Increasing regularity in safeguarding, means safeguarding leads in schools and colleges and other staff members are increasingly being called to account in how they are handling data.
This has caused many people to look more closely at the use of technology for the recording and management of safeguarding in education.
Although digital records and technology can help to improve safeguarding and provide major support to reducing staff workload and stress, before adopting any technology for recording anything that might later be required as ‘evidence’, there are several important considerations that are widely misunderstood and a few myths and legends that need to be unpicked.
One myth is that when a pupil moves between schools and their safeguarding record is transferred to the new school, any remaining records retained by the originating school must be destroyed.
Another myth relates to the sharing of information and a fear that information cannot ever be shared without the consent of a parent/carer or the data subject
Some local authorities formally issue such guidance, which is very concerning – not least because it is potentially unlawful: The ‘child protection record’ as it is called in the DfE Guidance (KCSIE 2018) should not be confused with the Common Transfer File (CTF) when a pupil moves between schools – they are entirely different. The Department for Education’s data protection toolkit for schools makes it abundantly clear that schools (and/or multi-academy trusts) are data controllers in their own right and as such they make the decision about data retention under the auspices of the Data Protection Act 2018, not the local authority.
Furthermore, the ongoing Independent Inquiry into Child Sexual Abuse (IICSA) has long since issued a direction that NO child protection records are to be destroyed until further notice.
The DfE is currently working on data retention guidance for schools (including safeguarding records) while the Information Records Management Society Toolkit (v5), which many people see as the current definitive guidance, is also under review. The main point is that no-one can tell a data controller to destroy records. It is their duty in law to make that decision (and they should record their rationale for that decision).
Another myth relates to the sharing of information and a fear that information cannot ever be shared without the consent of a parent/carer or the data subject. Again, the DfE toolkit makes it very clear that the Data Protection Act 2018 introduced ‘safeguarding’ as a reason to be able to process sensitive, personal information, even without consent (DPA, Part 2,18; Schedule 8, 4).
The guidance states: “All relevant information can be shared without consent if to gain consent would place a child at risk. Fears about sharing information must not be allowed to stand in the way of promoting the welfare and protecting the safety of children. As with all data sharing, appropriate organisational and technical safeguards should still be in place.”
The important thing for practitioners to know is WHEN information can be shared without consent; the DfE guidance is immensely helpful for this.
The ongoing Independent Inquiry into Child Sexual Abuse (IICSA) has long since issued a direction that NO child protection records are to be destroyed until further notice
A final but hugely important issue when investing in digital technology is to ask the right questions of potential suppliers. This starts by well-informed practitioners, supported by their professional IT colleagues, asking questions such as:
- Who hosts their software application? (i.e. do they host it themselves or is it externally hosted? if so where?)
- Where will your data be hosted? (the DfE requires all school data to be held in the EEA)
- What are the resilience arrangements? (e.g. secure resilient data centres on separate sites)
- Has the supplier completed the DfE’s Cloud Services accreditation document?
- Can the supplier demonstrate compliance with the National Cyber Security Centre’s ’14 Cloud Security Principles’?
- Does the provider (not just their third-party data centre) hold ISO 27001:2013, the latest version of the externally assessed international standard for information security management?
- Do they hold the government-backed Cyber Essentials ‘Plus’ certification? (The ‘Plus’ is important – it’s the independent verification; the basic Cyber Essentials certificate is self-assessment only.)
- Has their system been independently penetration tested? Will they disclose their pen-test certificate?
- Is the application accessed by single-factor authentication or two-factor authentication?
- Have you seen the provider’s GDPR Compliance Statement, Private Notice and Lawful Basis for Processing policy?
These and a host of other issues regarding data protection and associated issues all need careful consideration.