Building back trust – Can Australian schools lead the way?

Were you aware that the Australian education market for the first time has not ranked in the OAIC top 5 sector notifiable data breach report for over a year? Or that Deloitte’s latest Australian Privacy Index Report ranked Education as the 2^nd most trusted industry to handle personal data? A big jump from previous year rankings where in 2017 alone, Education was ranked 11^th when measured against transparency and trust.

Given the increased reliance on technology by schools to manage student records, family financial information, and other sensitive data, cybersecurity and data protection has had to be prioritised.

With 90% of Australians now wanting organisations to do more to protect their data, schools are in a prime position to become the most trusted sector. For this alone, Australian schools deserve big accolades for not only stepping up to the plate but achieving all this during a global pandemic.

The digital age and child privacy

Surrounded by smartphones, tablets, and the internet, these technological advancements offer children numerous benefits but also pose significant challenges when it comes to child privacy.

With children of all ages engaging in online activities, whether it’s through social media, online gaming, or educational platforms, coupled with parents and schools also sharing photos of children online and on social media, it’s no wonder these platforms unambiguously encourage users to share information irresponsibly when connecting with others. Companies and advertisers also collect vast amounts of child data online, which is then used to create targeted advertising and influence their behaviour. As the internet is becoming an increasingly dangerous place for children, this callous attitude is enabling online predators, seeking to exploit their innocence and trust.

Big tech continue to exploit in this space, with Apple and YouTube being the latest culprits. This sounds even scarier when you learn that YouTube is the #1 social media channel used by teens in the US (95% of teens say they use it).

Protecting children’s data and privacy can help prevent them from becoming targets of harm.

Why schools must never compromise on child data protection.

If you read the core values or mission statements of most schools, child safety is always listed. A school is where a child spends most of their adolescent life, and it is where their academic life is recorded and pictorialized day in, day out. As a result, schools are becoming primary cyber-attack targets. According to Microsoft Security Intelligence, the education sector worldwide is targeted nearly 10 times as much as the next industry – a staggering 7 million malware encounters in the past 30 days alone.

Child data protection is critically important for schools, not only in tackling cyber security encounters, but also for:

• Legal and Regulatory Compliance: Schools are legally obligated to protect the personal information of students, teachers, and staff under various data protection and privacy laws, such as the Australian Privacy Act, the Family Educational Rights and Privacy Act (FERPA) in the United States or the General Data Protection Regulation (GDPR) in Europe. Failure to comply with these laws can result in severe penalties and legal consequences.
• Privacy and Dignity: Children have a right to privacy and dignity, just like adults. Protecting their personal data ensures that their sensitive information, such as medical history, is not misused or exposed without their consent.
• Safety and Security: Safeguarding children’s data helps protect them from potential harm. Schools may hold information about students’ addresses, emergency contact information, photos, and other sensitive details that could be exploited if not adequately protected.
• Preventing Identity Theft: Child data protection also helps prevent identity theft. If a child’s personal information falls into the wrong hands, it can be used to commit various forms of fraud and harm the child’s financial future.
• Trust and Reputation: Maintaining strong data protection practices helps build trust between schools, parents, and students. Parents and guardians need to have confidence that their child’s personal information is safe in the hands of the school. A breach of this trust can damage the school’s reputation.
• Ethical Considerations: Schools have an ethical responsibility to protect the well-being of their students. This includes protecting their privacy and data rights as part of their duty of care.

How can schools build even greater trust?

There are 3 important steps schools can take right now to build greater transparency and trust in their community:

1. Provide a Privacy Notice: The privacy notice is a public document that helps students – and their parents or guardians – understand personal data processing. This includes information on the data that’s being processed, how and why it is processed, where it came from, how long it will be kept and what rights the student/parent has have over it. The exercise of compiling the notice also helps the school assess the data it holds and whether adequate protections are in place. Depending on the age range of your students, you may need to consider an age-appropriate privacy notice.
2. Tailor third-party contract agreements: Whenever a school shares personal data with a third party, the supplier must agree in writing to the measures that both the school and they will take to protect data. The contract must stipulate that the supplier will act only on the school’s documented instructions, maintain the same level of compliance, and delete or return personal data at the end of the contract.
3. Conduct a PIA: These assessments help identify and minimise data protection risks posed by projects like implementing new software. A PIA looks at the processing risks to personal data, how likely it will cause harm, and the extent of that possible harm. For processing activities that the PIA reveals as high level of risk, you must take steps to reduce it. You could do this by stopping that processing activity, but if you’ve shown that the processing is necessary and proportionate, you’ll more likely need to implement technical and/or organisational measures to lower the risk, such as applying additional security controls. Technical measures will need to be backed with organisational ones, such as additional policies and procedures, extra staff training, reviewing privacy notices and updating contracts.