GDPR: The five things teachers should do first
General Data Protection Regulation (GDPR) will reshape the way organisations approach data privacy in the European Union and beyond.
GDPR will come into force on May 25, 2018, and is designed to harmonize data privacy laws across Europe and to protect and empower all EU citizens’ data privacy.
It covers such topics as data breaches, citizens’ right to access data, their right to have personal data erased, and the requirement to design systems with data privacy built in from the start. Failure to adhere to GDPR could result in significant financial penalties.
To help educators prepare for the new laws, Microsoft included a GDPR session in an educational conference it held recently at its London office.
As part of the event, Mark Orchison, Managing Director at education technology consultants 9ine Consulting, revealed the five aspects of GDPR that educators should understand first.
Be aware of the impact of the UK government’s “10 steps to cybersecurity” when using IT in school
In 2016, the National Cyber Security Centre published guidance on how organisations can protect themselves in cyberspace. It contained an introduction to cybersecurity, a white paper on what common cyber attacks look like, and advice sheets on how to prepare your systems. Advice includes identifying your risk management regime, making sure your network is secure, managing user privileges, dealing with incidents and working from home.
Protect data when communicating with other people
Under current laws for collecting personal data, an organisation must tell an individual who they are and how they will use the information they receive. This is usually done through a privacy notice. When GDPR comes into force there are additional things organisations will have to tell people. For example, they will need to spell out their lawful basis for processing the information, their data retention periods and that individuals have a right to lodge a complaint with the Information Commissioner’s Office if they think there is an issue with the way their data is handled (teachers should ensure spreadsheets are password protected). GDPR also requires the information to be provided in concise, easy to understand and clear language.
When using your own technology (phones, laptops, PCs etc) ensure it is password protected and adequately encrypted
Encrypting your devices helps to protect user data from theft and other malicious actions. Full-disk encryption allows the owner to protect everything with one easily-remembered passphrase, which is entered when the device boots up. A hacker will be unable to access the data without this passphrase, even if they remove the hard drive. Encryption also offers IT professionals the opportunity to enter a legal “backdoor” into the system, so they can gain control when a staff member leaves, for example. Windows 10 contains BitLocker, which enhances file and system protections. BitLocker also helps render data inaccessible when BitLocker-protected computers are decommissioned or recycled.
Ensure laptops and PCs have adequate encryption, antivirus, malware and other protections
Teachers often work at home in the evening, at weekends and during school holidays, but this can raise issues when it comes to data movement and storage. Information relating to pupils and staff can be lost or stolen if stored on unprotected USB sticks and personal laptops – according to research from EE, almost 10 million mobile devices such as smartphones, tablets and laptops containing sensitive business data were lost by employees across Britain in 2013/2014. Moving data to easily accessible WiFi networks will also raise concerns. Always keep personal and work-related information separate, and encrypt all files and devices that relate to your job.
Teachers should not rely on using USB sticks
According to the Government’s “10 steps to cybersecurity” the use of USB sticks should be limited, they should be encrypted and that the school devices they plug into have adequate end-point protection. So many storage devices are lost and stolen every year that some organisations have banned staff from using portable hard drives and USB sticks. If you have to use flash drives then ensure they – and the files on them – are encrypted. End-point protection means that users make sure every device – PCs, laptops, phones or servers – is responsible for its own security. This includes the use of antispyware protection, firewalls, warning systems and user controls, among other features.