Schools are risking children's security by adopting an inconsistent and sometimes eccentric approach to data protection with potentially serious implications, new research based on information from more than 1,000 schools has found.
A survey of 1,059 schools by researchers at the University of East Anglia and the University of Plymouth showed that nearly half had policies on children’s personal data security which fell below recommended levels.
They either had no policy at all for how personal data is to be handled – for example having taken no legal advice around the storage of physical data from fingerprints or information including home addresses – or they had a policy which was still “in development”.
And the position may not get better any time soon, as student teachers who are about to enter the profession appear to have a relaxed attitude towards online security themselves, the research says.
Dr Sandra Leaton Gray, from UEA’s school of Education and Lifelong Learning
, will present the findings to the British Educational Research Association’s annual conference in Manchester tomorrow.
She said: “Schools have created large databases with information about where children live, who their parents are, their routes to school, whether relatives are on the sex offenders’ register, whether they have special needs or whether they are known to social services, for example.
“If this information gets into the wrong hands, it can have big consequences for individuals. Yet security levels in schools are inconsistent, and generally not as high as they should be.”
Among the problems could be identity theft, parents wrongly being sent confidential information about someone else’s child, or, potentially in the future, pupils’ “biometric” data being accessed by strangers.
Research by Dr Leaton Gray and Prof Andy Phippen of the University of Plymouth has looked closely at this biometric element - schools’ use of fingerprint, iris or palm recognition software, for example, to identify pupils wanting to take out library books or to pay for their school lunch. It has been estimated that 40 per cent of UK secondary schools and 10 per cent of primaries currently use biometric systems.
But Dr Leaton Gray said schools often seemed to view collecting pupil data in this way as a simple matter of convenience, with little thought about security or the implications for children.
The research included a survey in September 2011 of 1,059 schools across England.
All were users of the South West Grid for Learning (SWGfL), an internet service provider used by almost all schools in the region, and also by those in other areas of England. The SWGfL has developed a tool which allows schools to self-review their online safety procedures, against a scale of one (most safe) to five (least safe) in 28 different categories.
The paper highlights results from three categories: “personal data” – the general security of personal information - “password security” – policies around preventing the misuse of password information – and “technical security” – the practical measures such as virus protection that the school has in place to protect its systems.
The weakest link was personal data, with 48 per cent of schools rating this either at level five – “there is no agreed personal data policy” – or at level four – “a personal data policy is being developed”. Only seven per cent of schools had policies at levels one or two.
The research’s final aspect saw 574 trainee teachers from a university in southwest England questioned on their own use of social media, and on their attitudes towards digital copyright and privacy issues.
“We have an emerging new generation of teachers who are no better equipped to be aware of data protection risks in schools than current staff and who have an even more relaxed attitude towards the protection of personal access to that owned by others,” concluded the research.
Regarding the evidence on biometric security, the paper concludes that the “studies highlight the fact that biometrics are being introduced into schools with little consideration of the sensitivity of collection of children’s biometric data and moreover demonstrate that schools are not in a position to store and manage such data safely.”
It adds: “With the loss of one’s biometric data having potentially disastrous implications for managing one’s identity in a connected society, education institutions cannot be relied upon to use biometrics responsibly.”
‘Identity and biometrics – convenience at the cost of privacy in UK schools’
is being presented as part of a session on “head teachers and the database state” to BERA by Dr Sandra Leaton Gray and Prof Andy Phippen on Wednesday, September 5.