In the light of recent high-profile data losses by government agencies and banks, the government has signalled its intention to impose hefty fines on organisations that breach the Data Protection Act. Simon White, a data protection expert at Browne Jacobson LLP, assesses the impact this will have on schools
What does the Data Protection Act and data security have to do with schools?
Pupil information held by schools and teachers – whether at school or on laptops and other portable devices – attracts the same level of regulation under the Data Protection Act (‘the Act’) as other personal information held by public and private institutions such as banks, businesses in general and government agencies. Pupils’ information needs to be held as securely as possible to protect this potentially vulnerable group.
To that end, the Act requires (among many other obligations), through the ‘seventh data protection principle’, that schools (as with all other organisations) ‘take appropriate technical and organisational measures… against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data’.
What is changing in the law?
In the wake of recent massive breaches of the Act by HMRC and various banks, the government has signalled its intention to hold organisations to account for failing to comply with it.
The Criminal Justice and Immigration Act recently amended the Act and introduced a power for the Information Commissioner’s Office (the organisation tasked with enforcing the Act) to impose hefty civil monetary penalties on data controllers (such as schools) that knowingly or recklessly commit a serious contravention of the data protection principles (including the data security rules noted above in the seventh data protection principle) set out in the Act.
The government has delayed the implementation of the regulations that will bring this increased power into force (and confirmation of exactly how hefty the fines will be), but it looks like they may just make the statute books before the general election in May. The proposals are for fines of up to £500,000 for such knowing or reckless contraventions of the Act (the current maximum fine is £5,000).
Is there any guidance on data security specifically for schools?
A number of the recent high-profile data security breaches have resulted from data losses involving modern ways of working, such as laptops and memory sticks. Given the nature of such electronic storage devices, it is never possible to eradicate the risk of their loss or theft. However, all schools should have policies in place to ensure that such loss or theft does not compromise pupil and other personal information. Such policies are likely to need a clear notice that laptops containing personal information should not be left in cars, even if those cars are locked.
The Information Commissioner has specifically stated that anyone (whether employee or data controller) holding personal information should know the basics of encryption to protect such information. Clearly schools will need to review whether such knowledge among teachers exists and, if it doesn’t, put in place training and, if necessary, invest in the relevant software to enable encryption.
So what else can your school do (in addition to complying with the other obligations under the Act) to ensure that it doesn’t fall foul of the rules surrounding information security under the seventh data protection principle? Schools should:
- ensure that there are policies on taking pupil and staff personal information off-site and on the use of mobile computing, memory sticks, etc.
- ensure that these policies are properly communicated to employees and enforced
- invest time in ensuring that the school implements ISO 17799 on information security management.
Becta, the government agency tasked with promoting the effective use of information technology in schools, has recently updated its good practice guides to help schools to secure personal information held on learners, staff and other individuals. The series includes guides on:
- Keeping Data Secure, Safe and Legal
- Dos and Don’ts
- Information Risk Management and Protective Markings
- Data Encryption
- Audit Logging and Incident Handling
- Secure Remote Access.
The guides are published by Becta.
This e-bulletin issue was first published in January 2010
About the author: Simon White is a solicitor at Browne Jacobson specialising in data protection and internet law. To find out more about the legal services Browne Jacobson provides in the education sector, visit their website at www.brownejacobson.com.