The recent cyber-attack on the Online Single Central Record (Online SCR) supplier Intradev has sent shockwaves through the education sector, affecting many schools and thousands of school staff.
While this incident is deeply concerning, it can serve as a learning opportunity for schools in their relationship with edtech vendors.
Ultimately, it highlights the trade-off in risks that often occurs when procuring technology services and the need for robust, proactive risk management.
Outsourcing’s hidden trade-off
Using the services of an external company to manage processes such as your single central record (SCR) and recruitment checks is perfectly valid.
Many edtech vendors provide high-quality platforms that reduce workload as well as risk by efficiently identifying gaps and errors in the record.
However, reducing risks in one area doesn’t eradicate risk altogether. In fact, transferring sensitive data to an external supplier creates a new one.
Many schools we speak to acknowledge they haven’t considered this trade-off, and this is the crux of the problem.
In the case of the Online SCR incident, it was the platform’s own software supplier Intradev that was hit by the cyber-attack. Hackers were then able to access the names, addresses and phone, national insurance and passport numbers of school staff.
This illustrates the complexity of modern data-sharing arrangements and the critical importance of understanding exactly what data flows where.
Therefore, risk management should be front and centre of any technology procurement exercise, never just an afterthought.
Data protection issues aren’t going away
With the Department for Education encouraging schools to embrace AI tools, and Browne Jacobson’s School Leaders Survey last autumn showing that half of schools are using AI tools in the classroom, the volume of data being shared with external vendors is only going to increase.
As a result, so is risk.
The consequences of data being compromised are far-reaching. The Information Commissioner’s Office last year reprimanded an Essex school for failing to protect data when installing facial recognition technology, while some staff have been asking for schools to compensate them following the Online SCR cyber-attack.
Strategic risk management
The first time that trustees or governors become aware of risk shouldn’t be when they are asked to deal with a data breach. Maturely accepting and managing vendor risk means:
Involving Data Protection Officers (DPOs) from the outset
Schools should always assess data risks and conduct vendor due diligence before entering into contracts. Your DPO should be involved from the very beginning of any tech procurement exercise to help bring a focus to data protection risks.
Conducting thorough Data Protection Impact Assessments (DPIAs)
When talking to vendors, read their terms and conditions, and privacy notices. A DPIA isn’t just a box-ticking exercise; it’s your opportunity to understand and mitigate risks before they materialise.
Getting proper legal advice
When entering into high-risk processing activities where significant amounts of personal data, or sensitive personal data, might be shared, seek independent legal advice to review or draw up contracts that ensure any risks are effectively mitigated.
Transparent governance
Schools might decide after reading the contract that there is still risk. However, they can then ensure their governors or trustees are making a fully informed decision on whether to proceed.
The Online SCR incident should be a wake-up call for the entire education sector.
The worst thing schools can do is fail to acknowledge the risk of outsourcing tasks to edtech vendors. Instead, they must start viewing edtech procurement through a risk management lens, understanding that every technological solution promising to solve one problem may well create others.
The key is not to avoid all risk. That would be impossible and counterproductive. Instead, it is to understand, assess and consciously manage it.
The future of education technology is bright, but only if we approach it with our eyes wide open to both its benefits and its risks. The time for naive optimism is over; the era of informed, strategic decision-making must begin now.