
Category: News

Data Protection for Designated Safeguarding Leads

The DfE’s Keeping Children Safe in Education statutory guidance states that Designated Safeguarding Leads (DSLs) are required to ‘act as a source of support, advice and expertise for all staff’*

Annex C of the KCSIE outlines that one of the roles of DSLs is to ‘understand relevant data protection legislation and regulations, especially the Data Protection Act 2018 and the UK General Data Protection Regulation’*

Added to that, the concluding report and recommendations of the Independent Inquiry into Child Sexual Abuse suggest significant changes need to be made in the way school staff report concerns.

It has never been more important to ensure your DSLs are equipped to navigate this area of data protection and UK GDPR.

We have devised a training session to bolster and embed DSL knowledge in this area which will enable them to confidently instruct and advise the remainder of the school staff.

Delivered by our Education Data Hub Team Manager, Clare Wilson, this session is aimed at DSLs and Deputy DSLs and will explore:

  • KCSIE 2024
  • the IICSA Recommendations
  • Information Sharing Advice for Practitioners May 2024
  • ICO 10 Steps to Information Sharing to Safeguard Children
  • DfE Dealing with Subject Access Requests Apr 2024
  • and the latest case law

to provide you with a thorough understanding of:

  • Recording concerns
  • Retaining records
  • Transferring records
  • Securing records
  • Sharing information
  • Responding to requests for records

We have an upcoming session that individuals can book onto HERE.

Please contact us at [email protected] to enquire about bespoke sessions for MATs.


*information taken from KCSIE May 2024 pending publication Sept 2024

Why Schools Shouldn’t Share Security Information Online

In an age where transparency is highly valued, it is understandable that schools want to keep parents, students, and staff well-informed about what’s going on. However, when it comes to security, it’s best to keep things under wraps.

Here are just a few reasons why schools shouldn’t post their Critical Incident Plans or IT Disaster Recovery Plans on their websites:

1. You don’t have to!

There is government guidance available to all schools that sets out exactly what must or should be published on a school website. It is regularly updated, and you can find it using the links below:

What maintained schools must or should publish online

What academies and further education colleges must or should publish online

2. Keep Your Plans Secret – Increase Your Cyber Resilience

Imagine if someone who wanted to cause trouble knew exactly how the school handles emergencies or IT Disasters. When security plans are posted online, it’s like giving potential attackers a blueprint of the school’s defences. Perpetrators could find weak spots and take advantage of them or target individuals to gain access to school systems. By not sharing this information online, schools reduce that risk and immediately increase cyber resilience.

3. Protecting Personal Information

School security plans often include information about the people who keep the school safe. This might encompass names, roles, access levels, and even personal contact details. If these details are shared online, not only could this be a potential breach of UK GDPR, but those individuals could be at risk of being targeted, perhaps by phishing.

4. Insurance Policies

If you left a note on your car that let someone know where the keys were, would you expect your insurance company to pay out if it was stolen?  Publishing detailed school security and recovery plans on your school website may void insurance policies so please check the small print. To be on the safe side – don’t publish them!

Transparency is crucial in many aspects of school administration, but security information should be handled with the utmost discretion so that schools can better protect their students, staff, and wider school community from potential threats.


We support schools and MATs all over the UK. CONTACT US today to find out how Education Data Hub could support you.




How to Deal with Freedom of Information Requests in Schools.

What is a Freedom of Information Request?

A Freedom of Information (FOI) Request is a request made by any member of the public for information held by public authorities or publicly owned companies. Schools therefore fall under the Freedom of Information Act 2000.

  1. Under the Act, public authorities are obliged to publish certain information about their activities in a publication scheme. Every organisation is required to have a publication scheme which sets out what information the public authority holds and, if that information is public, where it can be found.
  2. Under the Act public authorities must provide information to anyone making a written request.

This Act does not give people access to their own personal data.

Who can make a Freedom of Information Request?

Anyone can make a valid freedom of information request – they do not have to be UK citizens, or resident in the UK.

Freedom of information requests can also be made by organisations, for example a newspaper, a campaign group, or a company.

If you are concerned about the validity of a request see the ICO guidance (What makes a valid request? | ICO) and talk to your DPO. However, it is likely that any request in writing will be valid.

Do we have to respond to every Freedom of Information Request?

