Safeguarding Data in Schools.

Data Collection Policies

Schools have a phenomenal amount of data and much of it is high risk. Safeguarding parents', children's and staff's data is at the very core of data collection. Failure to safeguard data can have very serious consequences. Serious for the data subject (parent, student or staff member) and for the school as an organisation.

With more than 20 years in education, and as I transition from teaching into data governance, the emergency of data privacy grabs at me.

A typical school holds data such as medical history, travel location, well-being, address, contact details, previous school or employment, even biometrics. Sometimes data can be inferred from information held, such as a student's or employee's religion from their dietary preferences. Students will often carry out research in the classroom, with little knowledge of how to protect the personal data of peers. That data may be placed on the classroom walls, and then purposefully or accidentally shared in social media. Much of this information requires a DPIA.

So, where do we start? The subject on my mind today has been that of Data Collection Policies. Before moving on to this subject, I want to introduce three standards that help schools to demonstrate accountability:

Standards are critical in safeguarding student and staff data.

ISO/IEC 27001 - Information Security Management Systems: Requirements for establishing, implementing, maintaining, and continually improving an information security management system (ISMS). It helps schools structure their data security practices around risk assessments and security controls, including data collection policies.

ISO/IEC 27002 - Code of Practice for Information Security Controls: This standard supports ISO/IEC 27001 by offering best practice guidelines on information security controls.

ISO?ISO/IEC TS 20748 - Information technology for learning, education and training: Learning analytics interoperability. Part 4: Privacy and data protection policies.

Accountability and compliance stand strong in data protection laws and directives around the world. Using the ISO standards guides and demonstrates that accountability and compliance are adhered to.

Data collection policies, developed under the scrutiny of clear professional standards, involve several detailed components that schools must consider to ensure they manage data responsibly:

1. Scope and Purpose Specification

When developing data collection policies, schools need to clearly define the scope and specific purposes for which data is collected. This involves detailing the exact types of data needed, the activities or functions for which the data is collected, and the intended outcomes of these activities. For instance, the scope may include collecting contact information for emergency communication, health information for safely managing physical activities, or academic data for performance monitoring and educational support.

Each type of data collected should have a legitimate and clearly defined purpose directly linked to the school's operational or educational objectives. Schools should ensure that the scope of data collection is strictly aligned with these defined purposes, avoiding the collection of any data that does not directly support school functions. This precise delineation of scope helps in maintaining focused and legally compliant data practices, thereby enhancing data security and minimizing potential misuse.

2. Transparency

The data collection policies should be transparent and communicated effectively to all stakeholders, including students, parents, and staff. Schools need to inform these stakeholders about what data is being collected, the purposes for which it is collected, and how it will be used. This transparency is crucial for building trust and for compliance with data protection laws that require informed consent. This connects directly to the next point: Legal basis of collecting, holding and processing data.

3. Legal Basis

In developing data collection policies, schools must establish and document a legal basis for collecting and processing personal data. This includes determining whether the processing is necessary for compliance with a legal obligation, for the performance of a contract, for protecting the vital interests of a data subject or another person, for carrying out a task in the public interest, or for the legitimate interests pursued by the school or a third party.

The requirement for a legal basis ensures that schools not only obtain consent where appropriate but also consider other lawful grounds for processing data. For instance, in some cases, processing might be necessary to fulfill educational obligations or to adhere to safety regulations without explicitly needing to obtain consent. This aspect of data protection acknowledges that while consent is crucial, it is not the only foundation upon which personal data can be legally processed, providing schools with a framework to handle data responsibly within the confines of the law.

4. Data Collection Limitation

The policy should emphasize the principle of minimal data collection—only collecting data that is essential for the specified purposes and nothing beyond that. This limits the risk of data breaches or misuse of excessive personal information. For example, while it may be necessary to know a student's medical allergies, detailed medical history beyond what is relevant to school activities should not be collected. A school's LMS holds so much data, and this needs to be carefully managed so that each employee only has access to information that they truly need.

5. Review and Update

Data collection policies should not be static. They require regular review and updates to reflect new educational tools, changes in legal requirements, or shifts in the school's operational needs. This ongoing review ensures that the policies remain relevant and effective in protecting student data.

6. Impact Assessment

Before introducing new data collection practices or technologies, schools should conduct assessments to understand the impact on privacy and compliance with existing data protection laws. These assessments can help identify potential risks and the need for additional safeguards. This is especially relevant with regards to high risk data such as medical information, religious and political views (we all know how opinionated teenagers can be!).

Schools usually have a strong online presence. The DPIA must track all photos and social media stories to make sure that data is shared carefully with safeguarding at the forefront of thought and care.

Addressing these issues is a small part of the whole of safeguarding in the field of data protection. Strong control mechanisms help schools create a secure data protection environment, safeguarding the information of students, staff, and parents, and ensuring compliance with legal obligations.

==========

Article written by Derek Ray Havelock, founder of Asia Privacy Action (APA).

The APA specialises in data protection and privacy in education in the ASEAN region.