One in five UK schools believe their email systems are insecure, according to a survey by the Information Commissioner’s Office.
The data protection watchdog surveyed 400 schools across nine local authorities in the first half of this year. The survey also revealed that a third of those with password-protected IT systems admitted the passwords were not necessarily strong enough or changed regularly.
While schools have a “generally good” awareness of data protection laws, with 95% providing some information to pupils and parents about what they do with personal information, knowledge of how to comply with them is lacking, the ICO found.
“The survey results showed that whilst awareness of the law was broadly good, knowledge on how to comply with it wasn’t always there,” said Louise Byers, the ICO’s head of good practice. “In many respects that should come as no surprise – it’s not teachers’ area of expertise.”
The ICO issued a report containing four top tips to help schools comply with the Data Protection Act. These are: notifying the ICO of what they are doing with personal data (a legal requirement), being “fair” by letting parents and pupils know why and where CCTV is being used, taking care not to disclose personal information online, and keeping information secure.
The ICO also said schools should take time to ensure they have clear and practical policies, ensure that staff are trained in what they mean, and not forget to monitor whether policies are being followed. Other recommendations cover disposal, subject access requests, data sharing, websites, training, and answering freedom of information requests.
Last month Syscap, an independent funder to the education sector, warned schools that they could face “hefty” fines if they fail to keep private information secure.
Syscap pointed out that the ICO has issued 68 warning notices for data security lapses in the last year (to June 30 2012), up 51% from the 46 the previous year. The overwhelming majority of fines were against public bodies, Syscap said, with a number of warnings issued against education providers.
Recent warnings issued against education providers include Holly Park School (theft of an unencrypted laptop holding pupils’ personal data), Phoenix Nursery School (loss of device containing details of pupils, parents and guardians), and Godalming College (inadvertent blanket email to students containing sensitive information).
In August, the Telegraph reported Gabbitas, publisher of the UK Independent Schools Guide, had leaked personal data on school children – including comments about them from their parents – through its website. The company insisted that the data breach was the result of external attack and not an error on its part.