Keeping parents informed: what schools need to consider when using email

By Victoria Cetinkaya, Senior Policy Officer (Public Services).

The crumpled letter in the bottom of a school bag is probably most people’s first thought when they think of how schools communicate with parents. But while email and other technology is often a more efficient approach than ‘pupil post’, it does bring with it some challenges to ensure compliance with data protection law.

The first point to make is that eclassroommail communication with parents can comply with the Data Protection Act. The key is for schools, who as data controllers in England, Wales and Northern Ireland are responsible for looking after the personal data of their pupils, to first consider the security risks and put appropriate safeguards in place to protect that data. [It’s worth noting that in Scottish state schools, the local authority is considered the data controller, but an awareness of the principles of data protection is nonetheless important.]

A sensible starting point is to ask what damage or distress would result if the information in the email got into the wrong hands? This can guide a school’s decision as to whether it is appropriate to send the information by email, as well as whether to consider adding encryption.

This might seem excessive for a simple update on school life, but as ever, content is key. The ICO’s view is that sensitive personal data that could cause damage or distress if inappropriately disclosed should be encrypted if sent by email. That would include information about a person’s health, criminal offences or allegations and associated proceedings, ethnic origin, religious beliefs and sexual life. In addition, it’s easy to see how poor handling of other information (financial information, for example) could also cause damage and distress.

Schools should also take into account the likelihood of the information being inappropriately accessed or lost. For example, if parents use smartphones to access emails, it might be possible for anyone to read notifications of email messages received, sometimes with a preview of that message. This could significantly increase the risk of unauthorised access, especially if parents do not have access controls such as a PIN code set up.

Any risks identified with sending information electronically should be balanced against factors such as the need to get information to parents quickly and efficiently and what other alternative forms of communication are available (for example a telephone call, or a letter addressed to parents sent either by pupil post or by the postal system). As the data controller, it’s for the school to make a decision of what medium to use, based on their assessment of that risk.

If emails are going to be used, the next area to consider after encryption is how to guard against mistakes. The risks around human error, be it mistyping addresses or sending emails to the wrong parents, are clear. Schools should have policies and procedures in place to safeguard against such mistakes, even including something as simple as having a colleague check emails before sending. It’s important too to use the BCC function when sending bulk emails, to prevent disclosing parents’ email addresses to potentially hundreds of other parents.

That policy should include making sure the details you’re using are up-to-date and accurate. Clearly, if a school is relying on a mobile phone number or email address to communicate with parents, it is vital to ensure that it is checked for accuracy both at the outset and periodically. There are obvious risks to schools if they hold out of date or inaccurate addresses or numbers, and it is easy for a parent to forget to update the school when they change.

Finally, make sure parents are aware of how the school intends to communicate with them, and consider any preferences they have, where possible. Schools should also be aware that there are further requirements when sending marketing messages by email – consent from the recipients will be required for these.

Last updated 09/05/2014 14:21, to include reference to the system in Scotland

Simon EntwisleVictoria Cetinkaya is a Senior Policy Officer. Her current responsibilities lie in the area of public services, where she takes the lead in liaising with the education sector.Previous roles at the ICO have included working with private sector organisations in areas such as credit, fraud prevention and technology.
This entry was posted in Victoria Cetinkaya and tagged , , , , , , , , , . Bookmark the permalink.

16 Responses to Keeping parents informed: what schools need to consider when using email

  1. Richard I says:

    Useful article and I agree with much of what you say.
    However, in para 5: “Schools should also take into account…” we start to blur the lines between the accountability of schools versus the accountability of parents/ carers. If a parent has consented to provide an email address/ mobile number for school communication, you would anticipate that the parent takes on the responsibility for ensuring appropriate arrangements to protect privacy. I think we have to be sensible here and not apply pressure on schools to comply with something they may have no control over. By all means provide advice at the point of obtaining consent, but should a school’s remit extend beyond that?

    • icocomms says:

      Thanks for your comment.

      Under the Data Protection Act responsibility for ensuring appropriate security lies with the data controller, in this case the school. The fact there maybe risks at the point the email is received should be considered as part of the risk assessment and could, for example, influence the type of information they send. We agree it would be sensible to provide parents with enough information so they can make an informed decision as to whether they wish to supply their email address.

      – Victoria’

      • tim says:

        I think these are interesting points to consider but I do agree with other commenters that the inference that the data controller has some kind of responsibility for how a data subject chooses to receive and distribute their own email is quite flawed and takes into a realm where the data subject has all of the rights and none of the responsibility for their own data, which cannot be right or workable for anyone.

        It is entirely the parent’s choice to give an email address for communication and quite right that the school should confirm what sort of communication that may be used for before the parent agrees – but beyond that it is down to the parent – they may receive their email through a secure VPN to a fully encrypted and retina-locked computer in a bolted and windowless room, or they may receive their email via a popup on an entirely unsecured phone, or on a shared computer in an internet cafe, or automatically forwarded to the Jumbotron in Trafalgar Square for that matter – the school can have no way of knowing or controlling that. Likewise, letters by post are only as secure as whatever form of letterbox the parent chooses to have, and only as confidential as whoever they may choose to share that home with. Phone calls may be discreetly taken in private or blasted across a crowded train via speakerphone – all of this is entirely down to the data subject, not the data controller, and it is *their* choice how privately or otherwise they wish to regard *their* data.