Yes, under the Act you must release the information unless there is good reason not to.

There are two scenarios where you may not have to answer an FOI: if you have a right to refuse the request, or if an exemption applies.

Your Data Protection Officer will help you decide if either of these options applies.

What if I don’t know the answer?

You only have to disclose information you hold in a reportable format; you do not need to create information merely to respond to the request. If you do not hold recorded information, you do not have to respond to that question.

When do we have to respond by?

Under the FOI Act 2000, you must respond to requests for information within 20 working days, counting the first working day after the request is received as the first day. The time allowed for complying with a request starts when your organisation receives it, not when it reaches the relevant member of staff.

Section 1 (3) of the Act states that if you require clarification from the requester the time does not start until you receive the extra information you required to complete the request.

How do we respond to a Freedom of Information Request?

Here at Education Data Hub, we provide schools with a ‘How to Guide’ for dealing with FOIs.

Following this guide, the first step is to log the request. It is good practice to keep a log of all requests you have received, the relevant dates and your response, to produce an audit trail for your school.

Once the school have logged the FOI request, they will receive correspondence from us, as their data protection officer, with advice on how to deal with the request. This will contain a template acknowledgement letter and a response template for your answer.


If you require any assistance with dealing with Freedom of Information Requests, or any other Information Requests, please get in touch at [email protected]


Updates to DfE Cyber Security Standards May 2024

Updates to the DfE Cyber Security Standards for schools and colleges were published today (20th May 2024) and our EDH Cyber Team are proud to have been involved and referenced in them as a source of help for schools aiming to improve their cyber resilience.

Given the increasing reliance on technology in education, the importance of cyber security in schools cannot be overstated. It is essential for numerous reasons, from protecting sensitive information, to supporting business continuity, to maintaining trust in your digital systems.

The updated cyber security standards address tasks that should be completed by both the senior leadership team in a school and IT support. It is recognised that cyber security is not something that IT teams can carry out alone – it is a shared responsibility between multiple roles and teams. They contain the same key information that the previous cyber security standards held, but the format of this has changed to make them more accessible to staff without cyber expertise.

A human layer of cyber security is integral to school cyber defences. Fostering a culture of awareness, education and vigilance significantly reduces the risk of cyber threats and can improve both cyber security posture and compliance with data protection obligations.

To find out how we can help you improve your school cyber resilience, have a look at the services we offer or email us at [email protected]

Data Protection Day 2024

5 things your school can do TODAY to improve data protection compliance.

The Data Protection for Schools team within The Education Data Hub offer a suite of services designed to support schools in complying with their obligations under UK General Data Protection Regulation (GDPR) and the Data Protection Act 2018.

Our services are delivered by experienced and specially trained information governance specialists, recruited specifically for their experience in data protection and their understanding of the education sector.

We’d like to use this Data Protection Day as an opportunity to remind schools of the importance of keeping up their data protection compliance journey.

School life is extremely fast-paced, busy and pressured. Sometimes schools do not have the time or staff to complete everything that needs to be done; however, all schools have important data protection obligations.

A school’s data protection compliance journey has got to start somewhere, and these are the first 5 things you can do:

1. Check your ICO registration is up to date and includes the correct contact details.

All organisations that process personal information are required to pay a data protection fee to the Information Commissioner’s Office. This fee must be renewed annually.

You can find out more information about checking, editing and renewing your ICO registration by clicking here.

2. Contact your Data Protection Officer.

Schools have a statutory obligation to have a data protection officer (DPO). Please make sure your school has a DPO and you know how to get in touch with them.

The role of the DPO is to assist the school in monitoring their compliance by informing and advising you on your data protection obligations. Whether your DPO is internal or external, make sure you are giving them the information they need to be able to support you.

3. Check your training records.

The ICO requires organisations to have an all-staff data protection and information governance training programme and to keep records of staff completing this training.

You should keep records of who has had training and make sure you follow up with any staff members who have not completed training recently. Staff who have additional data protection obligations within the school will require an enhanced level of data protection training.

If you find yourself in the unfortunate position of having to report a data breach to the ICO, you will be asked to confirm whether staff have had data protection training within the last 2 years.

4. Change your passwords and encourage your staff members to do the same.

Schools are storing more and more information online, on a variety of platforms such as management information systems, communication applications and behaviour logs. It is important to make sure staff have different passwords for different services and use secure password methods such as the National Cyber Security Centre’s three random words approach.

