Schools rely on data for many of their operations, including everything from payroll processing to tracking student performance and progress. Much of this data is personal and sensitive. As such, it needs to be protected.
Ensuring data in schools is being used and kept correctly can seem like a daunting task, so how do you ensure that your data storage is up to scratch?
We spoke to two data protection experts to find out whether cloud storage could be the solution to keeping schools’ data secure and what school leaders should consider before making the leap.
What are the specific data protection challenges faced by schools?
GDPR (General Data Protection Regulation) came into full effect in May 2018, modernising previous data protection rules. These rules were almost two decades old and struggled for relevance as modern lives went online and became increasingly data-heavy.
“Education is a sector that likes to hold on to data ‘just in case’ and where teachers often took historical data with them when moving schools to help make their case for pay progression,” says Tony Sheppard, former head of services at GDPR in Schools and founder of My Data Protection World.
However, with the arrival of GDPR, that changed – or, at least, it should have.
“We see some very good practice and a lot of common sense prevailing, thankfully, but I would still say that data protection and privacy are the forgotten element of risk within schools,” he says.
“If you’re a commercial company with a sales database, there’s a lot of very clear and specific guidance out there for you to apply. In education, we have to work a bit harder to find those resources and that can make the task intimidating.”
What is cloud storage?
Cloud storage can be an effective option for schools looking for a solution to their data issues – but what exactly is it?
“Put simply, cloud storage allows users to store their data remotely on servers run by a specialist provider,” says Sarah Lyons, deputy director for economy and society at the National Cyber Security Centre (NCSC).
“Just as with a physical storage locker, a customer effectively leases storage space from the provider – and then sends their files over via the internet.”
Cloud storage offers an additional alternative to storing data locally – for example, on a school computer – and provides a number of benefits when configured properly, such as improving the availability of data when not on-site and supplying a remote backup.
“Storing data remotely can be helpful in the event of a cyber incident, as the data is stored away from any infected computers on site. It can help protect against physical security issues, such as theft or fire, too,” Lyons adds.
Is cloud storage more secure than conventional storage?
“There can be a temptation to try to control as much of your IT as possible on-site,” says Lyons. “But having physical control of your computers and data is not the same as securing it effectively, and the right cloud storage provider may be able to help do this better.”
When configured properly, cloud storage can offer many security advantages to schools, as the service is managed by the provider, which should understand how to keep it secure and have dedicated resources.
However, schools still have a responsibility for keeping the data secure by managing who can access the cloud and configuring settings to prevent sensitive data from being made public accidentally.
Sheppard agrees. “Schools cannot pass off their risk to someone else,” he says. “A good provider will be open and transparent about their responsibilities and support the school’s data protection officer in fulfilling theirs.”
The NCSC also reminds school users that they should continue to follow good cyber security practices, including using strong passwords and having two-factor authentication set up on cloud accounts to prevent unauthorised access.
What questions should schools and academy trusts ask when considering cloud storage?
When considering deploying new technologies, it is important for school leaders to weigh up the benefits and risks, and then discuss this with their IT team or supplier.
A range of cyber security guidance and resources for schools is available on the NCSC’s website, including advice aimed at helping governors ask questions to better understand their school’s cyber security.
The NCSC’s cloud security guidance offers further advice on how to configure, deploy and use cloud services securely, as well as tips on how to gain confidence in suppliers handling cyber security issues.
Lyons explains further. “Every organisation will have different security needs but schools might find it helpful to ask cloud storage providers questions including: is the data encrypted at rest as well as in transit – to reduce the risk of unauthorised access? How is access to the data managed – as this will be the school’s responsibility? And what protocols are in place at the provider for accessing data if there is an issue to resolve?”
When looking for a provider, Sheppard encourages schools to seek out helpful online communities and resources for word of mouth recommendations and advice.
“The Information and Records Management Society has also produced a toolkit to help schools manage their data. It’s comprehensive and user-friendly, and makes a great starting point,” he says.
“Transparency and clarity are vital, as are strong testimonials and plenty of real-world examples of how they’ve helped schools with their data storage issues,” he adds. “And communication is vital, with both parties needing to understand their roles, responsibilities and the operational instructions involved.”