Peter Hall
December 21 2023
Upholding the fundamental human right to privacy is crucial, whether individuals are offline or online. The education sector, encompassing both public and private institutions, faces distinct challenges in this regard. These organisations manage substantial amounts of special category personal data, including information on pupils, parents, and employees. This data spans from personal details to safeguarding information, medical records, and financial data. Additionally, educational institutions are entrusted with securely retaining this information, often over the long term, to validate alumni qualifications and certifications throughout their professional careers.
The benefits of collecting and processing this data evidently outweigh the cons. However, this situation raises serious risks and concerns relating to education data protection and privacy within the sector. For example, given that everyone is subject to mandatory education between the ages of 4-16 in the UK, educational institutions are handling personal information about an individual at their most vulnerable, provided by parents or legal guardians, and retaining that data for years after that individual has grown up, left the institution and long forgotten about the data it holds. This presents unique compliance obligations for these institutions to ensure they are upholding the data privacy rights of all individuals.
Consequently, the need for educational institutions to understand and comply with the UK GDPR regime cannot be overstated. This article therefore seeks to improve that understanding, while also arguing that to achieve the best results, it is necessary to look beyond compliance and consider broader security measures and certifications in order to build an overall culture of ethical data handling.
This article will first present the UK GDPR in relation to the education sector and the institutions that make up this industry and demonstrate that education data protection and privacy compliance is a unique challenge for these institutions compared to other sectors. Secondly, the implications of non-compliance with data protection and privacy will be outlined. Finally, an argument for going beyond simple data protection compliance and looking to achieve an overall culture of ethical data handling will be made.
Understanding Education Data Protection under UK GDPR
The Data Protection Act 2018 is the UK's implementation of the EU General Data Protection Regulation (GDPR), which was retained post-Brexit as the UK GDPR regime. For now, the rights and obligations remain the same: everyone responsible for the handling of personal data must follow strict rules called 'data protection principles' to comply with the legislation and avoid penalties or fines for unlawful data processing. Individuals and organisations must make sure information is:
- Used fairly, lawfully and transparently
- Used for specified, explicit purposes
- Used in a way that is adequate, relevant and limited to only what is necessary
- Accurate and, where necessary, kept up to date
- Kept for no longer than is necessary
- Handled in a way that ensures appropriate security, including protection against unlawful or unauthorised processing, access, loss, destruction or damage
This comprehensive understanding is crucial for navigating the intricate landscape of education data protection within the framework of the UK GDPR.
How GDPR applies specifically to educational institutions
The UK GDPR splits the act of handling personal data into two roles – Data Controllers and Data Processors. In most education data processing activities, the institution will be the data controller, meaning it determines whose information to collect, the types of data it needs and why collection is necessary. Data Processors, on the other hand, are responsible for the actual collection, storage, security and retention of the data. These are typically third-party suppliers to the educational institution but can also be the institution itself. Regardless, both roles are required to comply with the data protection principles.
The principles protect Personally Identifiable Information (PII), and also identify types of data that are likely to be more sensitive and to require stronger legal protection (known as special category data), such as personal data revealing racial or ethnic origin, genetic data, biometric data (where used for identification purposes) and data concerning health.
Key GDPR principles relevant to student data protection
There are a number of rights associated with the principles of the UK GDPR that educational institutions must uphold by building them into their processing activities. These rights include:
The right to be informed
Institutions must ensure all staff and students are aware of the UK GDPR, how the institution is collecting and storing their data and the implications of a breach, in a manner that is understood by them (i.e. in clear and plain language where minors are to give consent).
The right to give consent
Institutions should have systems in place that gather the necessary consent for data processing and verify the ages of individuals.
The right to know where your data is stored
Institutions must provide visibility on what software is being used for data collection, such as teaching, timetabling and other institutional apps and software.
The right to rectification
Institutions must give individuals the ability to request changes to their personal data if they believe it is out of date or inaccurate.
The right to erasure
Also known as the Right to be Forgotten, institutions must give individuals the ability to ask for the removal of their data. This will typically be exercised when the individual leaves the institution.
The right to restrict processing
For example, individuals can exercise this right to request that a process (e.g. an application for a bursary or other benefit) be examined personally, because automatic processing would not take into account a relevant consideration of the individual.
