Roundtable: Save the data – Amanda Jackson

Are our schools and universities doing enough to safeguard student and staff data? Steve Wright quizzes some experts in the field

The third in our series on safeguarding data, we speak to Amanda Jackson, senior inspector, Quality Assurance, at Havering Education Services (HES).

Q. We’ve all been well schooled now in the importance of data security. But can you outline some simple, practical and affordable solutions for schools and universities?

To date, there aren’t any solutions that address the issue perfectly, but there are some steps that schools can take to make sure that data remains as secure as possible. Many of these relate to daily procedures, as often it is human error that leads to a breach. 

Some of these are simple but surprisingly effective, such as setting a two-minute delay on your emails. It’s all too easy to copy the wrong person into an email – but, if you’re sending sensitive information, this could have serious repercussions. That two-minute delay means the email sits in your outbox and gives you the chance to rectify something before it becomes an issue. 

Q. Are schools and universities sufficiently aware of both the risks out there and the solutions available to them?

When changes to the data protection laws came into force, a lot of companies and consultancies were offering advice to schools, and some schools bought into expensive subscriptions for a consultant to review their data management. There are risks here, though. For one thing, it can be costly for the school: what’s more, outsourcing responsibility in this way does little to promote data security awareness amongst school staff. Since the latter are the school’s data gatekeepers, that’s a real issue. 

It can also be difficult for schools to get clear guidance. Although there is advice out there, there are so many concerns around data security and compliance that issues such as how long to retain sensitive data can be confusing. What schools really need is a trusted partner that can help them navigate the regulations, map out their own approach to data security, and help them to review it regularly.

Q. How much of this comes down to material solutions (better software, etc.), and how much down to human solutions, such as better training for staff and students?

The human solution is vital. It’s important for schools to be able to take ownership over this issue themselves, to conduct their own security audit (with guidance) and to have a clear understanding of what is expected of them. This means that training and awareness are the two most important tools for data security. Awareness will mean that compliance is front and centre when procurement decisions are being made, especially as more and more schools move to cloud-based services. Training means that staff are more aware of the instances when a data breach is possible, and become more vigilant at securing their data.

It’s also important that the training is reviewed regularly, as risks can evolve, whether from the use of new systems within the organisation, or from new external cybersecurity threats. This doesn’t have to be lengthy training; just a series of simple reviews and updates for all staff, to remind everyone of the key principles. 

Without these reviews, the human solution may not be as consistent as it needs to be, and simple errors – such as copying the wrong person into an email with sensitive information, or leaving your laptop on when you leave a room – can lead to significant data breaches.

Q. Do schools and universities face a slightly different set of issues from other industries, when it comes to data security?

A public sector organisation that handles sensitive information about children will always face different concerns. Schools share data with third parties; often software companies who provide curriculum resources or management information systems. Consent for this has been quite troublesome for schools as they are not sure whether sharing pupil data for this is part of their public task as a school, or whether they need to seek consent. Some schools could be sharing with 20–30 different organisations.

Q. Is there one particular area (such as loss of sensitive information, malware, phishing etc.) where schools and universities are particularly at risk?

Threats are evolving constantly, and so are the solutions available to schools. I think the biggest danger actually comes from assuming that what is true today will be true tomorrow – the only way to be sure that you’re up to date on all threats is to review your data security protocols regularly.