Data Protection in Schools: Safe Harbor and US/EU Privacy Shield

Some schools based websites and tablet apps use US provided services to store personal data.  In the past the data has been protected by an agreement called ‘Safe Harbor’.  Due to concerns expressed by the EU a new agreement called the US/EU Privacy Shield came into effect on the 1st August. (see ICO blog link ).

All schools must audit where there personal data is stored.

If the data is held in the US then the school should find out if the company is seeking US/EU Privacy Shield approval.  Either looking at the terms and conditions or sending an email will usually find an answer.

If the company is not then the ICO have made it clear that: ‘Any transfers that continue solely under the Safe Harbour framework will breach the eighth data protection principle, and there could be circumstances where we would contemplate enforcement action, in line with the ICO enforcement policies’.  Because of this the use of services or apps that only have ‘Safe Harbor’ should be discontinued.


Where is my data?

in the recent post by the ICO ( they asked the question about what was happening to the data given to mobile phone apps.

Schools need to ask this question as well.  what is happening and who is using all the data they have about their learners?

Especially with the oncoming GDPR schools need to complete an audit of where (and who) stores personal data.  It is not as easy as just asking the office:

  • What about the teachers – have they subscribe to cloud services?
  • What about the peripatetic Music teachers – what data do they hold?
  • What about the PTA?
  • Are there any other places you can think of.

Now is the time for an audit.

Can I use a personal email address for school business?

The school must try to make sure that the technology that people use ensures that they prevent breeches of the Data Protection Act.

One of the ways in which it can do this is to make sure that one of the major channels of communication used in schools is secure. They do this by providing an approved email service.

In the question about cloud storage there was a discussion about the storage of data outside of the EU and this also applies to attachments to email. Many personal email accounts store the data outside of the EU. There is also an issue that if you use personal email you might accidentally send an email that contains personal data to a friend with a similar name to someone you work with.

It is for these reasons, and also one of tracking, that mean that many schools have a policy that you only use the school provided email account. Remember, if this is the schools policy, then you have to follow it or face disciplinary action if you do not.

Can outside companies process personal data for the school?

The school acts as Data Controller for all the personal data that it uses or creates. This means that it has responsibility for the security of the data no matter where it is.

If the school uses an outside company to process data then it must make sure that the companies processes agree with the Data Protection Act. This is normally indicated within the contract but can agreed with a separate Data Exchange Agreement.

If a school does use someone else to process its personal data it also needs to inform parents of this through the Fair Processing notices

Can pupil’s photos be displayed on noticeboards?

It depends on what permissions have been given by parent’s and what data accompanies the photo.

If the photo is displayed on a noticeboard for publicity purposes or for the furthering of learning then the agreement that the parents has signed on their child joining the school normally covers this use. Again safeguarding takes precedence and if there are any doubts it should not be displayed.

But what about the displays that normally go up in staffroom that illustrate those learners who are not going to get 5A*-Cs at GCSE or those that list allergies. Both of these examples involve sensitive data and although staffrooms are not public places, visitors still visit and can easily see the data.

With the list of allergies parents are normally quite happy to give permission for this information to be displayed but they should be asked.

The display of student’s photos and the exam predictions is against the principles of the Data Protection Act and many parents would probably not give permission for this data to be shown in a public area such as a staffroom. Other ways of sharing this data should be used.

Can I store pupils personal data in ‘The Cloud’?

‘The Cloud’ is a term that is little understood. It really means that you are using a file server that is located on the Internet – away from the computer you are using and also from any secure local file storage.

This causes issues with the Data Protection Act as the eighth principle states that the data should be kept within the EU. Many of the cloud services either do not do this or use an agreement called ‘Safe Harbor’. This agreement is not a law and could be changed at any time. It is because of this, that the use of the cloud for storing personal data has been discouraged by many companies.

There are versions of cloud services which are secure. The DfE have asked companies to self certificate and both Google and Microsoft have done this. However it is to be remembered that these are for the services that schools as establishments have created and not the personal version that they also offer. There are also cloud services that can be provided by companies that run VLEs and even by schools themselves that are known to be secure because of information provided in contracts or agreements.

So to answer the question, you can store personal data in the cloud but only on schools approved services

Can I be sacked if I lose pupil’s personal data?

It is very unlikely that this would happen, but disciplinary action could take place, especially if you had not paid heed to training and advice. It also very much depends on the type of data, the training you received and how you lost the data.

The school has a legal duty to report any loss of personal data to the ICO making a judgement as to the severity of the issue. The ICO have the ability to tell the school to improve it practices or even in severe cases fine them especially if schools have not improved their practices from previous instances.

Imagine if you lost data that included the medical details of you class by leaving an unencrypted memory stick at an Internet café you. If you had received training and had been given access to secure remote storage then there would not doubt be questions asked of your practices. This might end up with disciplinary procedures. However accidentally losing your record book might not even be reported to the ICO.