Understanding Your School Data Protection Policy

Mon 30 September, 2019

Data protection is a serious concern, especially in schools. Making sure your school data protection policy is up to code helps protect you from breaches and keeps you clear of a crisis.

The Data Protection Act is designed to protect the privacy of individuals with regard to how their personal data is collected and stored online.

School IT systems contain a huge amount of sensitive information about both staff and pupils. Any data that your school collects or stores must remain secure and confidential.

Register with the ICO and give annual notification

The Data Protection Act requires all data controllers to register with the Information Commissioner’s Office (ICO) and notify them of how they process personal information. After registration, this process will need to be repeated annually to remain in accordance with the Data Protection Act.

When registering, and annually afterwards, you must inform the ICO of:

  • What data you are collecting and storing
  • The purpose of storing that data
  • Where the data has been collected from
  • Who will be given access to this data or who the information will be shared with
  • Which countries the data will be transferred to

Have privacy notices in place

Parents put their trust in your school to keep their children safe, and this includes the safety of their personal information. Staff at the school also need the peace of mind that their information is being handled correctly. As such, you must be completely transparent about your school’s data protection policy in the form of privacy notices.

You may be using this data for emergency contact information, assistance with medical conditions or to arrange school trips, but parents and teachers need to be able to access your data protection policy easily and understand it clearly.

All schools must have privacy notices in place that provide concerned parties with the following information:

  • The purpose of holding the information
  • How personal data is collected
  • How data is kept up to date
  • Procedures for security breaches and for lost or stolen data
  • Correct disposal of confidential waste
  • What the school’s policies and expectations are for staff accessing this data
  • Security system details such as computer password use, firewalls, and anti-virus software
  • How personal data is encrypted
  • Who is a trusted third party
  • Rules for sharing or transferring the data outside of the school

Have firewalls and anti-virus software in place

As mentioned above, your school’s data protection policy must ensure that online data is protected. This includes protection from malware through the use of firewalls and anti-virus software that cannot be easily circumvented or accidentally disabled.

For security purposes, it’s also important that all the devices in your school run the same operating system, kept at its most up-to-date version. Any outdated software is a weak link in your security and undermines the effectiveness of your data protection.

From a practical standpoint, it is also much easier to manage a synchronised IT and security system, and the use of secure cloud backup also protects you from losing information if disaster strikes.

Encryption of personal information

Encryption is the process of converting information into a coded form to prevent unauthorised access. If the data falls into the wrong hands it stays unreadable, because encrypted data can only be made readable again with the decryption key.

All personal information that you keep on your school’s IT system must be encrypted to prevent security breaches. This also goes for any memory sticks or external storage hardware that may be used in conjunction with the system. These devices need to be password protected and fully encrypted.
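As an added illustration of the point above (example code written for this page, not taken from the original post or from any school's system), the following Go program encrypts a constructed pupil record with AES-256-GCM, a form of authenticated encryption available in the Go standard library. It shows the two properties the section relies on: the stored blob is unreadable without the key, and any alteration of the stored data, or an attempt with the wrong key, is detected rather than silently producing garbage. The record text and the in-memory key are assumptions for the demonstration; in a real deployment the key is held in a key store, never on the same memory stick as the data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// newKey generates a fresh 256-bit key from the OS random source.
// Assumption for this example: the key is kept in memory only. In practice
// it belongs in a key store or HSM, separate from the encrypted data.
func newKey() ([]byte, error) {
	key := make([]byte, 32) // 32 bytes selects AES-256
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// sealRecord encrypts and authenticates plaintext with AES-256-GCM.
// A random 12-byte nonce is prepended to the output so that decryption
// needs only the key and the stored blob.
func sealRecord(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // rejects keys that are not 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext plus a 16-byte authentication tag after the nonce.
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// openRecord reverses sealRecord. It returns an error if the key is wrong or
// if any byte of the blob was altered, because GCM verifies the tag first.
func openRecord(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("stored blob too short to hold a nonce and tag")
	}
	nonce, ciphertext := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ciphertext, nil)
}

func main() {
	// Constructed sample record for the demonstration; not real pupil data.
	record := []byte("pupil=J. Bloggs; medical=asthma; emergency_contact=01234 567890")

	key, err := newKey()
	if err != nil {
		panic(err)
	}
	blob, err := sealRecord(key, record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored form (first 16 bytes, hex): %x\n", blob[:16])

	// Correct key: the record comes back intact.
	plain, err := openRecord(key, blob)
	fmt.Printf("decrypted with the right key: %q (err=%v)\n", plain, err)

	// Wrong key: no plaintext, just an authentication error.
	wrongKey, _ := newKey()
	_, err = openRecord(wrongKey, blob)
	fmt.Printf("decrypted with the wrong key: err=%v\n", err)

	// A single flipped bit in the stored blob is detected, not decrypted.
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = openRecord(key, tampered)
	fmt.Printf("decrypting a tampered blob: err=%v\n", err)
}
```

The same pattern applies to a file on a memory stick: store the sealed blob, keep the key elsewhere, and treat any `openRecord` error as a sign the stick was damaged or tampered with rather than attempting a partial recovery.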

Limiting access to devices

Only the authorised devices used by your students, staff and trusted third parties should be able to access your school’s IT system. Your system shouldn’t operate as a free Wi-Fi service that anyone can access, even with a password. Even the personal devices of your students and staff should be kept separate from the system where you hold so much sensitive data.

Any devices not owned by the school can be a security risk as you don’t have control over the software and security features that they use. Your school data protection policy should ensure that any IT systems that you use - such as desktops, laptops and classroom tablets - are properly maintained and kept up to date with the latest operating systems and anti-virus software.

Responding to Student Subject Access Requests

Students and their parents or legal guardians have the right to request to see their personal data held by the school. The authority to request this access lies with the student unless they are unable to act on their own behalf or they have given consent to their parent or guardian.

Even young children hold the right to their personal data themselves, rather than their parents, if they are mature enough to understand their rights. Parents and guardians can, however, request to see their child’s educational records even without the child’s consent.

Any request to access personal data must be received in writing before access is granted. This can be a physical letter or an email, but there must be a record of it.

Your school data protection policy should adhere to all of the above information for your school to be within the regulations of the Data Protection Act. Not only is this essential from a legal standpoint, but it also ensures the protection of your students and staff from harm and your system from potentially devastating data breaches.

For more information on keeping your school’s data secure and protected, you can view our IT security services for schools.