U.K. legislators and regulators have been at the leading edge of data protection progress and standardization for the better part of a decade. But as the academic calendar turns to a new year, authorities have been paying special attention to how carefully schools are handling student information.
Room for improvement
A recent report issued by the Information Commissioner's Office surveyed the data security and records management practices of more than 400 schools across nine local regions. Overall, officials found that awareness of Data Protection Act mandates was quite high across the education sector, with more than 90 percent of schools proactively telling parents and students how their personal information was being stored, protected and used.
However, one in three schools conceded that password management had become a potential pain point, with several systems protected by passwords that were infrequently changed and of questionable strength. An additional 20 percent of schools admitted outright that their email systems were insecure.
"The survey results showed that whilst awareness of the law was broadly good, knowledge on how to comply with it wasn't always there," ICO director of good practice Louise Byers noted. "In many respects that should come as no surprise – it's not teachers' area of expertise – and it is precisely what our report is aiming to address."
Recommended best practices
The most important discipline highlighted in the ICO's supplementary list of data protection best practices was that of notification. As officials suggested, keeping regulators informed on how much student data is being collected and what it is being used for is less of a tip and more of a legal requirement. Schools were also advised that, while delegation of responsibilities to certain administrators was a "sensible" tactic, ultimate responsibility still resides with the data controller that has registered notification with the ICO.
This transparency shown to regulators must be extended to pupils and parents as well. For instance, the ICO report advised administrators to provide a fair processing memorandum each time parties are asked to supply personal information. Whether it is an educational pamphlet or web portal, both students and families must be made aware of why data is being collected, what it can be rightly used for and what safeguards are in place to limit the possibility of a breach.
While data security best practices such as access and device control were discussed at length, the report's authors also made a point of addressing information disposal procedures, which are so often the weak link in the chain of custody. Educators were advised to take into account the sensitivity of the information, and the personal consequences that could follow from a breach, when deciding on a disposal method. Most often, document shredding and hard drive scrubbing are the prescribed strategies. Once again, institutions were reminded that delegating such tasks to a third party does not transfer responsibility for their proper execution.
Finally, ICO officials underscored the importance of crystallizing these concepts in an effective employee training framework.
"Those making decisions about running schools need to know about information rights. Many data protection failures are caused by ignorance and anything that promotes awareness is to be recommended," the report stated. "Mistakes can often be prevented by being aware that a potential problem exists and knowing who can give more detailed advice."
Administrators were encouraged to incorporate data protection workshops into professional development days hosted throughout the year. But on a more continuous basis, the ICO insisted that staff should always have access to at least one colleague with an advanced working knowledge of expectations and best practice solutions.
Security News from SimplySecurity.com by Trend Micro