Data breach doesn’t just happen to other schools

By | March 31, 2016


This post is prompted by a #bettchat session I hosted on Twitter about the emergence of myriad data protection threats due to the ubiquity of mobile personal technology in UK schools.

I worry about how prepared the sector is to counter these threats, and even how aware of them it is. If I had to bet on the next big education scandal to hit the mainstream press, a large-scale breach of pupil data would be among the front-runners. It will happen somewhere – the extent and seriousness of the breach will be determined by how well the school in question has managed this risk.

Wow, that was a depressing start. Let’s just remind ourselves of something positive: appropriate technology in schools can be highly beneficial, both administratively and educationally. That’s why we all use it. For example, many teachers will have used an app that helps organise seating charts and presents information about learning needs. Equally, learning tools that allow work to be sent to pupils, and to be sent back completed for marking, are creating positive, rapid cycles of assessment and feedback. Purposeful, force-multiplying stuff, deployed for all the right reasons.

However, both of those beneficial examples of educational technology rely on sensitive personal data about pupils in order to work. They need to know contextual data (name, form, age, gender… possibly more) to function at even a basic level. And that’s before we take into account the data which the user (teacher or child) is creating with that app. The hyperlink above leads to the ICO’s definition of sensitive personal data, but to summarise, these are data by which someone can be identified and which no one would otherwise be able to know about them. Schools are legally required to keep these data secure.

Now think about all the things we routinely record about pupils – notes on attitude and behaviour, learning needs, pastoral incidents, assessment grades and predictions, end of year reports, their contact details, etc. These are all sensitive personal data. They have historically been kept in a school’s MIS (protected by a firewall and log-in credentials), which is a relatively safe place to keep them. Let’s face it, even if you left an unattended computer logged into most MISs, a passing casual data thief would be defeated by the ‘design’ of the interface anyway…

Similarly, children have created data whilst in school about themselves for decades – documents, photographs and videos – and these data have been both controlled by device functionality and context (you’re probably not going to try sexting your peers using a school digital camera, for example) and by the fact that they also typically reside within the school’s secure network and building. However, things have changed dramatically in the last couple of years.

Data breaches still happened in this locked-down 2009-ish example of school IT, but generally they were restricted to things getting sent to the wrong printer/posted to the wrong address. Because of this, I think schools may be falsely confident about their level of risk. School leaders may have heard about large-scale data breaches such as the Fappening, or even searched the Ashley Madison email logs in a rising panic after reading about that one.

But in my experience, not many schools or governors feel their institution is itself at risk from similar breaches.

If you’ll permit a History teacher’s overblown analogy, it’s like we’re all living in villages at the foot of Vesuvius in 100 AD. The mountain rumbles now and then but, hey, it’s been a while since Pompeii and anyway we’re not so stupid as to ignore the warning signs if they start up again…

This mindset is a dangerous one. It assumes that the IT world of 2009 (on-premise, locked down, school owned) exists today, which it does not.

It assumes that there will be time to act before a large-scale data breach affects every child in the school. Both of these assumptions are incorrect. The mountain won’t rumble ominously – schools experiencing a 2016-style data breach will be engulfed by its pyroclastic surges before they know what’s hit them.

In too many cases, we’ve entrusted unknown others with access to data without realising it. An alarming amount of data is now held by third parties on schools’ behalf, either hosted on cloud services (some of which are quite safe, some of which will not be) or – far less transparently – in the hands of app developers in who-knows-where.

The most obvious example is iCloud: when an iPad’s Photo Stream is left turned on, every photo that a child takes silently makes its way up to non-EU server farms which have recently experienced high-profile breaches. Scary stuff, once you think about the implications for more than thirty seconds. Thousands of other examples exist though – any app which a child or teacher uses is potentially taking user data of some sort off the device.

Do you know why? Do you know to where? Are you confident you remain in control of these data, as you are legally obliged to ensure? Perhaps you do, but only if you’ve stopped and asked these questions.

This is why a data protection process called a Privacy Impact Assessment (PIA) is a pretty essential management action for any school making use of apps on mobile devices (and recommended for every school introducing any new tech tool). The documentation may seem daunting, but in reality the process is just a matter of asking sensible questions about what you’re planning to do and making a judgement on risk. I’ve previously written about one school which has taken a very clear line on DP & apps here and it’s well worth learning from their experience.

If I had to boil all this down to a list of key actions for schools, it’d be as follows:

  1. Make sure Data Protection is a defined responsibility for someone on SLT and reports to the appropriate sub-committee of the governing body. Accountability and oversight are crucial here;
  2. Pay attention to the changing landscape of DP. is a good place to start. EU law in this area is shortly to change quite a bit, and there’s a new data sharing agreement between the EU and US you should probably understand too;
  3. Follow the DfE’s advice on cloud service providers. This is a really useful document;
  4. Introduce the concept of PIAs for every new thing you let teachers/students loose on.

Some people view data breach as inevitable in modern times – they may be right, and the only sensible response is to become alive to the risk and to do everything you can to mitigate its impact.


4 thoughts on “Data breach doesn’t just happen to other schools”

  1. Pingback: Modern Governor Data breaches don’t just happen to other schools

  2. Tony Sheppard

    I haven’t made a recent request but in the 10 years up to 2012 only 14 schools had signed an Undertaking and no school had been fined. The ICO has a wealth of resources and has tried very hard to connect with schools, but I also worry that there is a very serious disconnect between the risk and understanding about data in the first place.

    Still a lot of work to do and thankfully there are some out there working on it.

    1. norrishd833 Post author

      Yes, the ICO seems reluctant to sanction schools, but fines aren’t the thing schools should be worried about! Thanks for the comment Tony

  3. Tony Sheppard

    Yes, the fine is not important. The reaction to the sanction is the important bit. Unfortunately, having to sign an Undertaking is pretty meaningless as a deterrent to most senior leaders in schools. It used to be that Ofsted would at least admit that having signed an Undertaking would be a sign that the school has failed their Safeguarding obligations. That threat is now removed and as far as Ofsted are concerned, it is not their responsibility to check.

