Avoiding data protection breaches in schools: Eight things you need to get right
With the General Data Protection Regulation (GDPR) coming into force last year and changing the face of data security, it has never been more important to ensure your school is doing everything it can to keep sensitive data secure. Pupil and staff data alike need to be protected. That protection goes beyond the security set up by your IT experts and is something every member of staff needs to be mindful of.
Creating a positive and proactive data protection culture within your school doesn’t need to be a difficult or time-consuming process. With clear communication of some basic principles, staff can learn how to stay safe and can help to avoid any potential problems. With this in mind, here are eight simple things your staff need to get right when it comes to data protection.
Laptops left unlocked
If someone needs to step away from their laptop, it is important to ensure they lock their screen first. It can be tempting to leave it be if someone is only stepping away for a short time, but it only takes a second to use an unlocked device to access sensitive data. Locking a laptop is just as quick: in Windows, hold down the Windows key and press L; on Mac, use control, shift and eject.
Children looking over a shoulder
Laptops hold a wide range of potentially sensitive data; it is important to remember that much of this may need to be kept private and protected from the pupils in the school and not just external sources. If a member of staff is accessing data around children, for example in a busy classroom, it is important to ensure that there is no one watching over their shoulder or in direct sight of the screen.
Taking documents offsite
Teachers are extremely busy, which means they are often required to take documents and equipment such as laptops offsite after school hours. Doing this presents a risk should anything be lost or stolen while away from school. It is vital to remind staff that they should always know where any sensitive information is being kept, and to put a clear and simple process in place that allows them to report any missing documents or equipment quickly. An even better solution would be to take full advantage of cloud services to ensure staff can always access the files they need from home without taking anything offsite.
Documents not being destroyed properly
You should always destroy any physical documentation containing sensitive information once it has ceased to be of use, and this should always happen in an appropriate manner that will prevent anyone from accessing it. The most secure method of doing this is to shred the documents before recycling them instead of just throwing them away. To make this as easy as possible, make sure all staff know where they can go to access nearby paper shredding facilities.
It may be hard to believe, but ‘password’ and ‘123456’ are still among the most commonly used passwords in the workplace. Such passwords present a large security risk as it is not just people on school property who can potentially gain access to important accounts such as email, social media and more. The best way to combat this is through raising awareness and teaching staff how to choose a strong password. A common barrier to using such strong passwords is the task of remembering them; this can be made simple by integrating a free password management tool such as KeePass into your IT set up.
Opening suspicious emails
Email-based attacks have become increasingly sophisticated over time. Emails that are designed to appear to be from suppliers, parents or large companies such as Microsoft or Apple can aim to get you to click an unsecured link, hand over sensitive information or open a dangerous attachment. While your email security will block many of these emails, there may be some that make it through, and staff mistaking these emails for genuine ones is a significant security threat. Your staff need to be trained by your IT experts in how to spot and deal with these emails, and they also need to know whom to report it to should they open a suspicious email.
Another way in which schools can be a target is through voice solicitation, which is essentially where your school is contacted via the telephone by someone who falsely claims to be from a company or a parent of a child at the school. They do this to request access to sensitive information over the phone. With this in mind, it is always important to have a process in place for verifying whom you are speaking to when a call comes in before sharing any sensitive data. You can also put policies in place limiting the type of information that you will share over the phone.
Using anti-virus software is an effective way of protecting your IT systems against cyber-attacks, and you should confirm with those responsible for your IT that this is in place. In addition to this, it is vital to keep any anti-virus, as well as other software, up to date to ensure the latest protections are always installed.