A matter of Principle

Following the recent high profile cases of personal data gone missing, Richard Bird looks at what schools and colleges should be doing to protect students and staff and stay within the law.

The public debacle of the disappearance of millions of personal details from under the watchful eye of civil servants has raised alarm with some heads and principals as to the vulnerability of their institutions.

They are right to be concerned. Whatever consequences do or do not befall government departments, there is civil liability for failure in data handling and indeed, the possibility of criminal action.

Principle 7 of the Data Protection Act is that appropriate measures should be in force to prevent the unauthorised processing or accidental loss, destruction of, or damage to, personal data.

It is also a criminal offence unlawfully to disclose personal data. 'Unlawfully' means 'knowingly' or 'recklessly', though exactly how it will apply in any one case will depend on the judge and jury. In essence, the person concerned must have known that a danger of harm existed and then acted in a way that showed a disregard for it.

If a teacher went into a pub, opened his or her laptop (which was not protected by a password) which had a database with pupils' names and addresses in it, and then left the laptop on the table while going up to the crowded bar to get a drink, that might well be found to be reckless.

What if a teacher's laptop, again unprotected by a password, was stolen from the boot of his or her car at a motorway service station where notices about the risk of theft from cars are prominently displayed? It might be considered gross negligence; but if the data was subsequently misused there would still be a basis for legal action.

What about PDAs or hi-spec mobile phones? What about wireless internet? What about flash drives/memory sticks left lying about? What about student hackers? All of these carry real risks.

Weigh the risks

The view of the information commissioner, who monitors data protection and freedom of information, is that absolute rules cannot be laid down to cover all eventualities. A risk assessment approach is the correct one, which balances the seriousness of the consequences against the likelihood of the event.

There is no doubt of the risk. Data held includes personal details of staff, pupils and parents. It includes addresses, names, ages, perhaps occupations, race, and in the case of staff, bank account details and qualifications.

Paedophiles and fraudsters would find such data extremely interesting and the level of embarrassment that might be caused is immense.

The damage to the school's or college's reputation would be serious; and while government ministers and civil servants so far seem immune to consequences for data loss, it is unlikely that a senior leader in education would not come under some pressure to consider his/her position.

So what are the 'appropriate technical and organisational measures' referred to in the seventh principle? Compliance starts with locks and bolts for physical files; locks on laptops that may go off site; and firewalls and passwords for wireless routers, software files and IT equipment.

Archives are also important. Assuming that some material has to be held (and data should be held for no longer than is necessary), it should be held in a secure place.

And those old computers you donated to charity...Did you make sure that the hard drives were wiped completely? There are highly competent IT technicians in Lagos, Nigeria, who make a fair living by extracting personal data from old hard drives and passing it to enterprising people who know how to profit by it.

Keep data on site

There are also procedures and rules: some organisations working with families use codes and numbers in place of names for data that goes off site; some encrypt.

An institution must do what is reasonable. It may be better simply to have rules about what data can be taken off site and forbid downloading of students' confidential data to memory sticks and other vulnerable storage devices.

Does the school/college have rules of access at different levels? Are there rules about not giving access to unauthorised people? Just as it would be reckless to allow any member of staff to burrow about staff files unsupervised, so is letting someone have an access password above their level.

Finally, there should, at a minimum, be training and an active monitoring scheme. And the monitoring scheme must be made known to all staff so that they cannot later sue for a breach of the Human Right to respect for their private life.

This is just the outline. The Information Commissioner's website at www.ico.gov.uk is helpful; but the school/college might be well-advised to seek specialist advice in ensuring that they are safe processors.

Oh, and by the way, did you have that CCTV system in place when you made your initial notification to the Information Commissioner? CCTV produces data and it should be declared.