        For the data controller to attempt to second guess and police how the data subject may receive this data actually takes away choice and crucially interferes with the data subject’s right to their own information. It also helps to enable a society where nobody feels responsibility for the safety or security of their own information, which cannot be good for anyone – if people are going to use smartphones (and nobody is forced to, let’s not forget) then they should be encouraged to understand how to make them secure – not told that it is someone else’s job to keep sensitive information away from it.

  2. FOOTPRINTMATTERS2U says:

    Reblogged this on Footprintmatters2u.

  3. Pingback: How OpenText can assist Schools by following the ICO Guidelines | Graham Walsh

  4. Footprint Limited says:

    Thank you for this Victoria. What e-mail encryption do ICO recommend schools use? The most common – PGP / GPG – is all very well but the creation and the sharing of public keys is far too technical for most people; the same people who are helping to drive the demand for schools to communicate with them by e-mail and other convenient electronic methods.
    You are quite correct to point out that bulk e-mails should always be BCC’d but while having a colleague check every e-mail before sending can moderate content related issues it will rarely catch miss-delivery errors.
    Also, if considering the security of e-mail / sms communication when it arrives at someone’s smartphone is important, so is the consideration of the security of printed letters sent by pupils, the postal service and the security of post when it has arrived at the parents premises. Children loose things; the postman miss-delivers regularly and parents may not have adequte security of delivered postal items. Is it the place of a school to ensure that all of these ‘holes’ are covered or are more traditional methods of communication beyond the need of such scrutiny?
    While it is helpful for the ICO to highlight what schools need to consider when communicating personal data electronically the help is limited by the lack of any practical guidance about how it can be achieved.

    • icocomms says:

      Thank you for your comment.

      Whatever the means of delivery used, possible issues with security at the endpoint should at least be considered as part of the overall security assessment and may assist in deciding whether that particular medium is appropriate to use.

      Our Group Manager for Technology, Simon Rice, has published a blog on the encryption options available to schools and other organisations, which you may find useful and is available at:

      http://ico.org.uk/news/blog/2013/why-encryption-is-important-to-data-security

      • Footprint Limited says:

        Thank you for the link to Simon Rice’s post. While the post is an informative overview to those less familiar with encryption, it fails to address the practical issues surrounding the communication between school and parents using encrypted e-mail. A far more practical approach is to provide a SSL / TLS secured extranet or ‘parent portal’; where each parent has an individual login and this is used to communicate personal data, using e-mail only to notify the parent that new correspondence has been made available on the secure parent portal.

  5. Graham says:

    Rather than having to setup a parent portal, a much simpler approach would be use a 3rd party based service that can do the encryption and handle all the headache of this. There are many services out there many paid for and some free. Schools should sign up and try a few services and see what works best for them. One example would be integration to either a back end system such as SITS or just simple for the user by integrating with say Microsoft Outlook on the desktop. All the parent needs to do is register to see the email and the school/teacher and track to see when the partner has read the email. Also as mentioned above, the teacher has the ability to recall/delete the email in case it was sent in error, just destroy the encryption token by clicking a recall button in Outlook. One example of this can been supplied by OpenText

  6. Chris says:

    I have recently just gone through the steps of setting up E-mail encryption through Office 365, as this is where we host our Staff and student e-mails. While this does come with a cost you don’t have the additional headache of the sharing of keys.
    When a user (parent or otherwise) receives an e-mail that has been encrypted they are prompted to log on with a Microsoft account. If they already have an Office 365 account like many schools now they can use this, if the email address is a Microsoft email address (@hotmail.com, @outlook.com, etc) they can use this.If it isn’t they can easily create a Microsoft account linked to that email address.
    The whole process takes less than 5 minutes. Once that is complete the message opens for them and they can reply in a fashion which is also encrypted.

    It is one of the simplest encrypted communication setups I have ever seen.

    The only thing i would like to see are some clearer guidelines about what constitutes sensitive data. I have set up some policies to automatically detect certain types of data but others are more difficult to catch as they all depend on context.

    Chris.

    • footprint says:

      Hi Chris
      This is all fine and dandy if parents are happy to have a Microsoft Account but we cannot take this for granted and surely it is not a schools place to force this upon parents?
      You can spend a time on the ICO site to get an understanding of what constitutes personal data, then audit / assess this in the context of your school and the types of parent (and other sensitive) communications that take place, then attempt to apply policy / logic to everything that is written by users in their e-mail but this will be a mammoth task, And there will be exceptions that get through. Best to just consider all e-mail to potentially contain personal data and train all staff to be aware of their obligations under the data protection act (and keep on it at regular intervals!)

  7. Alice says:

    I’m not sure Bcc is the right way to go if you’re sending bulk emails, it’s all too easy for someone to make a mistake and use Cc instead – Applications such as Outlook include mail merge facility which not only send a unique email to each recipient in the mailing list but also allow some simple personalisation. I’m more likley to read an email that’s sent to me than one that says “Dear All”

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s