By Victoria Cetinkaya, Senior Policy Officer (Public Services).
The crumpled letter in the bottom of a school bag is probably most people’s first thought when they think of how schools communicate with parents. But while email and other technology are often more efficient than ‘pupil post’, they do bring some challenges in ensuring compliance with data protection law.
The first point to make is that email communication with parents can comply with the Data Protection Act. The key is for schools, who as data controllers in England, Wales and Northern Ireland are responsible for looking after the personal data of their pupils, to first consider the security risks and put appropriate safeguards in place to protect that data. [It’s worth noting that in Scottish state schools, the local authority is considered the data controller, but an awareness of the principles of data protection is nonetheless important.]
A sensible starting point is to ask: what damage or distress would result if the information in the email got into the wrong hands? This can guide a school’s decision as to whether it is appropriate to send the information by email, as well as whether to consider adding encryption.
This might seem excessive for a simple update on school life, but as ever, content is key. The ICO’s view is that sensitive personal data that could cause damage or distress if inappropriately disclosed should be encrypted if sent by email. That would include information about a person’s health, criminal offences or allegations and associated proceedings, ethnic origin, religious beliefs and sexual life. In addition, it’s easy to see how poor handling of other information (financial information, for example) could also cause damage and distress.
Schools should also take into account the likelihood of the information being inappropriately accessed or lost. For example, if parents use smartphones to access emails, it might be possible for anyone to read notifications of email messages received, sometimes with a preview of that message. This could significantly increase the risk of unauthorised access, especially if parents do not have access controls such as a PIN code set up.
Any risks identified with sending information electronically should be balanced against factors such as the need to get information to parents quickly and efficiently and what alternative forms of communication are available (for example a telephone call, or a letter addressed to parents sent either by pupil post or by the postal system). As the data controller, it’s for the school to decide which medium to use, based on its assessment of that risk.
If emails are going to be used, the next area to consider after encryption is how to guard against mistakes. The risks around human error, be it mistyping addresses or sending emails to the wrong parents, are clear. Schools should have policies and procedures in place to safeguard against such mistakes, even including something as simple as having a colleague check emails before sending. It’s important too to use the BCC function when sending bulk emails, to prevent disclosing parents’ email addresses to potentially hundreds of other parents.
That policy should include making sure the details you’re using are up to date and accurate. Clearly, if a school is relying on a mobile phone number or email address to communicate with parents, it is vital to ensure that it is checked for accuracy both at the outset and periodically. There are obvious risks to schools if they hold out-of-date or inaccurate addresses or numbers, and it is easy for a parent to forget to update the school when they change.
Finally, make sure parents are aware of how the school intends to communicate with them, and consider any preferences they have, where possible. Schools should also be aware that there are further requirements when sending marketing messages by email – consent from the recipients will be required for these.
Last updated 09/05/2014 14:21, to include reference to the system in Scotland
Victoria Cetinkaya is a Senior Policy Officer. Her current responsibilities lie in the area of public services, where she takes the lead in liaising with the education sector. Previous roles at the ICO have included working with private sector organisations in areas such as credit, fraud prevention and technology.