How to align safeguarding and data protection in schools

Safeguarding and Data Protection:

Safeguarding and data protection are two interests that are traditionally depicted as being at odds with each other. The Department of Education lists frequently asked questions which include:

  • Are the GDPR and Data Protection Act 2018 barriers to sharing information?
  • Does the common law duty of confidence & the Human Rights Act of 1998 prevent the sharing of personal information?
  • Is consent always needed to share personal information?

The answer to all these questions is a resounding “no”!

To quote the ICO directly: ‘It is important to remember that the GDPR and human rights law are not barriers to justified information sharing but provide a framework to ensure that personal information is shared appropriately.’*

Then why is it the case that these interests are viewed as opposites? Why must it be safeguarding OR data protection? Both are surely fundamental considerations in the interest of protecting the individual.

‘Safeguarding’ is a term often associated with ‘child protection’ and can fundamentally be understood as promoting the welfare of children, protecting them from maltreatment and taking action to enable all children to have the best outcomes. Whilst many people see data protection as a legal requirement impeding the delivery of education and restricting the use of online resources, its purpose is to protect data subjects, including minors such as your students, from harm caused by the exposure of their personal data. This makes it a valuable tool to enhance safeguarding.

How to marry safeguarding and data protection:

The advice given by the DofE is:

  • Be open and honest from the outset about why, what, how and with whom information will, or could be shared, and seek their agreement where possible.
  • Safety and wellbeing are of utmost importance – base your information sharing decisions on the considerations of safety.
  • Keep a record of your decisions and the reasons for them – whether it is to share information or not.
  • Seek advice if you are in any doubt about sharing information, without disclosing the identity of the individual.

The general framework given by the government states that information sharing (including the sharing of safeguarding information) needs to be necessary, proportionate, relevant, adequate, accurate, timely and secure with the ultimate intention of protecting the safety, wellbeing and future of the individual.

The last point, the ‘security’ of this transacted data, is of the utmost importance, as this is where safeguarding guidelines and data protection law converge with cybersecurity. The security of data, whether utilised, stored, shared or transacted, is a fundamental priority and is considered so by both the DofE and the Information Commissioner’s Office (ICO). There are various measures you can take to secure your data, many of which are technological in nature – constant monitoring of network and endpoint devices, penetration testing and cyber safety training, to name a few. The fact is that the safety of your network and connected devices is fundamentally tied to the safety of your data and pupils.

Finally, and perhaps most fundamentally, government advice specifies that should there be any doubt regarding information sharing (safeguarding or otherwise), schools should consult and seek advice from experts.

Delivering value to Independent Schools with good data protection practices

As we have noted, data protection and safeguarding are intrinsically linked and ultimately serve the same purpose: protecting the welfare of children. In short – a breach of data protection policy and the disclosure or release of sensitive data about a child can harm their future opportunities which is, in effect, a breach of safeguarding principles.

Schools gain notoriety for public breaches of ‘special category data’. The ICO takes these cases seriously and has been known to fine schools, penalising them for breaches of confidence. The direct financial burden of a fine is often minor in comparison to the loss of revenue resulting from the negative effect this can have on reputation.

However, rather than implement data protection practices out of fear of the financial or reputational impact of a fine, it is far more liberating to consider the manner in which data protection practices can deliver value to educational organisations. By putting children first and protecting their online safety and wellbeing, schools have the opportunity to differentiate themselves and put themselves in a more competitive position. With a strong safeguarding and data protection record, a school protects its reputation, engenders parent loyalty, and increases customer retention and child success.

How can you do this?

  • Cultivate a reputation of data privacy.
    • Seek transparency with all data processing – inform the individual, where possible, of how, why and where their data is being processed, utilised and stored.
       
  • Include data protection and IT acceptable-use guidelines in your safeguarding policies
    • This demonstrates that you appreciate the link between safeguarding and data protection and take these responsibilities seriously.
    • Parents value the safety of their financial information and the wellbeing of their child, both in person and online. This extends to their data privacy.
       
  • Ensure the safety of information
    • As the government guidelines specify, secure data. This can be done through a comprehensive Cyber Safety as a Service (CSaaS) which includes Threat Detection & Response, Vulnerability Management, Penetration Testing, Email Threat Prevention & Cyber Safety and Phishing Awareness.
    • Train ALL staff in both data protection and cyber security responsibilities. 80% of cyber security incidents occur via the ‘human element’ (i.e. successful phishing attacks) and 69% of 450 schools audited had suffered phishing attacks in 2019.
    • Prepare for the worst and cultivate a data breach and cyber security incident response plan.
       
  • If in any doubt, consult an expert!
    • Call us on +44 (0) 333 101 4399 or email info@normcyber.com to start a conversation about how we can support you, update your GDPR compliance and deliver value by implementing good data protection and cyber security practices.

Sources:

https://www.gov.uk/government/publications/safeguarding-practitioners-information-sharing-advice

https://www.gov.uk/government/publications/keeping-children-safe-in-education--2

https://www.gov.uk/government/publications/data-protection-toolkit-for-schools

Also see NCSC & LGfL Cyber Security Schools Audit 2019 for statistics on cybersecurity breaches


Written by Isabelle Churchill
Isabelle Churchill is a member of the norm. sales team. She joined the team having graduated with a First-Class degree from the University of Bristol and is currently focusing her research on an analysis of the cybersecurity and data protection needs of the education sector.