The ICO do not recommend changing passwords regularly. As a general rule, they recommend you get users to create a strong initial password and then only change them if there are pressing reasons, such as breach of your systems resulting in passwords being compromised.

Why not use Data Protection Day as an opportunity to remind staff that they should be creating strong passwords to help ensure data is adequately protected?

5. Check your privacy notice

Providing accessible information to individuals about the use of their personal data is a key element of their legal right to transparency as per the UK GDPR. Have a look on your website for your privacy notice and check when it was last reviewed.

Has your school changed the way it processes data since that review date? For example, has the school signed up to new EdTech providers, or started using Cloud storage? If yes, you will need to put time aside to update your privacy notice, to clearly explain how you process personal data.


If you require any assistance or advice on the above, or any other data protection needs, please don’t hesitate to get in touch with us at [email protected].

Email related data breaches in schools: why realising the mistake after pressing send is so common

How many times have you sent an email to someone referring to an attached document, pressed send and seconds later realised you forgot to attach the document itself? It’s a painful and common occurrence.

In schools, like all other industry sectors, emails have become a non-negotiable business tool, critical to efficient functioning of business.  It is second nature to use the convenience of email messaging to communicate with all key stakeholders and providers of services to the school, particularly parents and carers, local authorities and external support services.  However, the ease and speed of these tools also contributes not only to many emails being sent without attachments but also some of the most significant causes of personal data breaches. The last ICO Annual Report reflects our clients’ experiences; of the 9,500 data breaches reported to the Information Commissioner in 2021/22, a massive 16.87% were due to data being emailed to the incorrect recipient.

Email data breaches that are reported to us as Data Protection Officer typically stem from human error and consist of:

  • emails sent to the wrong person
  • multiple recipients included in the ‘to’ or ‘cc’ box instead of ‘bcc’
  • incorrect documents attached with sensitive information relating to another individual.

Many of those that report email-related data breaches tell us that the second after they had pressed the ‘send’ button they had realised their mistake! This can cause distress and anxiety not just for the affected data subjects, but also the staff member responsible for the error.

Considering how to prevent a re-occurrence is a really important part of responding to data breaches and near-misses. However, saying “try harder not to make a mistake” isn’t particularly constructive or effective. So, what advice and action can really make a difference when it comes to email-related data breaches in schools?

Thinking fast vs thinking slow

Psychologists such as Daniel Kahneman and neuroscientists such as David Badre explain the complexity of our brains and how we operate in two thinking modes: one ‘fast’ and one ‘slow’. When our brain thinks fast it is automatic, often reacting to a situation or deadline. This is crucial for our cognitive function, helping to keep us safe and to preserve our energy for tasks where more cognitive control is needed. If you’ve ever driven to a destination and wondered how you got there, your thinking fast brain was in charge during the journey!

We also use this thinking fast ability in work, for example, when we send an email quickly. When there are dozens of emails to work through each hour, with many tasks that seem routine, it is understandable to feel pressure to work quickly. During this time, our thinking slow part of the brain is inactive. It is this part of the brain that wakes up the second that email has been sent, and tells us we have forgotten that attachment, or sent the email using CC not BCC.

So, we need to take a minute to let our slower thought process take over and allow time to think in a more considered way. Even the knowledge that you need to check in with the ‘thinking slow’ part of your brain before hitting the send button can prevent a data breach. Setting a ‘delay send’ feature on your outbound emails can really help; here’s how to do it in Office 365 and Google. The option of recalling an email can also be used with some systems. However, it is not a reliable tool to remove email from the recipient’s inbox: once an email has left your own outbox there are limits to how it can be managed. There are commercial vendors offering email management systems, which either add extensions to existing email systems or offer complete email management systems using algorithms which can help to flag and stop potential errors. For larger organisations, these can be a cost-effective way to reduce risk.

Stop – Think – Check

There are some additional simple measures that can be put in place to prevent a significant proportion of data breaches:

  • Sending an email to the wrong recipient – this frequently happens if there are multiple people in your address book with the same or similar name, or when autofill predicts who you want to email.

Action:  Double check the recipient’s full email address is correct before sending, including the exact spelling of their name. Turn off and don’t rely on autofill if it is enabled.  Here’s how to do that in Office 365 and Google.

