The education sector is among the most vulnerable to data breaches across the globe, accounting for 172 publicly disclosed security incidents last year.
Only the public sector was worse affected, according to data from our sister company IT Governance, which reviewed more than 1,000 data breaches.
The education sector faces more challenges than most when it comes to protecting sensitive data. That’s in part because of a lack of resources in many schools, but it’s also due to the vast amounts of personal data that they must process.
Schools typically need information on pupils and parents, including:
- Contact information about pupils, students, staff, volunteers and carers;
- Health records;
- Employee references;
- Safeguarding information;
- Pupil exam results;
- Employees’ HR records; and
- DBS information.
The requirements for processing and handling this information were made more complex following the introduction of the GDPR (General Data Protection Regulation) and, following Brexit, a localised version known as the UK GDPR.
These rules have reshaped the way organisations approach information security. Most people who are responsible for data protection should by now be broadly aware of the GDPR’s compliance requirements, which came into effect more than four years ago.
But what specific problems does the education sector currently face? In this blog, we look at five data protection challenges that must be addressed.
1. Writing a data privacy notice
A data privacy notice is a public document that explains to individuals how the school uses personal information.
This includes data on the types of information being processed, how and why it’s processed, where it came from (if it wasn’t from the data subject) and how long it will be kept.
The data privacy notice should also explain, or link to advice on, individuals’ data subject rights. The GDPR grants individuals eight rights, including the right to be informed that their information is being processed, the right to object to processing and the right to view any information that’s stored on them.
Schools must publish a data privacy notice as part of their GDPR compliance practices, but the requirement is often overlooked because it doesn’t play an active role in preventing data breaches.
Although it’s true that a data privacy notice won’t protect you from security threats, it’s a crucial part of data privacy. This is an equally important concern for schools, because data subjects must be able to trust that you’re using their information responsibly.
The threat of data compromise might make most of the headlines and draw the attention of your compliance practices, but privacy breaches can be just as costly.
You can find information and advice about data breaches in the education sector in our free green paper Cyber Security 101 – A guide for schools.
It contains essential tips on what your school must do to protect its systems, and debunks six common cyber security myths.
2. Identifying information security risks
Schools are often warned of the myriad cyber security threats that they face: network vulnerabilities, software vulnerabilities, ransomware, phishing and so on.
These countless risks might make it seem impossible to know where to begin. Organisations generally shouldn’t implement defences to counter every risk they face, because doing so would be expensive and time-consuming.
Schools in particular will lack the resources to adopt a comprehensive cyber security programme, so they must find a way to operate more efficiently.
The best way to do that is with a DPIA (data protection impact assessment). The assessment helps you gauge the likelihood of data breaches resulting from particular data processing activities and the impact that those incidents might have.
The process must be completed whenever an organisation implements a data processing activity that could present a risk to data subjects.
Schools can use the results of the DPIA to identify ways to minimise risk. This could be as simple as altering the way the data is processed or implementing security controls to mitigate the likelihood or impact of the risk. Alternatively, it could mean that the data processing activity must be stopped.
3. Ransomware
Ransomware was the most common cause of data breaches among schools last year, according to IT Governance’s report, accounting for 41% of all incidents.
Meanwhile, Jisc’s Cyber Impact Report 2022 found that educational institutes in the UK spent £2 million on average responding to ransomware attacks in that time.
This includes, for example, the resources required to address the initial attack and restore their systems. A forensic investigation might also be required, and the organisation must audit its practices to identify ways to bolster its defences.
The threat of ransomware is particularly bad in the education sector, because schools are among the most likely to pay a ransom demand. With pressure to restore systems and ensure that classes go ahead, you can understand why – but cyber security experts urge victims not to negotiate with attackers.
They note that there is no guarantee that the attackers will keep their word and restore the victim’s systems once they have been paid. Even if they do hand over the decryption key, it will take days – if not weeks – to restore systems.
To protect against ransomware, schools would be better off investing in regular backups and implementing a process to ensure those records are regularly updated. Doing so ensures that they can wipe their infected devices in the event of a ransomware attack and restore their systems with clean data.
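As an added illustration of the backup process this section recommends (example code written for this post, not part of the original article or any product it mentions): a small Python check that a school’s backup records are recent and intact before anyone relies on them for recovery. The system names, file names, timestamps and archive contents are constructed sample data, and the manifest format is an assumption; a real backup job would record whatever its own tooling produces.

```python
"""Verify that backups are present, recent and intact before trusting them
for recovery. All inputs below are constructed sample data."""
import hashlib
from datetime import datetime, timedelta, timezone

# Constructed stand-ins for the archive files held in backup storage.
BACKUP_BLOBS = {
    "sims-2024-05-01.tar.gz": b"pupil-records-archive-v1",
    "sims-2024-05-08.tar.gz": b"pupil-records-archive-v2",
    "hr-2024-04-20.tar.gz": b"hr-records-archive-v1",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed manifest: what the backup job recorded when each archive was
# written. The HR entry's hash is deliberately wrong to simulate a copy
# that was corrupted (or altered) after it was taken.
BACKUP_MANIFEST = [
    {"system": "sims", "file": "sims-2024-05-01.tar.gz",
     "taken": "2024-05-01T02:00:00Z",
     "sha256": sha256_hex(BACKUP_BLOBS["sims-2024-05-01.tar.gz"])},
    {"system": "sims", "file": "sims-2024-05-08.tar.gz",
     "taken": "2024-05-08T02:00:00Z",
     "sha256": sha256_hex(BACKUP_BLOBS["sims-2024-05-08.tar.gz"])},
    {"system": "hr", "file": "hr-2024-04-20.tar.gz",
     "taken": "2024-04-20T02:00:00Z",
     "sha256": "0" * 64},
]

# Systems the school expects to see backed up; "finance" has no entries.
EXPECTED_SYSTEMS = {"sims", "hr", "finance"}


def parse_ts(value: str) -> datetime:
    """Parse the manifest's UTC timestamps (assumed ISO-8601 with 'Z')."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_backups(manifest, blobs, expected_systems, now, max_age=timedelta(days=7)):
    """Return {system: [findings]}. An empty list means the system's backups
    are recent enough and every recorded archive hashes as expected."""
    by_system = {}
    for entry in manifest:
        by_system.setdefault(entry["system"], []).append(entry)

    findings = {}
    for system in sorted(expected_systems):
        problems = []
        entries = by_system.get(system, [])
        if not entries:
            findings[system] = ["no backups recorded"]
            continue
        # Freshness: the newest backup must be within the allowed age.
        latest = max(entries, key=lambda e: parse_ts(e["taken"]))
        age = now - parse_ts(latest["taken"])
        if age > max_age:
            problems.append(f"latest backup is {age.days} days old (limit {max_age.days})")
        # Integrity: every archive must still exist and match its recorded hash.
        for entry in entries:
            data = blobs.get(entry["file"])
            if data is None:
                problems.append(f"{entry['file']} missing from storage")
            elif sha256_hex(data) != entry["sha256"]:
                problems.append(f"{entry['file']} hash mismatch (corrupt or tampered)")
        findings[system] = problems
    return findings


def run_sample():
    """Run the check against the constructed data as of a fixed date."""
    now = parse_ts("2024-05-10T09:00:00Z")
    return check_backups(BACKUP_MANIFEST, BACKUP_BLOBS, EXPECTED_SYSTEMS, now)


if __name__ == "__main__":
    for system, problems in run_sample().items():
        print(system, "OK" if not problems else "; ".join(problems))
```

Run on a schedule, a check like this turns “we take backups” into “we know last week’s backup of each system exists and matches what was written”, which is the property that matters when the original data has just been encrypted.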
4. Lawful basis for processing
One of the most misunderstood aspects of the GDPR is its requirement to document a lawful basis for processing personal data. Many schools believe this means having to seek consent when gathering students’ information, but this is not the case.
There are six grounds upon which personal data can be collected, and consent is the least preferable. This is because the GDPR strengthened the rules for obtaining and maintaining consent, so using it as the default option creates major compliance headaches.
For a start, data subjects are permitted to withdraw consent at any time, forcing organisations to remove any personal data that was collected using that lawful basis. This isn’t simply inconvenient; it could create long-term compliance problems.
Consider the amount of personal data that you are required to process to complete basic functions or to meet other legal requirements. Without this information, it would hinder your ability to operate, and could even mean you were breaking the law.
To avoid these problems, schools should use another of the GDPR’s lawful bases wherever possible: processing in the public interest.
This basis applies whenever personal data is “necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller”.
In contrast to consent, public interest is the most resilient basis in the GDPR and can be used whenever a school is:
- Carrying out a specific task in the public interest that’s laid down in law; or
- Exercising official authority (such as a public body’s tasks, functions, duties or powers) that’s laid down in law.
The law that will apply most often to schools is the Education Act 1996, which states that children aged 5–16 in England and Wales must receive a full-time education.
Any activities that are necessary to provide that education are therefore likely to fulfil the requirements of processing in the public interest.
Additionally, Recital 41 of the GDPR states that, although the tasks must be laid down in domestic law, they don’t need to be explicitly stated.
In other words, data processing is permitted as long as the application of the law is clear.
The question schools must ask, therefore, is whether they need to perform a given processing activity to run the school effectively. This may include, for example, processing related to pupil registration and achievement records, or for contacting parents and guardians.
If the public interest basis doesn’t apply, schools should consider legitimate interests, which can be used when:
- The processing isn’t required by law, but there’s a clear benefit to it;
- There is little risk of the processing infringing on data subjects’ privacy; and
- The data subject should reasonably expect their data to be used in that way.
5. Third-party services
There has been a spate of third-party data breaches recently, with a Black Kite report finding a 17% increase in incidents last year.
To combat the risks, schools must ensure that third parties have appropriate security controls in place, and create contracts that put their requirements in writing.
Contracts must stipulate that the third party will act only on your documented instructions, that it won’t hire a sub-processor without your approval, and that it will delete or return personal data at the end of the contract.
Protect your school with GDPR.co.uk
If you’re looking for more advice on how to better protect your organisation’s sensitive data, GDPR.co.uk is here to help.
Our GDPR for Schools platform provides specific, tailored guidance for educational institutes. You’ll discover how to perform essential data protection practices, such as data protection impact assessments, staff awareness training and incident reporting.
Our tool was developed by data protection and cyber security experts with more than 15 years’ data privacy and cyber security experience, and now comes with a free two-week trial.