Michael Evans looks at the importance of keeping personal data about pupils and staff secure and the duty of a school under the Data Protection Act 1998.
What is required by the Data Protection Act 1998?
The Data Protection Act 1998 came into force at the beginning of March 2000 and brought the UK into line with a European Directive on Personal Data (98/46/EC). The Act effectively protects the rights and freedoms of individuals, particularly their right to privacy with respect to the processing of personal data.
An important requirement of the Act is that all organisations that hold personal data must ensure that this is held securely and that such data may only be used for specific purposes as allowed in the Act. Since schools hold a significant amount of personal data on pupils and employees this is a very important issue, but one that can all too easily be overlooked.
Anecdotal evidence suggests that many schools have a fairly relaxed attitude to data protection, but overlooking the issue of security is something that schools do at their peril. A school found to be in breach of the Act could face a fine of up to £500,000.
Under the Act, schools are “data controllers” in that they process personal data in which individuals can be identified. All data must be:
fairly and lawfully processed
processed for limited purposes
adequate, relevant and not excessive
kept no longer than necessary
processed in accordance with the data subject’s rights
The first and last of these requirements are worthy of particular attention.
Processing data fairly and lawfully
Fair and lawful processing of information means that data controllers have a responsibility to inform subjects about the purposes for which their personal data will be processed. This information should be provided at the time the data is obtained and it should be comprehensive and transparent. According to the Information Commissioner, children over the age of 12 will generally have sufficient understanding of their rights under the Act.
Lawful processing means that the school must send a comprehensive annual notification to the Commissioner, setting out all the categories of personal data being obtained and to whom this is to be disclosed. In order to satisfy the Act, the subject must consent to data being processed in this way.
Keeping data secure
Effective security is obviously vital. The Act is quite clear that appropriate technical and organisational measures should be taken to guard against unauthorised or unlawful processing of personal data. This would include the prevention of hacking into systems. Similarly, there should be strict safeguards against accidental loss or damage to personal data. This can be a big headache for schools since laptops and memory sticks can easily get lost, mislaid or stolen. Tight security practices are vital if schools are to stay within the law.
The Information Commissioner recommends that where there is a risk of damage or distress to individuals if data should be lost or go astray, all devices used to store and transmit personal information should be protected using approved encryption software that is designed to guard against the compromise of information.
This will include personal data that is held on the hard drives of PCs and laptops; portable media such as DVDs, CDs and USB drives; back-up tapes; computer networks such as storage networks; and off-site back-up services.
Schools can be at particular risk since new technologies such as biometrics and electronic filing systems are becoming more common. Many schools hold pupils’ biometric data in order to facilitate cashless catering systems or library access. This information could be regarded as sensitive.
Choosing the right level of protection
Not all information has the same degree of sensitivity, and schools must decide the appropriate level. It is recommended that stored information should be assessed and marked accordingly. Generally speaking, there are four categories of information in schools.
Information that is not protectively marked.
Information needing protection from unauthorised access.
Information where access is restricted to named people.
Confidential information where access will be highly restricted.
Data should be assessed and a number of questions asked in the event of a security breach. In schools, these will include the following.
Is there a risk that any kind of criminal case might fail?
Is someone likely to suffer discomfort?
Is there a risk to anyone’s personal safety?
Is anyone likely to be embarrassed?
If the answer to these questions is “no”, then there is no need for the document to be protectively marked. If the answer to any question is “yes”, the document will require a higher level of protective marking. The following issues should be considered.
Will it cause a serious criminal case or prosecution to fail?
Will someone’s personal safety be at moderate risk?
Is there a risk that someone might lose his or her personal reputation?
If the answer to any question is “yes”, then a decision should be made as to whether this data should be “restricted” or simply “protected”. Schools will need to decide the appropriate level of security but, in general, any information that contains personal details of an individual should be marked as “protected”, with a higher level of protection given as and when considered appropriate. Where there is doubt, the higher level should be chosen.
Data about staff and pupils
A great deal of information in schools can relate to teaching and non-teaching staff and some of this can be very sensitive. This would particularly be the case if a member of staff was subject to an internal investigation. This information would be highly confidential, with a very restricted circulation and great care would be needed to maintain security.
Similarly, there can be very serious issues regarding sensitive information about pupils. Electronic transfer of information is now part of everyday life, and will include information to legal authorities in cases relating to child protection and custody, pupil transfer data between schools, information for examining boards and information required by any statutory organisation.
All personal information needs to be kept safe and great care must be taken to ensure that it is only made available to those authorised to have access. One local authority incurred a heavy fine after faxing information to the wrong set of lawyers during the course of an investigation into child abuse.
Deleting confidential data
A high level of protection is needed in many areas and this can be very costly. However, schools need to take a close look at all the systems they have that hold information and ask themselves what the data is, why it is needed and whether it could be used and exploited for purposes other than those for which it was intended.
There will come a time when much of the confidential data held by a school will no longer be needed. In this case, the information should be deleted, but it must be remembered that the information continues to be confidential and that a computer’s normal deletion process only removes the directory entry of the file and not its contents. A significant part of the original content would usually be recoverable. The only safe solution would be to use a special software program that would ensure that all data is completely removed.
The protection of personal information is an important legal responsibility for schools. It is a problem that should be diligently addressed if serious consequences are to be avoided.