- Quite a few schools and teachers encourage colleagues and pupils to bring in their own devices to support learning and for use within lessons.
- However, the use of personal phones or tablets needs to be well thought through.
- Data contained and held on them could be in breach of data laws.
- In this article extract, Ed Whittaker reminds us that individuals need to be mindful of how devices are being used.
- Article from the August 2014 edition of UKEdMagazine.
The rise in the popularity of BYOD in schools raises a number of data security issues for school leaders to consider.
What is BYOD?
There has been a huge rise in the popularity of handheld and tablet devices in the last few years, and some schools may allow staff to use their own personal devices to access school systems. This is commonly known as Bring Your Own Device or BYOD, and there are advantages in allowing staff to provide their own IT equipment. However, the use of personal devices to access school systems raises a number of questions regarding the school management’s duty under GDPR and the Data Protection Act (DPA). This is particularly so if the device is used to access the school MIS (e.g. SIMS) or to hold any kind of staff or pupil information. It is important to remember that the school, as the data controller, is still responsible for the security of the information, regardless of the ownership of the device used to access or process the data.
Under the 1998 Data Protection Act, the school must take appropriate technical and organisational measures to prevent loss or unlawful processing of the data the device holds. This does not necessarily mean that schools should impose a blanket ban on the use of BYOD, as there can be some benefits, including increased work efficiency, flexibility and job satisfaction. What it does mean is that schools considering the use of BYOD should first make sure they have a robust and well thought-through BYOD policy.
BYOD Policy – a good place to start would be an audit of all the types of device likely to be used by staff in the school. Then consider which, if any, personal data should be accessed by those devices and which should be held more securely. It is important that users are made fully aware of their responsibilities for keeping any data safe and secure. This can be done by drawing up an acceptable use policy for BYOD. The policy should make it clear which data can be accessed via BYOD and which cannot. You may also wish to consider whether the use of BYOD might conflict with any school policy on the use of social media.
It is important to determine how and where any personal data might be stored: on the device itself, on the school network or externally on a public or private cloud. Regardless of where the information is stored, it is still the school’s responsibility, as data controller, to take appropriate measures against unauthorised access or loss of data. Be aware that some devices have removable memory cards, so the loss of data may not be apparent for some time.
Your BYOD policy should also consider how data is transferred, as the transfer process can present risks. For maximum security, ensure all data is transferred via an encrypted channel and treat any public cloud-based sharing or back-up facility with extreme caution. You should also consider whether to insist on the disabling of interfaces such as Bluetooth or Wi-Fi.
Finally, the BYOD policy should facilitate compliance with the Data Protection Act. Although the security of the device might be the primary concern, care should be taken to ensure that data is not processed for any purpose other than the one for which it was originally collected. Users should be informed of their responsibilities to use the data strictly for school business. Also, if the data is stored on different devices there is the possibility of it becoming out of date. There is also the possibility that the data is stored for longer than necessary. There might also be some difficulty in responding to the right of the data subject to know how and where the information is stored.
BYOD raises a number of data protection & GDPR concerns due to the fact that the device is owned by the user rather than the data controller. However, it is crucial that as the data controller the school ensures that all processing of personal data which is under its control is in compliance. In the event of a security breach, you must be able to demonstrate that you have secured, controlled or deleted all personal data on a device.
Ed Whittaker is a secondary school chemistry teacher with 28 years' experience in the classroom and as behaviour manager. He is co-founder of Adaptsoft, which supplies custom information management solutions to schools.