Data safeguarding is as important as any other safeguarding and more work needs to be done to ensure schools act on that fact, writes Lynne Taylor
If these were Ofsted gradings, a political reckoning would be under way.
The Information Commissioner’s Office (ICO) has audited compliance with the General Data Protection Regulation (GDPR) across over 360 schools and not one has reached an overall ‘excellent’ rating.
The ICO audits assess schools in the key areas of governance and accountability, data sharing, training and awareness, and requests for personal data and portability. Across all of the reports, overall assurance ratings were ‘reasonable’ at best, with many schools receiving a ‘limited’ score.
When GDPR was introduced in 2018, schools were initially praised for working diligently to introduce new practices to safeguard their information and protect their staff and students. The latest audits suggest that many are still struggling to understand what is required of them.
It might not be an all-important Ofsted visit, but the truth is that this should be no less concerning, given the everyday risk of data breaches. The reputational damage could be just as bad as an ‘inadequate’ grading. The risk of further investigation and very substantial fines should hold Schools Week readers’ attention. Some have already been hit with smaller fines for failing to pay the registration fee. It’s not a lot of money, but there isn’t a lot to go around to start with, and it shows a worrying lack of prioritisation.
The evidence already shows that schools are lagging in their data compliance, and inaction will only make that worse as time progresses. Part of the problem seems to be that once media attention died down, data compliance in many schools was palmed off to IT departments or selected individuals, when it should be understood as a school-wide responsibility.
Transparency and accountability don’t begin and end at the top
Nobody is yet suggesting that schools don’t try to keep their students and staff safe, but a lot more can be done. Basic requirements such as paying the ICO data protection registration fee and appointing an independent data protection officer (DPO) are firm foundations of GDPR best practice, but they must result in building a culture of transparency and accountability.
In order to excel in the ICO assurance ratings, schools must have the evidence to prove that they fully understand their information governance and are continuing to improve it. Simply telling the ICO is just not good enough. You must be able to show that each piece of information is correctly organised and stored according to the guidelines, and keeping a detailed log of data protection processes is paramount.
And a culture of transparency and accountability doesn’t begin and end at the top. Trust managers, senior leaders and key staff should be driving privacy and risk assessment at every level. Every process that uses personal data must be GDPR-compliant, which means every person engaging with those processes must be GDPR-compliant too. Data protection impact assessments (DPIA) are essential, and so is staff development.
Around 380 schools in MATs have been inspected to date and have been asked how they carry out a DPIA on systems that contain personal data, including how they would dispose of data and how they would prove this. Each question opens up potential pitfalls, but the aim isn’t to catch schools out – it is to protect the data of the children and families in our care. Which is to say, it is about protecting them.
Available technology can help, but the key message from the audits is evidence. It is no longer good enough to be doing – the ICO requires proof that it is being done. Maintaining proper processes and records will ultimately help schools to become and remain compliant, improve data safety and avoid risks of fines, even achieve ‘excellent’ ratings.
For now though, schools’ data safeguarding ‘requires improvement’. And if the word ‘data’ wasn’t in the previous sentence, how would reading it make you feel?