  • Sending to multiple recipients as ‘cc’ not ‘bcc’ – sending a message as a ‘carbon copy’ rather than ‘blind copy’ is a common but potentially serious mistake, resulting in the personal email addresses of multiple recipients being exposed.

Action:  Where possible, use the school’s communication platform (e.g. ParentPay, Weduc, ClassCharts etc) to send messages rather than messaging through a school email account.  If you are unable to use the school communication platform, ensure you double check ‘bcc’ is selected when it is not appropriate to share recipients’ email addresses with other recipients.

  • Attaching documents – often sensitive documents are attached to an email in error, and a serious data breach can occur if the wrong person receives sensitive data as a result.

Action:  Include extra security measures by adding a password to the document – remember to send the password separately (via a different means if possible).  Consider sharing documents using tools such as SharePoint or Google Drive instead of attaching them, as extra security controls can be put in place, e.g. specifying the amount of time the recipient can view the document or removing access if a document is shared in error.

Reminders: other areas of good practice for email communications:

  • Post box – inbox: Avoid using your inbox as a filing cabinet – treat it as a post box for information. Delete messages as per school policy or save in an appropriate digital system if retention is needed.
  • Stop the email chain: Avoid ‘reply all’ if this is not needed and do not forward email chains unless you’ve checked the whole chain and it is necessary to share it.
  • Email etiquette: Always be professional when communicating with colleagues, parents/carers and other stakeholders – you are a representative of your school. Remember, school emails are not private and can be requested as part of a Subject Access or Freedom of Information request.   Never use personal emails to communicate school related matters.
  • Email security: Ensure access cannot be gained to your account – be aware of your own email security, use strong passwords and multi-factor authentication and be aware of phishing emails inviting you to click on links. Email security breaches remain a high threat to all industry sectors.

Finally, we are all human: mistakes do happen, and when they do, your DPO should be there to help mitigate and learn from data breaches.  It is the steps taken to reduce the risk, and actions to prevent reoccurrences in the future, that show you take the security of the data you hold seriously.  Continue to reinforce a positive culture of data protection compliance in your school – reporting your data breaches and near misses to your DPO is an important part of that culture.

Author: Jacqui Wheatcroft.

From Vision to Strategy to Daily Good Practice

How can growing MATs develop a high-profile culture of privacy, efficiency and trust?

The Schools Bill may be gone, but the government has indicated that it is wedded to its principles. And although that means we no longer have academisation as a statutory target, the juggernaut is unlikely to be halted in its tracks.

However, the DfE itself has called existing academy rules “complex,” “inconsistent” and “ineffective”. Coupled with the revolt sparked last year by the widening of the handbook beyond finances, this leaves Multi Academy Trusts in a no man’s land when it comes to this area of compliance.  The bottom line is that there is no constitutional framework that addresses privacy and data protection.  Therefore, as any good teacher will tell you, if you leave a void where behaviour expectations should be – the behaviour that fills that void is unlikely to be the behaviour that you hoped for.

So how do MATs develop and prioritise that high profile culture of privacy, efficiency and trust, beyond mere compliance without a framework?   The answer is obviously – work with us at Education Data Hub!   We are very much aware that ‘one size’ fits no-one, so we work with Trusts in an entirely bespoke way. 

There are many reasons this matters from a regulatory perspective, audit, reputation, publicity etc; but we think the most important reasons are respect, trust, transparency, well-being, time, and pride. 

Understanding and documenting where all the elements of compliance sit; from HR to Safeguarding, from records management to IT acceptable use, from CCTV to DPIAs, from curriculum to business management, from recruitment to parent communications, from policies to privacy notices, from ROPAs to cyber security; we work with Trusts to understand and reflect on their own position so an effective gap analysis can be devised to assess new schools coming on board. 

This proactive work makes your reactive work with us so much easier. If the basics above are in place, responding to data breaches, cyber incidents, SARs and FOIs becomes much more straightforward and less draining. All of our staff have a background in education, so we know first-hand and inside out the pressures faced by your staff and the impact they can have – be assured you will always get not only an expert but also an empathic and supportive hand to hold.   Please contact us at [email protected] to find out how we can help you.

