Safeguarding and Data Protection:
Safeguarding and data protection are two interests that are traditionally depicted as being at odds with each other. The Department of Education lists frequently asked questions which include:
- Are the GDPR and Data Protection Act 2018 barriers to sharing information?
- Does the common law duty of confidence & the Human Rights Act of 1998 prevent the staring of personal information?
- Is consent always needed to share personal information?
The answer to all these questions is a resounding “no”!
To quote the ICO directly: ‘It is important to remember that the GDPR and human rights law are not barriers to justified information sharing but provide a framework to ensure that personal information is shared appropriately.’*
Then why is it the case that these interests are viewed as opposites? Why must it be safeguarding OR data protection? Both are surely fundamental considerations in the interest of protecting the individual.
‘Safeguarding’ is a term often associated with ‘child protection’ and can fundamentally be understood as promoting the welfare of children, protecting them from maltreatment and taking action to enable all children to have the best outcomes. Whilst many people see data protection as a legal requirement impeding the delivery of education and restricting the use of online resources, its purpose is to protect its data subjects, protect minors, your students, from harm caused by the exposure of their personal data. This therefore makes it a valuable tool to enhance safeguarding.
How to marry safeguarding and data protection:
The advice given by the DofE is:
- Be open and honest from the outset about why, what, how and with whom information will, or could be shared, and seek their agreement where possible.
- Safety and wellbeing are of utmost importance – base your information sharing decisions on the considerations of safety.
- Keep a record of your decisions and the reasons for them – whether it is to share information or not.
- Seek advice if you are in any doubt about sharing information without disclosing the identity of the individual.
The general framework given by the government states that information sharing (including the sharing of safeguarding information) needs to be necessary, proportionate, relevant, adequate, accurate, timely and secure with the ultimate intention of protecting the safety, wellbeing and future of the individual.
The last point, the ‘security’ of this transacted data is of the utmost importance, as this is where safeguarding guidelines and data protection law converge with cybersecurity. The security of data, whether utilised, stored, shared or transacted, is a fundamental priority and is considered so by both the DofE and the Information Commissioners Office (ICO). There are various measures you can take to secure your data, many of which are technological in nature – constant monitoring of network and endpoint devices, penetration testing and cyber safety training to name a few. The fact is that the safety of your network and connected devices is fundamentally tied with the safety of your data and pupils.
Finally, and perhaps most fundamentally, government advice specifies that should there be any doubt regarding information sharing (safeguarding or otherwise), schools should consult and seek advice from experts.
Delivering value to Independent Schools with good data protection practices
As we have noted, data protection and safeguarding are intrinsically linked and ultimately serve the same purpose: protecting the welfare of children. In short – a breach of data protection policy and the disclosure or release of sensitive data about a child can harm their future opportunities which is, in effect, a breach of safeguarding principles.
Schools gain notoriety for public breaches of ‘special category data’, the ICO takes these cases seriously and has been known to fine schools, penalising them for breaches of confidence. The direct financial burden of a fine is often minor in comparison to the loss of revenue resulting from the negative effect this can have on reputation.
However, rather than implement data protection practices as a result of fear of the financial or reputational impact of a fine, it is far more liberating to consider the manner in which data protection practices can deliver value to educational organisations. By putting children first and protecting their online safety and wellbeing, schools have the opportunity to differentiate themselves and put themselves in a more competitive position. With a strong safeguarding and data protection record, a school protects its reputation and engenders parent loyalty, increases customer retention and child success.
How can you do this?
- Cultivate a reputation of data privacy.
- Seek transparency with all data processing – inform the individual, where possible, of how, why and where their data is being processed, utilised and stored.
- Seek transparency with all data processing – inform the individual, where possible, of how, why and where their data is being processed, utilised and stored.
- Include data protection and IT acceptable-use guidelines in your safeguarding policies
- This demonstrates that you appreciate the link between safeguarding and data protection and take these responsibilities seriously.
- Parents value the safety of their financial information and the wellbeing of their child, both in person and online. This extends to their data privacy.
- Ensure the safety of information
- As the government guidelines specifies, secure data. This can be done through a comprehensive Cyber Security as a Service (CSaaS) offering which includes Threat Detection & Response, Vulnerability Management, Penetration Testing, Email Threat Prevention & Cyber Safety and Phishing Awareness.
- Train ALL staff in both data protection and cyber security responsibilities. 80% of cyber security incidences occur via the ‘human element’ (i.e. successful phishing attacks) and 69% of 450 schools audited had suffered phishing attacks in 2019.
- Prepare for the worst and cultivate a data breach and cyber security incident response plan
- If in any doubt, consult an expert!
- Call us on +44(0) 203 855 6215 or email info@normcyber.com to start a conversation about how we can support you, update your GDPR compliance and deliver value by implementing good data protection and cyber security practices.
Sources:
Information sharing advice for safeguarding practitioners
Keeping children safe in education
Also see NCSC & LGfL Cyber Security Schools Audit 2019 for statistics on cybersecurity breaches
Further reading:
Damages awarded against school for misuse of pupil information
Written by Isabelle Churchill
Isabelle Churchill is a member of the norm. sales team. She joined the team having graduated with a First-Class degree from the University of Bristol and is currently focusing her research on an analysis of the cybersecurity and data protection needs of the education sector.