Data Protection guidance from ICO (Information Commissioner’s Office)
The ICO recently released a document entitled ‘Report on the data protection guidance we gave schools in 2012’, available here. The document describes how the ICO helped several schools earlier in 2012 to comply with data protection rules and sets out the findings of that work. The paper covers areas of data protection including use of CCTV, FOI (Freedom of Information) requests, appropriate policies, handling personal / private data, use of digital images and the importance of staff training.
Some of the key factors for schools to understand are the difference between personal data and sensitive personal data, and the fact that there are greater legal restrictions on sensitive personal data. The document clearly highlights the types of information that fall into each category: for example, names, D.O.B. and NI numbers are classed as personal data, but information relating to political opinions, religious beliefs and criminal offences is sensitive personal data.
There is also the need to differentiate between personal and private (confidential) information when sharing or publishing information. The example shared in the document is that a teacher’s identity is personal information that would be in the public domain, whereas their home phone number would be classed as private.
The document outlines some key aspects of information security and the need to ensure all portable electronic devices containing private (confidential) data are physically secured under lock and key when not being used, are password protected and encrypted. There also needs to be clarity over school data accessed through personal equipment. This may occur when data is shared via email or email attachments, either by teaching staff or, as is often the case, with governors. If school data resides on personal equipment, then the school could be liable for any loss of that data if it cannot demonstrate that suitable actions have been taken to minimise this risk.
One of the common ways schools fail to adhere to the recommendations is by sharing private data with other colleagues or the council using email accounts that are not on secure servers, or by sending emails to an insecure recipient. If not using a secure email account, a bare minimum requirement would be to ensure that no sensitive data is in the body of the text and that any attachments are password protected. All school-based communication on behalf of the school should be on secure school systems.
The area of data protection can be a minefield, but this document (although 30 or so pages long) gives clarity on a lot of the concerns that schools have and also includes an excellent audit resource to help you identify how effective your school’s policies and practices are.
Please contact a member of the Curriculum ICT team (01274 385844) if you would like further advice with respect to this area.