Data protection and the education sector: Why schools and colleges can’t risk a breach

This month, a UK-based secondary school and sixth-form college, The De Montfort School, part of the Four Stones Multi Academy Trust, hit the headlines when families received COVID-19 results for the wrong students. The incident, ascribed to human error, reportedly impacted a small number of pupils and has since been reported to the ICO.  

The nature of this event means this story was quickly picked up by the press, where many fly under the radar. However, according to the ICO’s latest report (Q1 2021/22), the education sector took the lead over all other industries in the number of reported data incidents.

75% of the incidents were caused by non-cyber related issues, referring to non malicious and inbound attacks. Nearly 40% of non-cyber related incidents included failure to redact, or misuse of Bcc and, primarily, data emailed to incorrect recipients. 

These are some of the most common causes of data breaches across all sectors. However, handling young people’s data, particularly healthcare related information, is an example of when data protection is actually about people protection. The repercussions of data being mistakenly shared with the wrong recipient could be disastrous for students, professionals, and the organization involved. 

This is why today, with parent engagement more important than ever, and remote learning and working increasingly common, it is vital to arm school staff with technology designed to ensure compliance and the proper handling of sensitive student data.

Students, parents, staff, suppliers, local authorities - school employees communicate with a variety of different stakeholders, every day, often situated across different sites and schools. The data being handled is vast, from health and safety information and Looked After Children data, to contact details, attendance and performance reports.

Email is a reliable means of communications, yet it does not guarantee data protection or compliance with the GDPR. Alternative parent engagement platforms rarely deliver a user-friendly experience; often, they are not accessible and rely on parent uptake to be truly useful.

Joris Weel, Chief Information Security Officer at Curio Education Institution demonstrates the importance of this; "Curio institutions are spread across different locations, so it's crucial that we can share privacy-sensitive matters with each other online. Email is a popular and accessible means of communication and therefore a very important communication channel for the institution.”

So what’s the solution?

Smart, user-friendly, intuitive technology that is tailored for what is needed in the moment is key. That means a solution which empowers school staff to manage stakeholder communications with ease, without jumping in and out of alternative platforms. 

Staff regularly need to share large files between teams and parents (such as academic reports, attendance and registration data, health and safety information or more); this is a day to day task which should be simple to achieve. And yet today, it is not.

Staff must be able to authenticate the recipients identity, and have access to the performance of a communication once sent. The ability to revoke a communication in the event of an error, or control access to a file - these are tools which teachers, administrators, business and operations managers require every day. Without access to this functionality, mistakes will continue to happen.

Pointing fingers when things go wrong does not tackle the issue at its source. People are only as good as their tools - it’s time for school leadership teams and technology leaders to come together to empower people to be secure with their digital communications with A* technology.

By Robert Fleming, Chief Marketing Officer, Zivver