It’s not just big businesses that need to be mindful of data protection – protecting the privacy of students and staff alike is paramount in the education sector. Schools, colleges, universities and education centres are obliged to comply with Data Protection Act of 1998, and are just as susceptible to a fine of up to £500,000 as business and corporations.
So what data protection challenges does the education sector face, and how do they overcome these? Check out the most common factors faced and their solutions below.
Every pupil and student has the right to access their personal information on record, whilst their parents have the right to see their educational records. This is known as ‘subject access’, and allows an individual to find out whether any of their personal data is being processed, to be given a description of the personal data on record and the reasons why it is being processed. The individual also has the right to know if it is being handled by any other organisations, and can request a copy of their personal data and details of the source if they wish.
Education establishments must therefore make sure that when a request for information is received, they grant permission. Refusal for a personal data request constitutes a breach of the Data Protection Act.
Sharing Personal Data
Schools can share their personal data with three main organisations: local authorities, other schools and educational bodies, and social services. Personal information can only be shared with pupils once they over the age of 18, although it can be shared with parents and guardians. Once of age, any student has the right to access their information without their parents’ consent.
As we know, personal data can be shared in accordance with Data Protection Act, but there are factors to consider. Firstly, make sure that you are allowed to share it first. Secondly, ensure that adequate security has been put in place to protect it (extremely useful in regards to highly sensitive information), and provide an outline of who is receiving personal information from the school.
Any education establishment that is preparing to provide personal information should also be aware that the way it is shared needs to be taken into consideration. Sending an email can have many disastrous consequences – attaching a wrong document to an email can happen (we’re all human, and mistakes can be made), email accounts are not 100% secure, and only some email providers allow you to recall messages once you’ve hit ‘Send’. If you’re confident that your email is secure enough, make sure that any circular emails are sent under ‘Bcc’ so no party has their email address shared with anybody they’re not comfortable sharing it with.
Publishing Exam Results
Publishing exam results is allowed, especially for research purposes for the educational sector, but all parties involved should be notified before this happens.
Taking Photos in Schools
There’s no part in the Data Protection Act that prevents parents and teachers from taking photos in the school for events such as sports days, Christmas plays and so on. However not all parents are comfortable with their children being photographed in school – especially without their consent. Ensure that parents are notified whenever photos will be taken, and for what reason. If they wish to have access to these photographs before publication, then this is another simple request that ought to be granted.
This also extends to CCTV recording. People must be informed that it is recording and what it is used for. Retention periods must be reviewed regularly to ensure no irrelevant data is being kept on file.
Failure to train staff in how to properly govern personal information is asking for trouble. If a staff member incorrectly tells an unauthorised party confidential information pertaining to the school, staff or students, then they are in breach of the Data Protection Act. Training is a good way to notify staff of any changes, as well as keeping them informed on how to handle any sensitive information.
Protecting Sensitive Information
Educational establishments must ensure that all staff and student records are is locked away with access only granted to authorised personnel.
When disposing of records, the best way to render them irretrievable is to contact Datashredders. Our commercial shredding service sees us provide clients with secure waste containers, ensuring a clear destination for all shredding – you don’t even need to separate paper from laptops, hard drives or data discs and you don’t need to spend countless hours removing staples. We’ll either shred all of your confidential data onsite or take it back to our shredding centre in Peterborough to feed into our state-of-the-art AXO FATSO double shredding machine. Contact us today for a free, no-obligation quote.