How schools can stop the data breaches
Did you know over 80% of data breaches in Australia this year occurred in the education sector? I didn’t either until I asked a member of my team to conduct some quick research of our own, and of the 6 publicised data breaches in Australia between January and July this year 5 breaches occurred in the education sector (NB: In the same period, there were roughly 186 breaches in the education sector published globally). Now, that’s either very unlucky or Australia’s education sector needs to address some serious privacy and data security shortcomings. I expect that we may see those numbers climb next year when mandatory reporting of notifiable data breaches in Australia comes into effect.
Our schools have it tough
I turned to the latest Deloitte ‘Australian Privacy Index 2017’ report. The report’s sub-title really made sense to me, “Trust starts from within.” The report’s core recommendation was to ensure sectors educate and train all their staff on privacy. Guess which sector landed last in the “meet Australian consumer expectations” and “exhibited good privacy practice” stakes? Yep, you guessed it, education. In 2016 education was ranked 6 out of 11 sectors. This year it dropped dramatically to the last place. Five years ago, no one really heard much about data breaches, but now it seems that overnight the education sector has become a key target (probably second only to healthcare). It makes sense that schools are a ripe target for those seeking to misuse personal information… just as it makes sense that, with the myriad responsibilities placed on school administrative staff and systems, some personal information could be inadvertently compromised. Just think of all the sensitive data and personal information that schools are responsible for; they retain banking information, medical histories and photos of your children to name just a few. And with Australian schools under pressure to innovate, they are struggling to balance the overwhelming array of new learning technology offerings from 3rd parties (if you attended the latest EduTech Conference in Sydney in May you would have noticed this) with the growing demands of privacy regulation, while simultaneously dealing with the reality of reduced funding and resources. New ‘privacy & technology’ issues must be an overwhelming headache for many school Principals and Boards right now.
How to make tech and privacy work better in our schools.
Now is the perfect time for school Principals and Boards to take a closer look at privacy. So, what should schools do?
Firstly, school principals can’t just stick their heads in the sand. Technologies will continue to demand more access to our lives, and schools will continue to feel the pressure to remain internationally competitive and produce world-class students. It’s time to face facts. The movement toward digitisation of our schools will continue, and some of the technologies we employ will require more than a cursory understanding of privacy and security issues.
Principals should take the next step and audit their current digital footprint. If their digital service providers are locally-based, secure and specifically engineered with privacy in mind then they get three ticks. Anything less and the school should seriously consider looking at alternatives.
Then they should go deeper:
- Does the school have someone in management who is responsible for privacy and (if it becomes necessary) the handling of personal data breaches?
- Do all staff understand what personal information is? For instance, do they know that images of students are generally considered “personal information” under Australian privacy law?
- Does the school offer meaningful privacy training to all staff?
- Do external contracts entered into by the school for the onboarding of new technologies contain relevant obligations in relation to the protection of personal information?
Addressing these questions will help place much-needed attention on privacy, educate schools about the potential privacy pitfalls they are facing, and encourage schools to explore technologies that offer a holistic approach to privacy.
It’s quite right to suggest, as many recently have, that using external third-party technologies in schools can be harmful to privacy and data ownership. But schools should also know that not all third-party technologies are equal when it comes to privacy. Companies like LearningField and Kinvolved are beginning to combine innovative technology with robust privacy measures to provide schools with real, tangible solutions. I am hopeful that these solutions will assist schools as the Australian Government gets tougher on privacy and data protection regulation.
My personal belief – yes some may say it’s outdated or naive – is that the core values of trust and mutual respect are still heavily present in society. That protecting the digital legacy of our children is still of utmost importance to us all and, as parents, if we were given the opportunity to be part of a technology platform that championed and nurtured a universal culture of trust and respect at schools, we’d take it!
I can’t deny that taking the privacy high road in business has been a long, hard slog in this new digital landscape, but maintaining the right of our consumers to privacy must remain front and centre of any business. Together, we can build a safer, more secure and protected online space for our children, and our children’s children. We can make a difference if we unite and tell our schools “Privacy matters to us, and to our children”.