Schools need to consider that students have rights to see their personal information. They can make a subject access request to see the personal information you hold about them. They, and their parents, also have the right to see their educational records. Under the new GDPR a student can also exercise their right to be forgotten. Both these requests will present a significant challenge to a school and a heavy burden on busy staff, as well as the risk of penalty if not handled efficiently and correctly.
Practical steps towards compliance
The first steps are to develop a records management policy and conduct an information audit. You are then in a good position to decide how to implement access controls for your documents.
Compliance can be complex and problematic if you are working with scattered documents that are stored in several different ways. For example, you may have some paper child protection documents in a locked cabinet accessible only by your child protection officer. Other documents relating to the same pupil may be stored in your admin office or held in your SIMS database, computer files and applications (such as email inboxes) or digital storage devices. A sensible first step is to minimise variations in document formats and locations. A good electronic document and records management system (EDRMS) can assist this by bringing documents and storage systems together for access via one reference point.
Whether you are working with paper or digital files – or a mix of both - there are some important legal compliance questions to address. These are explained by Arena in more detail on their website, and cover the four key areas of storage, completeness, movement and confidentiality.
For examples the IRMS toolkit recommends that: "Pupil records should be kept securely at all times. Paper records should be kept in lockable storage areas with restricted access, and the contents should be secure within the file. Equally, electronic records should have appropriate security."
But how do you guarantee that records are never left unattended and/or seen by unauthorised people? With an EDRMS such as mstore, you are able to allocate login details and access rights to individual users so that they can only access file types that they are authorised to see. For example, your child protection officer will be able to see sensitive records that a secretary working in your admin office will not be able to see. You can prevent sensitive documents from being shared, printed, deleted and/or overwritten. Computer monitors can be set to switch to standby after a set period of inactivity, requiring the user to enter a password to reactivate the screen. This means documents left on-screen at unattended desks will be protected.
To access more information from Arena on managing school records visit www.arenagroup.net/articles/guidance-on-managing-student-records or contact firstname.lastname@example.org / 0344 863 8000.