…is that it isn’t an issue - until it is. Millions of individuals’ data are kept by organisations all over the world with apparently no problem, until such time as there is a data breach, hack or other cybersecurity failure which puts those people’s personal information at risk. And when massive corporations such as UBER, Equifax and government departments like HM Revenue and Customs suffer significant data breaches, the number of people affected can be huge. But this issue is not limited to digital records; many infamous data breaches have occurred through paper files being left on public transport or turning up in landfill sites. However, irrespective of how it occurs, any data breach has the potential to cause significant alarm and distress, and when that information ends up in the hands of criminals the consequences for victims can be enduring and far-reaching.
Of course, the need to protect data is not new; it was in 1953 that Article 8 of the European Convention on Human Rights first introduced a requirement to respect an individual’s privacy. Since that time, data protection legislation has existed in a number of different guises and the introduction of the General Data Protection Regulation – GDPR – is simply a response to the latest developments in technology and the way in which vast quantities of data are now handled and stored.
Under the Data Protection Act there is no legal obligation on data controllers to report breaches of information security (albeit the Information Commissioner’s Office – ICO – believes that serious breaches should be reported to them and many responsible organisations already do so). However, the GDPR will create a statutory obligation on organisations to report certain breaches of personal data to the ICO and, wherever practicable, they must do so within 72 hours of becoming aware of the breach. Furthermore, under GDPR an organisation responsible for a data breach could suffer serious damage not only to its reputation but also to its finances, as regulators will be able to levy administrative fines of up to 20 million Euros or 4% of annual turnover – whichever is the greater! This would be eye-watering for any organisation – for a school it is potentially catastrophic.
To suggest that schools need to take GDPR seriously is both a statement of the obvious and potentially a major burden. Schools rarely have the resources to be able to employ or commission data protection professionals to manage their day-to-day information security arrangements. There has been plenty of policy advice from various sources circulated in respect of GDPR, but policies are only ever of use if they are tested and actually work when needed.
And while school budgets are continually being stretched, the need to develop a network of reliable and secure data storage solutions is greater than ever, meaning that schools need to be sure that they can trust the providers of their data collection and management tools. In addition, a chain is only as strong as its weakest link, and that is most certainly true when it comes to data management. As individuals’ data is passed from one service or provider to another, there has to be complete confidence in the security and accuracy of the information being shared.
In terms of the legislation, schools are the data controllers of the data that is held about their staff and pupils in either their own or, perhaps more importantly, third-party systems. Those organisations looking after data on behalf of schools are ‘data processors’, each with their own range of duties. One Team Logic is the data processor in respect of the highly sensitive personal information about pupils’ safeguarding and well-being that is held in MyConcern, whilst each school remains the data controller and legal owner of that information. That is to say, One Team Logic does not have access to this information (it is all fully encrypted), but we do have the responsibility for storing it safely and securely, and for restricting access to only those permitted to access it, such as the safeguarding leads within schools. It is vital that we protect this information, not only because we have a duty to schools as our customers but also for the protection of the pupils who may have records held about them within MyConcern.
To ensure that we are fully GDPR compliant, all our staff have received GDPR training and we have robust systems in place. For example, we have achieved the internationally recognised ISO27001 standard for information security management and were externally audited in order to achieve the government-backed ‘Cyber Essentials Plus’ accreditation. We have also had our systems and networks penetration tested by independent external specialists; all of the data that we process on behalf of schools is held in secure and resilient data centres in the UK. This allows us to be confident (but never complacent) that the service we provide to schools is of the highest quality and that the data we process on their behalf is safe.
When combined with the data held in SIMS, MyConcern gives schools the tools they need to monitor and manage concerns and actions around individuals and groups. Thanks to being able to securely control information sharing between staff and trusted external partners, MyConcern ensures that schools as data controllers can have complete faith in the processes they put into place when it comes to their pupils’ details.
Martin Baker is the Managing Director of One Team Logic, the producers of MyConcern.