In its recent revision of the guidelines for inspection, Ofsted stated schools must seek to protect and educate pupils and staff in their use of technology. This includes having the appropriate mechanisms in place to intervene and support any e-safety incidents. A school’s network infrastructure, and more importantly the data on it concerning pupils, staff and core admin functions, is arguably its key asset. As such, any e-safety plan needs to extend to the appropriate protection of confidential data.

Ofsted has stated that one indicator of inadequate performance is through unsecured personal data and leaving school websites without adequate encryption. If lost or stolen, the impact upon a school’s finances or reputation can be severe. So how should an adherence to compliance be addressed?

The IRMS curates a regularly updated toolkit to assist UK public sector schools in their compliance with the Freedom of Information Act (2000). Arena Group's Neil Maude has written for us a series of articles looking at the practical application of its key principles. In Part 6, Neil looks at disaster recovery planning and risk mitigation.

The 7th principle of the Data Protection Act (1998) is quite clear on the obligations with regard to data security and risk: "Appropriate technical and organisational measures shall be taken against unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data."

The IRMS Toolkit makes the very valid point that: "In the event of a major incident, your school should be able to stay open and will at least have access to its key administrative and teaching records."

Clearly, compliance with this legislation requires on-going management of the risks to your information stores and how these risks will be mitigated.

Information stored by schools has a fairly fixed working life - but relevant data may be required to be held for a considerable period after a particular student has left the school. This can be for all sorts of purposes, including confirmation of attainment and a whole host of legal matters. Obviously, this means that there is a considerable storage burden which is borne by the final school which a given student has attended – a burden which may persist for many years, in some cases until the former student has reached 30 years of age.

What the law says

Two key pieces of legislation come into play with regard to the long term retention of student files (and any other information generated by the school).

Do The Data Protection Act & Freedom of Information Act in Education apply to you? It depends on who you are, where you are and how you are funded. A simple answer is that all schools in the UK have to comply with the Data Protection Act. It’s a reserved power.

Even this simple answer is complicated by whether you are a state funded school in Scotland in which case the work will be done for you by the local council.

In Scotland, state schools have a Parent Council which doesn’t have the status of a Board of Governors in England. Schools do not have to notify - the local council handles it. In England, the Board of Governors is responsible for compliance with all law not just information related law.