Managing the pressures of safeguarding in education is no easy task. With a growing number of pupils in the system, funding cuts, occurrences of crime, and pressures to make greater use of advanced technology, senior leaders already face a series of challenges in maintaining or improving student safety and security.
A number of facilities have integrated advanced security systems such as CCTV in schools and access control in colleges to help ease the burden of keeping people and assets secure. With the capabilities of this technology increasing, and adoption continuing to rise, the regulatory landscape is evolving to match, with bodies such as the Information Commissioner’s Office (ICO) and ATL, The Education Union updating guidance relating to surveillance technologies.
Benefitting from improved connectivity and high image quality, security systems are also capturing larger amounts of data. As of May 2018, education organisations will need to be compliant with the General Data Protection Regulation (GDPR), superseding the Data Protection Act 1998 and designed to safeguard the way institutions capture, handle and report Personally Identifiable Information (PII). While larger organisations have dedicated teams for regulatory processes, responsible for detailed data inventory and mapping projects, one can only begin to imagine the scope of the challenge in the education sector and particularly for those Academy Trusts that have taken on new Academies in the past two years. In fact, adherence is likely to be a challenge for a number of organisations with analysts Gartner predicting that by the end of 2018, more than 50 per cent of companies affected by GDPR will still not be fully compliant1
Data security in education
Due to the often sensitive nature of the information captured or processed by systems in education, ranging from images of children to exam results, the sector is likely to rapidly come under close scrutiny. Under GDPR, data breaches must be reported to the correct authorities within 72 hours and robust data portability policies must be put in place. Further to this, public authorities should also employ a Data Protection Officer. The need to find and invest in a member of staff to fulfil this role internally may prove a challenge, especially at a time when budgets for schools, academies and colleges are shrinking. Many education organisations are therefore expected to seek third-party help in managing the security of data, with an understanding of the potential penalties for non-compliance. While the Data Protection Act saw maximum fines of up to £500,000, GDPR brings with it penalties of up to €20 million or 4% of an institution’s annual group turnover (whichever is higher).
Ultimately, the regulations and advice open to the market are there to safeguard student and staff data, plus simplify regulatory environments for institutions. A recurring element throughout the various regulatory standards and guidance is that all data must be sufficiently protected to avoid a breach, including careful consideration of technical, organisational and physical security. With the increased use of high-end security technology that is often connected to broader IT infrastructure, conducting a comprehensive health-check of relevant systems will be key to ensuring the security of people, assets, systems and data. Ultimately, this will demonstrate that the education institution is not only effectively managing organisational risk, but is also encouraging best practice.