Further reading: although based on US research and commercial enterprises, this study shows the impact and return on investment a good privacy programme will have: From Privacy to Trust and ROI – Cisco Blogs

Education Data Hub work with Education Providers across the UK.  Our team members are all former school staff who understand the pressures of a school environment, meaning our support is mindful of the school day/calendar.


Data Privacy Day – a School’s Reflections 

This year, for Data Privacy Day, we’ve been reflecting on the journey that our school clients have taken to improve their data protection compliance. We interviewed one of our clients for their reflections on the changes they’ve made to their data protection practice since working with our service.

Q1) Does data protection matter to you? If so, what is it that makes you think this?
Yes, Data protection absolutely does matter. There are guidelines and legalities that apply to all of us, rightly so, and it is our duty to follow, protect and respond to these. Annual training, GDPR updates and getting into good ‘habits’ reminds me on a daily basis why these matter. Data protection can sometimes seem a minefield, however, it is an area where I feel brilliantly supported by the GDPR team so that makes it feel less frightening and more rewarding.

Q2) How do you keep data protection ‘alive’ in your school?
Annual training as well as regular mentions in staff meetings, staff emails and additional training. It is part of the ‘ethos’ of the school. Staff are aware of data breaches and always bring them to me. These are then mentioned in staff meetings as ‘reminders’ to be vigilant.

Q3) Do you feel you have a positive data protection culture where staff are confident and engaged?
I feel like we have a positive culture in school. I make it very clear that as Headteacher I have over-arching responsibility for much of data protection. As a school we encourage an open and positive culture and communicate well together. Staff are aware that they can speak out on breaches without feeling like they are ‘telling’ on each other. I will always mention if I make any data breaches so that staff know that we are ‘in it together’.

Q4) What is it like working with an external Data Protection Officer? What is it like working with the Education Data Hub Team?
I cannot speak highly enough of the support we get from our Data Protection Officer and Education Data Hub team. Responses to queries are always timely and detailed and a phone call is made if something needs to be spoken about in more detail. Information is always clear and concise.

Q5) What is the most important data protection lesson you have learned in recent years? What do you do differently as a result?
We think much more about how we present names / information regarding children, particularly as we have an increasing number of vulnerable children in school. School reports are always collected rather than handed out, displays are not named, and we double check permissions for naming children outside of school with parents etc.

Q6) What would your advice be to other schools regarding data protection?
Don’t go it alone. Develop a positive culture in school around data protection – encourage staff to be curious but don’t frighten them. Encourage open and honest lines of communication.
Above all, if in doubt – ask! Use the highly skilled individuals in the team and your data protection officer to ask for help – I do it all the time! We can’t expect to be experts ourselves so ask the experts instead!

Many thanks to Catherine Robinson at Stonelow Junior School for taking part in this interview.

To find out more about how our Data Protection Service can help your school, please email us on [email protected]

Top Tips for Schools


Data Privacy Day is celebrated on 28th January every year, so to join in with the celebrations, we asked our schools for their top tips about the importance of Data Protection in schools:

“Don’t go it alone. Develop a positive culture in school around data protection – encourage staff to be curious, but don’t frighten them. Encourage open and honest lines of communication. Above all, if in doubt ask! Use the highly skilled individuals in the EDH team to ask for help – I do it all the time! We can’t expect to be experts ourselves so ask the experts instead!”  Catherine Robinson, Stonelow Junior School.

“It MUST be taken seriously. Look at your emails – having a lax attitude about how we receive, respond to and store communication is one of the ways that we could sleepwalk into loads of bother. And stop saving passwords!!”  Rebecca Fenby, Hady Primary School.

“The small things matter. Keeping data secure and now only writing what is essential makes a huge difference to the possibility of a data breach and therefore of keeping ourselves and our data protected.”  Sarah Bentley, Etwall Primary School.

“Passwords are king. Approach any data with ‘fresh eyes’ and treat all data you handle as if it is your own data.”  Tim Cocking, Eckington Camms Primary School.

“The most important lesson for me is around pupil data and safety. Having started my teaching career over 20 years ago, there were many practices I followed because I knew they worked or that was how it was always done! Looking at how easy it was for someone to gain information about a pupil from a book cover or a school tracker made me rethink how information should be presented and shared in school.”  Prince Regent Street Trust.

To find out more about how our Data Protection Service can help your school, please email us on [email protected]