GDPR and schools: how your IT system should be designed
If you have not heard of GDPR yet, you are quite possibly already in breach of it. More likely, you have heard of GDPR and your school has made some effort to apply the rules, but you have not yet fully immersed yourself in the requirements, so you cannot make informed and effective choices. Here we set out some of the fundamentals, which will act as a foundation for the further learning you will need to undertake.
The what and why of GDPR
GDPR stands for the General Data Protection Regulation, EU legislation governing the collection, use and storage of personal data. It came into force on 25 May 2018, in response to the changing nature of internet technology and computing. In the UK it is accompanied by the Data Protection Act 2018, and together they replace the outdated Data Protection Act 1998, which was inadequate for dealing with the realities of our interconnected world.
Data has become a commodity. Companies such as Facebook and Google, whose products are free at the point of use, are likely to be using your data to support advertising and other monetised functions of their sites. As with anything that holds value, we should keep our data safe and demand that those who hold it for us keep it safe too. GDPR exists to require the correct handling, storage and processing of that data.
Personal data in schools
Schools hold a great deal of personal data about students and staff. Under GDPR, personal data is any information relating to a person who can be identified from it, directly or indirectly. Everything from a name or email address to a photograph or any other identifying detail therefore falls within the regulation. It applies not only to data stored on IT systems but also to paper records, so children’s exercise books become a GDPR matter too.
Designing your school IT system: Storage
If you are going to control the data stored on your school systems, you will need to standardise the software used and the way it is used. At the infrastructure level, as IT manager, you can lock down the administrative packages with access controls and security settings so that the data they hold is secure. However, you are equally responsible for the personal data that ends up in word-processing documents, spreadsheets and emails, which is far harder to see and control.
Consequently, only software provided within the school system should be used to present, analyse or explore the personal details of staff and students. Personal software packages and personal email addresses cannot be used for school work if you are to control the collection and use of this data effectively.
Ultimately, using the school IT system correctly requires extensive staff training so that teachers and administrative staff understand their responsibilities. Each of them needs to ask why a piece of personal data is being created, whose data it contains and how it must be stored. It may take, for example, a secure remote connection to the school network for teachers who want to plan and prepare offsite, so that personal data need not be stored on teachers’ own devices.
Designing your school IT system: Data Breach
The system protections needed to prevent a data breach, and to signal when one has occurred, are more familiar ground. A personal data breach under GDPR is any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data, and preventing these is what your existing security controls are already meant to do.
Yet it is not enough to put protections in place. You also need to know quickly when a significant breach has occurred, which means logging and monitoring access to personal data rather than only locking it down. If a breach is likely to pose a risk to the people affected, you must notify the ICO without undue delay and within 72 hours of becoming aware of it, and where the risk is high you must also inform the individuals whose data has been affected.
GDPR is statutory, and schools must comply with it. The legislation can feel complicated, and you may worry that your IT system is not up to standard. Contact the experts at Serval Systems today: we can help you address any outstanding issues and concerns quickly and effectively.