
GDPR makes the management of personal data crucial for all organisations. And when it comes to the definition of ‘personal data’, it’s detailed and prescriptive. By the nature of the service they provide, educational establishments naturally handle a lot of student personal data, so here’s how to manage GDPR compliance for schools and colleges:
Control where your data is and how it’s stored, shared and accessed
Students, parents, staff and others expect that their school or college will maintain personal data in a safe and confidential manner. Under the GDPR there are strict requirements for managing and storing personally identifiable information.
What is Personally Identifiable Information?
Every piece of data or information that can be used to identify an individual is personally identifiable information (PII). This can include:
- name
- email addresses
- phone numbers
- social security numbers
- an IP address
- a user name
- a login ID
- a social media post
- a photograph
- a video from a security camera
Audio-visual, geolocation, biometric, ethnic, religious, sexual and behavioural data can also be classified as PII.
Individuals, or ‘subjects’ as GDPR defines them, are in the case of schools and colleges not only students but also staff, and under the GDPR they are entitled to know, on request, what information the school or college holds on them.
All personal data about students and staff needs to be held securely in order to be GDPR compliant.
And if students are under 16, there are additional safeguards under GDPR as to the processing of their personal data that need to be taken into account.
Data encryption, security protocols, storage and transmission will be at the forefront for schools, colleges and other educational establishments in meeting their GDPR compliance obligations.
Here are some steps to take to gain control of student and staff data:
1. Make sure that all personal data is stored securely
Is student and staff data secured both physically and electronically and is all access to it safeguarded, logged and tracked?
2. Encrypt all personal data
Is your student data encrypted – at rest, in transit or end to end? Look at solutions to encrypt student data in order to keep it safe and secure.
3. Restrict unauthorised access to personal data
Are user privileges in place to restrict unauthorised access? And are there appropriate privileges in place for authorised users?
4. A designated person should be responsible for security
The designated person should also implement periodic reviews of the measures and practices in place to make sure they are compliant.
5. Communicate privacy information clearly
Under the GDPR schools and colleges need to tell students (and staff) how they intend to use their information. The privacy policy should also give the lawful basis for processing their data, data retention periods and that individuals have a right to complain if they think there is a problem with the way your school or college is handling their data. The GDPR requires the information to be provided in concise, easy to understand and clear language.
6. Implement secure sharing of personal data
This means not only internally but with particular regard to external sharing with third parties as well. Put data transmission controls in place, e.g. personal data should not be sent by email attachment. Implement a secure sharing system instead that ensures the data is sent securely and to the correct person.
Student and staff data ideally should not be stored on public cloud services such as Google Drive or Dropbox, as complete security cannot be guaranteed in public cloud.
Recommended reading: GDPR Compliance: Private Cloud vs Public Cloud Explained
7. Third party access to student data
Where student or staff data is transferred to any third party processor, make sure that you have a written contract in place and a procedure for data breach.
8. Ensure data retention/deletion policies are put in place
You will need policies to ensure data isn’t kept beyond the necessary timeframe. Schools and colleges should have:
- A defined policy on data retention periods for all personal data
- Procedures to implement the policy from a management, clerical and computer point of view
- Processes to anonymise personal data after a defined period where there is a need to retain non-personal data.
If a student contacts your school or college and requests that their data be removed from your databases, you will be obliged to do so, unless you have a legitimate reason to retain the data. So you will need a deletion policy as well.
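As an added example (not code from the article or from Rinodrive), the following Python sketch shows the mechanics behind items 8 and 9: records are anonymised once their category's retention period has passed, an erasure request is honoured unless a documented legitimate reason to retain the data exists, and every action is written to an audit trail. The retention periods, PII field names and sample records are constructed placeholders, not values from the article.

```python
from dataclasses import dataclass
from datetime import date, timedelta
# Constructed, illustrative retention periods (days after last activity);
# a real school would take these from its written retention policy.
RETENTION_DAYS = {"enrolment": 365 * 7, "attendance": 365 * 3}
PII_FIELDS = ("name", "email", "phone", "date_of_birth")

@dataclass
class Record:
    record_id: str
    category: str
    last_activity: date
    data: dict
    legal_hold: bool = False  # legitimate reason to retain, e.g. an open complaint

def anonymise(record, audit):
    """Strip PII fields but keep non-personal data such as year group."""
    removed = [f for f in PII_FIELDS if f in record.data]
    for f in removed:
        del record.data[f]
    record.data["anonymised"] = True
    audit.append({"record": record.record_id, "action": "anonymise", "fields": removed})

def apply_retention(records, today, audit):
    """Anonymise records past their retention period; returns the ids touched."""
    touched = []
    for r in records.values():
        expiry = r.last_activity + timedelta(days=RETENTION_DAYS[r.category])
        if today >= expiry and not r.legal_hold and not r.data.get("anonymised"):
            anonymise(r, audit)
            touched.append(r.record_id)
    return touched

def handle_erasure_request(records, record_id, audit):
    """Delete the record on request unless a documented hold applies."""
    r = records.get(record_id)
    if r is None:
        return False
    if r.legal_hold:
        audit.append({"record": record_id, "action": "erasure_refused", "reason": "legal_hold"})
        return False
    del records[record_id]
    audit.append({"record": record_id, "action": "erased"})
    return True

def sample_records():  # constructed sample data for a dry run
    return {
        "s1": Record("s1", "attendance", date(2015, 6, 30), {"name": "A", "email": "a@example.org", "year_group": 9}),
        "s2": Record("s2", "enrolment", date(2017, 9, 1), {"name": "B", "phone": "000", "year_group": 11}),
        "s3": Record("s3", "enrolment", date(2016, 9, 1), {"name": "C", "year_group": 10}, legal_hold=True),
    }
```

Run `apply_retention(sample_records(), date.today(), [])` to see which records would be anonymised on a given day; the audit list is what you would keep to show a regulator what was done, when and why.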
9. Implement an audit process for data and activities
Are you able to audit your student data to allow you to see if data has been changed, shared, accessed, deleted or in any way interfered with and by whom and from where?
10. Put a risk plan for data breaches and data loss in place
Have you put in place a serious data breach risk plan? This includes PR and communications, customer communication, regulator communication, data security and so on. Do you have backup plans in place so that student data can be accessed even after damage or loss?
Recommended reading: The Costs of a Data Breach May Shock You
Making Sure The Way You Store Student Data is GDPR Compliant
Putting data storage and processes in place to securely store and manage your students' data means your school or college will be able to better manage compliance, as well as the requests and risks involved.
Storing and sharing student data securely will make data breaches less likely but also provide invaluable documented mitigation for the regulator if they do happen and lessen the probability of heavy fines or penalties.
Rinodrive has been built to meet these requirements. It can map and seamlessly ingest your organisational data into a dedicated secure infrastructure to help your school or college be compliant. Try Rinodrive and discover for yourself that there’s an affordable and easily implemented solution.
Ready to give Rinodrive a go? Signing up for a free trial is just
How has your school or college implemented changes for collection and storage and sharing of personally identifiable information? Any tips on managing GDPR compliance for schools? Did you find this article useful? Tell us your thoughts in the comments below.
Join our conversation ‘all about data’ on Twitter and LinkedIn. And keep up with what’s going on in the world of data by trusting us with your email for monthly mailings (and we store it on Rinodrive so it’s super safe).
About The Author:
Before joining Rinodrive, Jill Holtz founded Mykidstime.com and Digital4Sales.com, as well as a spin-off company Clearbookings.com.
In her past life, Jill worked in CRM and Marketing Support managing projects for British Gas, Royal Bank of Scotland, Barclays Bank, AIB, as well as holding product management and communication roles in several technology companies. Jill holds a BSc in Mathematics from University of Glasgow, an MSc in Operational Research from University of Strathclyde and a 1st class honours Executive MBA from NUI Galway. Jill was included on Technology Voice’s 2014 list of Ireland’s Talented Technology Women. She has a passion for digital and social media marketing and is an experienced writer and speaker.