might be that you have a lot of older paper files that contain past students’ data that you need to keep for a certain amount of time. You need to make sure you’re securing these files in the best way.
Under the new GDPR regulation, you must make it easy for your data subjects to change and edit their information. Having paper documents makes it harder for you to search through, edit and change details.
As paper files are a lot easier to lose or have stolen, it might be worth making sure you have digital copies. Using an Epson in-house scanner to digitalise your paper documents makes it less likely for them to end up in the wrong hands.
The fast and efficient DS-530 and DS-570W colour duplex document scanners are a great choice for transitioning from paper documents to digital. Epson scanners offer a wide range of media handling options that enable you to rapidly capture, index, store and share your personal and sensitive data files.
The DS-570W is the preferred option for sales teams, healthcare workers and government officials, meaning it’s safe enough for schools. The advanced compact wireless scanner delivers a truly flexible scanning experience so that files and data can be captured securely. With connectivity options through ethernet, Wi-Fi, USB 3.0 and more, you’ll find you can scan to any device however you want to connect. And it’ll be as secure as your network.
Have you thought about your USBs?
If your staff or students use USB sticks to save files, transfer work or data, they could be compromising the data you hold. If they take these USB sticks off premises, they’re increasing the risk of data being lost or stolen, which could lead you to a hefty fine.
The best way to ensure your staff’s and students’ files are safe is with encryption. With Kingston encrypted products, the risk when moving files and data is minimised, ensuring your sensitive data is protected.
To find out more about GDPR, contact our team of IT education specialists on 0870 429 3020.
Things you need to know:
1. Source: ICO
2. Source: ICO, Article 5 of the GDPR: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/principles/
3. Source: Article 37 of the GDPR and the WP29 Guidelines. Read: http://pwc.blogs.com/data_protection/2017/02/data-protection-officer-do-you-need-to-appoint-one.html
4. Source: the ‘most secure printers’ claim applies to HP Enterprise-class devices introduced beginning in 2015 and is based on HP review of 2016 published embedded security features of competitive in-class printers. Only HP offers a combination of security features for integrity checking down to the BIOS with self-healing capabilities. A FutureSmart service pack update may be required to activate security features. For a list of compatible products, visit: http://h20195.www2.hp.com/v2/GetDocument.aspx?docname=4AA6-1177EEW. For more information, visit: www.hp.com/go/printersecurityclaims.