Schools have an ever-increasing workload, which means that some things can occasionally fall by the wayside. In our experience, data security, GDPR and related issues are often some of the first things to be deprioritised. There are many reasons for this – let’s face it, data protection and GDPR requirements are hardly the most exciting things for school staff to think about!
However, schools rarely fall short when it comes to safeguarding. Everyone in the school takes it seriously, appreciates the need for it to be an important part of their role, and therefore tends to keep up to date on it and makes sure they consciously take it into account at all times.
In actual fact, data protection forms a part of safeguarding! But school staff don’t always appreciate this.
Think about this scenario for a moment…
A member of the Safeguarding Team is sending an email from your primary school to the local social worker in advance of a case review meeting. The email includes details of an incident between a pupil and the parent of another child who yelled abuse at the pupil.
The staff member, like all school staff, is under pressure with a high workload and a lack of time. When adding the recipient to the email, they click the name of the social worker and fire off the email.
Unfortunately, the social worker’s name happens to be very similar to that of another contact in the address book and the staff member has inadvertently selected the wrong email address. Completely accidental, but the email has now gone to someone who should not have this information about the pupils or parents involved.
No problem – just recall the email and apologise to all concerned. Nothing to get too worked up about, is it?
In the first place, recalling emails rarely works. The email can only be recalled if it has not been read or previewed by the recipient. Be honest here, if you spot a request to recall an email, the first thing you think about is whether you should go and look at the email – after all, it must be something juicy if they want to recall it!
Secondly, this is a clear data breach and needs to be reported to your DPO so that they can assess the impact of it, decide on actions that need to be taken and, if serious enough, report the breach to the ICO.
Thirdly, and most importantly, depending on what information is contained in the email, this could be a serious safeguarding issue.
Let’s think this through…
- The school name is identifiable, so this ‘wrong recipient’ now knows which school the pupils attend.
- If the pupils’ names are included, the recipient also has the names of the children involved.
- If the name of the parent involved is included in the email, they have that information also.
- There will be a description of the incident that took place – more knowledge the recipient has gained.
- The name of the social worker is likely to be on the email too.
Should the recipient themselves be of an ‘unsavoury’ nature, or should the recipient talk about this error with friends or colleagues (as is likely to happen) and one of those be ‘unsavoury’, it would provide them with all the information they needed to approach the pupil and gain their trust – after all, they know the child’s name, their social worker’s name, details about the incident, what school the child attends etc.
If nothing else, it could lead to embarrassment for the child and/or their family if it became widely known that a social worker is involved at all.
All highly unlikely to happen, I’m sure we agree – but would you want to be the school or, even worse, the member of staff that sent the email incorrectly, if something did happen?
Another scenario to consider.
A member of staff is passing through the reception area when the telephone starts ringing and the office staff are not there or are busy dealing with a parent at the counter. Being a helpful person, the member of staff answers the telephone to a pupil’s father who just wants to check that his daughter will be finishing school on time today as he needs to pick her up promptly to take her to the dentist.
The member of staff recognises the name of the pupil in question and confirms that they will be leaving at 3.15pm as usual. ‘Thanks,’ says the father… and the member of staff goes about their day thinking ‘what a helpful person I have been’.
Unfortunately, unbeknown to this helpful member of staff, the father in question has a court order against him that insists he must not know the whereabouts of the child due to serious safeguarding concerns. He had been ringing round schools in the area in an effort to find his daughter, and the member of staff has now unintentionally confirmed she attends your school.
That afternoon, there is a serious incident in the playground when the father arrives and tries to take the daughter home, with the mother screaming for help.
Again – highly unlikely to happen, but would you want to be the school or even worse, the member of staff concerned, if something did happen?
Be sure that your school takes data security seriously. Link it intrinsically with your other safeguarding awareness and training. Give some examples of what could go wrong and why it is so important to protect information at all times.
A large proportion of data breaches are caused by ‘human error’. Mistakes made by well-intentioned people, such as using the wrong email address, can be prevented by training staff to always double-check the email addresses they are sending to before they actually press ‘send’!
Equally, staff training should cover the importance of not passing on information or confirming anything over the telephone without first checking who is at the other end and that they have the right to the information. This reduces the risks.
Data security genuinely is safeguarding – make sure your school and all its staff appreciate this and take it seriously. Good quality, regular data protection training is a requirement of GDPR and should be seen as another part of your school safeguarding strategy.
If you want advice on your data security compliance, staff training etc., please contact us at firstname.lastname@example.org for an informal chat.
Steve Baines is a qualified GDPR and Data Security professional with many years’ experience as a Data Protection Officer as well as having led GDPR training for thousands of school staff.