There was justifiable apprehension leading up to 25th May 2018, when the EU General Data Protection Regulation (EU GDPR) came into effect, with a flurry of activity as schools and organisations worked diligently to ensure the correct policies and procedures were in place.
Three years on, many of the existing challenges to protect data remain. Almost 50% of data protection incidents occur through email communication, which presents a multitude of opportunities for misuse and the inappropriate sharing of data when not managed correctly. However, school leaders are also experiencing a number of new and exceptional challenges.
Leaving the EU
With Brexit on the horizon, many people questioned the future of GDPR in the UK, as this was an EU law. Post-Brexit, we now have the UK GDPR, which, combined with the UK Data Protection Act 2018, can be referred to as UK data protection legislation.
UK GDPR is essentially the same as EU GDPR, but as time progresses, changes between the two may arise. For schools, this creates the need to check when contracts, data sharing agreements or privacy notices were written to ensure the current data legislation is quoted. Additionally, schools that recruit students from the EU or those that appoint staff who are EU residents may have to make major changes to the way they process personal data.
With regard to asking employees if they have had the COVID-19 vaccination, and the collection of this data, employers must remember that this information is sensitive personal health data and that they must comply with data protection rules.
As well as data protection legislation, the Equality and Diversity Act must be considered when asking such questions. Unless schools have a policy of recording other vaccinations, they cannot act differently with regard to the COVID-19 vaccination.
As cyber criminals targeted the remote learning environment, 58% of UK secondary schools identified breaches in 2020, with many others thought to have gone unidentified. This continues, as ransomware attacks lead to the loss of student homework, school financial records and data stored regarding COVID-19 testing. With remote and online learning now an integral part of our lives, data protection is the first line of defence for safeguarding pupils and school staff.
Educating pupils and school staff on the potential risks and correct data protection principles can be one of the stronger tools we have in keeping data secure, both in and out of the classroom.
With awareness, schools can work to avoid the input of incorrect information and the misuse of systems, ensuring the use of password protection or encryption where needed and avoiding breaches caused by password sharing or the use of generic passwords. It’s important to encourage staff and pupils to be aware of personal requirements to protect data: bank details, passwords, licences and passports, often stored in a bag, mobile, laptop, tablet or notebook.
With GDPR constantly evolving, it’s vital for schools to have the right tools and support in place. Cantium are supporting schools, Data Protection Officers (DPOs) and Data Protection Leads (DPLs) in monitoring and managing their data protection compliance through GDPRiS. Used by nearly 3000 schools, this simple, intuitive cloud-based platform is designed to support schools, academies and trusts in working towards GDPR compliance, reflecting the existing processes in schools whilst proactively prompting them to meet and exceed GDPR.
With the depth of knowledge required from a DPO in areas such as data security operations, breach management and the legal aspects of data handling, it’s not surprising that many schools may find the DPO responsibilities a challenge to deliver.
Cantium’s external DPO service, DPOaaS, provides schools with a dedicated, experienced DPO who can provide expert practical advice and guidance to help them address today’s compliance demands while they stay focused on core business activities.
Get in touch with a member of Cantium’s team to arrange a free demo of GDPRiS.
03000 411 115