The right to data portability
Institutions must allow individuals to request, or consent to, the relocation of their personal data. For example, where a student is attending a partner institution (feeder school) and is due to attend the other institution next year.
These aforementioned rights pertain to all personal data collected by educational institutions, which typically includes but is by no means limited to:
- Contact information about pupils, students, learners, staff and carers
- Health information and medical records
- Details about recipients of pupil premiums, grants and bursaries
- Employee references
- Safeguarding information
- Diversity and inclusion information
- Passport information (for school trips abroad)
- Pupil exam references, results, qualifications and certifications
We can see how much of the data collected by educational institutions is, in fact, special category data.
So, educational institutions collect a large range of personal and special category data, from large groups of different individuals for multiple different purposes. It is not difficult to see how this can complicate the upholding of the rights conveyed by the UK GDPR. For example, the right to give consent is complicated by the different age groups that educational institutions administer.
In the UK, compulsory education applies from 5 to 16 years of age, and the age conferring the ability to consent to data processing is 13. Before the age of 13, the data is provided on behalf of the child by an individual with ‘parental responsibility’, i.e. a parent or legal guardian. This also means the accompanying data rights belong to the individual with parental responsibility, and not to the child. Typically, a child will attend a high school institution between the ages of 11 and 16, meaning there is a transitional period (at least legally) within the same institution regarding consent and how their data is to be handled. Therefore, schools must be aware of this transitional period, and account for its effects on the exercise of other rights, such as the right to be informed, the right to rectification, the right to portability and the ability to make subject access requests.
Implications of Non-Compliance
Failure to comply with the UK GDPR will put an institution in the crosshairs of the data protection enforcement body – the Information Commissioner's Office (ICO). The ICO can issue a range of different sanctions, depending on the severity of the education data protection breach. These sanctions include:
- Warnings and reprimands;
- Compliance orders;
- Bans on processing or data transfers (either permanent or temporary); and
- Administrative fines (financial penalties)
In regard to financial penalties, there are two categories of fines:
1. A maximum fine of £17.5 million or 4 per cent of annual global turnover (whichever is greater) - for infringement of the data protection principles or rights.
2. A maximum fine of £8.7 million or 2 per cent of annual global turnover (whichever is higher) - for infringement of other accompanying provisions, such as any administrative obligations.
These fines will negatively affect educational institutions differently depending on whether they are publicly or privately funded or have multiple streams of income that make them better able to absorb financial loss. However, there are also unavoidable legal claims and negative press that follow education data protection breaches, with most institutions taking serious reputation damage after an incident.
For education institutions that are in competition with others (such as universities, academies and certain colleges), an education data protection incident could cast doubt on the institution's prestige and operational effectiveness, subsequently affecting their rankings and number of applicants – which is ultimately the lifeblood of the sector.
Despite the possible consequences of data protection breaches, the education sector is among the worst for GDPR issues, with around half (50%) of higher education institutions and three in ten further education colleges (31%) reported as experiencing breaches or attacks at least weekly.
There are numerous case studies of cyber-attacks launched against schools. For example, Pates Grammar School and 13 others were subject to a cyber-attack that successfully targeted and stole data, including children's SEN information, child passport scans, staff pay scales and employment contract details earlier this year.
As well as stealing valuable data, cyber-attacks can shut down school operations entirely. For example, Leytonstone School has been forced to remain closed because critical documents required for operation were inaccessible, and Highgate Wood School had to shut down temporarily because it was unable to timetable and schedule classes properly.
The fact is cyber-attacks on educational institutions have far reaching disruptive impacts that can impact the lives of all who work or study in them in unquantifiable ways. This creates an unpredictable snowballing effect of consequences ranging from temporary fixable issues to complex legal claims, permanent reputational damage and costly enforcement action.
Going Beyond Compliance - Why it is essential for educational institutions to exceed minimum compliance requirements
This situation therefore warrants a careful, methodical approach that looks beyond the simple goal of achieving compliance and instead strives for continual improvement.
Article 5(1)(f) of the UK GDPR requires that personal information is “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures”. However, it does not detail precisely what these appropriate measures are, leaving it to the discretion of the institution to determine what is required. This circumstance, coupled with most institutions' tight financial budgets, sees differing measures being employed with varying degrees of adequacy.
However, the ability to demonstrate a robust security posture with accompanying practices can support and protect an institution in two main ways:
Firstly, having a robust security posture will obviously lower the likelihood of a successful attack and potentially mitigate a lot of the negative impacts associated with it.
