Handle personal data?
You are probably aware of the impending arrival of the General Data Protection Regulation, which comes into force on 25th May. If you are part of the team tasked with ensuring compliance in your school, then you will no doubt be aware of the various implications and the steps that you need to take. But if you’re not part of this process, then what exactly does GDPR mean for you and your day-to-day role as a classroom teacher?
It would be easy to assume that GDPR compliance is the responsibility of the school and therefore as a teacher you have a limited role to play. But the new regulations are focused on data protection, and since teachers handle a certain amount of personal data, there are things that they need to be aware of as well as steps that they should be taking.
Key changes for teachers include:
- Introducing new systems: if you want to introduce a new piece of subject-specific software, for example, you will need to inform your school’s Data Protection Officer (DPO) in order to make sure that it is done compliantly.
- Reporting a breach: you must understand what constitutes a data breach and if you suspect one has occurred, report it to your DPO.
When it comes to data protection, a significant number of the breaches identified by the Information Commissioner's Office (ICO) have been due to human error and inadequate policies:
"In one instance, pupil personal data was found at a printer by another student. In another, a text message about a pupil’s behaviour meant for their parents, was sent to all parents in error. In yet other breaches, letters and emails which contain sensitive pupil information have been sent to the wrong parents."¹
Whilst it is the responsibility of the Senior Management Team or the DPO to ensure that data protection policies are both robust and compliant with GDPR requirements, the human error aspect of data breaches is something that we are all responsible for.
So how, as a teacher, can you minimise the possibility of these breaches happening?
Here are five steps that we can all take that should help to minimise the possible risks of data being lost:
1. Be aware of the impact of the UK government’s “10 steps to cybersecurity” when using IT in school
This document contains guidance on how organisations can protect themselves from cyber attacks, but it also has sections looking at how to identify such an attack, how to manage your risks and, crucially from a teacher’s perspective, how to work safely from home.
2. Consider data protection when you’re communicating online
Emails are now a ubiquitous form of online communication, but they are also a common point for data breaches. In order to make emails more secure:
- Always use your school email account for any work-related communications
- If you’re sending a sensitive document via email, consider password-protecting the document
- Make sure that the email address you are sending to is a legitimate one, particularly when replying to an email
- Do not open attachments from unsolicited emails
3. Ensure that your laptops and PCs have adequate protection in place
As teachers, we often work from home, in the evening, at weekends or during school holidays, which can raise issues surrounding the transport of data and its storage.
Research from EE showed that "almost 10 million mobile devices such as smartphones, tablets and laptops containing sensitive business data were lost by employees across Britain in 2013/2014."² Always keep personal and work-related information separate, and keep your antivirus software up to date.
4. When using your own technology (phones, laptops, PCs, etc.) ensure it is password protected and encrypted
Encryption may sound complicated, but it helps to protect data from theft and other unwanted attentions. Full-disk encryption protects everything on your computer with a single password which needs to be entered before the computer can be used. Even if the hard drive is removed, the data on it cannot be accessed without the password. There are various software options available that can help you set up encryption quickly and easily.
5. Do not rely on USB sticks
With so many storage devices, from USB sticks and flash memory to portable hard drives, being lost and stolen each year, a number of organisations have banned staff from using them. If you use a mobile storage device, then make sure that the device itself and the files on it are encrypted. Secure flash drives are available with an encryption feature built into them for this purpose.
Data protection and the use of personal data have been particularly prevalent in the news recently, but by following the steps outlined above you should be able to go a long way to ensuring that your data, and the data of others which you handle, remains safe and secure.
As always, I must stress that the thoughts in this article do not constitute legal advice. I recommend reading this post alongside the ICO guidance or articles from specialists such as the Department for Education.
¹ GDPR Report, “Back to school: why all teachers and staff must be ready for GDPR” (2018)
² Microsoft News Centre UK, “GDPR: The five things teachers should do first” (2017)