Secondly, having good accompanying processes and practices allows for effective responses. Enforcement action is typically proportionate to the failings and subsequent response of an attacked organisation. It is understood that cyber-attacks are an unfortunate reality, so if the victim organisation can demonstrate that they have responded well and mitigated the effects of a breach, they can usually escape large fines from regulatory bodies.
Moreover, good data handling practices generally improve an institution’s operational efficiency, service, resource allocation and decision-making.
The benefits of proactively protecting student data beyond legal obligations
Therefore, proactively protecting student and employee data in a demonstrable manner is not only the best way to comply with the legislation, but also the best way to mitigate the negative effects of an attack (effects attributable to the attacker, the victim, the wider public and the regulatory enforcement body post incident) and to improve on mere compliance. To do this effectively, it is necessary to go beyond the requirements of the legislation and look to wider best practices and recognised security standards. One possibility is to subscribe to and maintain an information security certification. While policies are an effective method of demonstrating security practices, maintaining a security certification means that your institution’s information security management is subject to at least an annual external audit that validates its operational effectiveness against a continually improved security framework (Cyber Essentials, ISO 27001, etc.). Another possibility is to undergo a broader, more generalised external security audit (such as a cyber security maturity assessment) to identify gaps and receive more tailored recommendations on fixing them. Either way, moving towards a holistic information security management system, as opposed to ad-hoc compliance practices, is a step in the right direction.
Proactive data protection measures
For example, Cyber Essentials focuses on five key security control areas that are argued to effectively combat around 90% of the most common cyber-attacks. These control areas are:
- Firewalls
- Secure configuration
- User Access control
- Malware protection
- Patch management
These five relatively simple measures ensure that your endpoints are protected, your devices are set up to be secure during use, access to your data by users is provisioned in line with the principle of least privilege, your devices and network are monitored for malicious software, and all software is kept up to date with the latest security patches. However, there are far more than just five security control areas that can be looked at and managed.
For example, ISO 27001 has certified institutions regularly training their staff for awareness, actively monitoring their suppliers for security compliance, conducting their own threat intelligence activities, encrypting data and employing data classification to allow for differing rules for categories of data. These are far more thorough security measures that are not always applicable to every organisation. But demonstrating consideration, action and re-consideration in relation to as many security control areas as possible is paramount to putting your institution in the best position to operate safely in the risky online space.
The role of ethical data handling in education
To go a step further, an institution should strive towards an overall ethical data handling approach. This means that, regarding any interaction with data, careful consideration has been given to the five Ps - provenance, purpose, protection, privacy, and preparation. If adequate consideration has been given to all five of these concepts, then an institution can confidently assert that not only is it compliant with data protection legislation, but that it has made all reasonable efforts to handle data in a secure and methodical way.
The key takeaways
By way of conclusion, this article has demonstrated that data privacy is uniquely important within the UK education sector, given the broad range of individuals that engage with its institutions and the wide array of data these institutions collect, process and store. Consequently, compliance with data protection legislation presents unique challenges for educational institutions. There is a constant balancing act between recognising and upholding the data rights of all individuals whilst also operating an efficient and cost-effective institution. This balancing act requires institutions to continually check their own processes and practices to ensure they remain in a compliant state. Non-compliance with data protection principles can result in serious issues for an institution, whether that is having its data stolen by attackers, having its operations shut down for a significant period or having huge fines levied against it by the ICO. Therefore, to achieve the full benefits of robust information security management – that is, lowering the likelihood of an incident and mitigating the impact if one should occur – it is necessary to go beyond the requirements of the legislation and to look at recognised security standards and wider best practices with a view to developing an overall culture of ethical data handling.
Prioritising data protection
By prioritising data protection in this way, an education institution can spend its budget on improving how it handles data, rather than on funding the recovery from data loss and meeting the financial consequences of data breaches.
A call to action
To do this, education institutions should consider subscribing to and maintaining a security certification (such as Cyber Essentials or ISO 27001) or undergoing regular external security audits (such as a cyber security maturity assessment). This will help an institution identify gaps in its security posture and obtain recommendations for how to fix them. An institution that continually improves its information security management will soon reap the efficiency, reputational and compliance benefits and step closer to an overall culture of ethical data handling.