Data protection in schools: ensuring compliance in your international school

Regardless of the country, international schools will need to comply with data protection regulations. To help ensure your international school is compliant, we’ve got together a short guide on best practices and an overview of the regulations.

What is data protection?

Data protection is a set of guidelines that regulates and controls how personal information can be used and stored by businesses and public sector organisations, such as schools. Organisations collecting information on individuals will need to comply.

While slightly different from country to country, everyone is responsible for adhering to the relevant authorities’ data protection regulations. Complying with data protection regulations shows you use people’s data responsibly and fairly, helping to build trust.

Schools must take necessary precautions and conduct proper assessments to regularly check their compliance with data protection regulations. While schools may have a data protection officer, all staff have a duty to adhere to data protection guidelines.

What counts as personal data?

What information counts as personal data and falls under data protection can sometimes be unclear. However, personal data that falls under data protection is any personal data about an individual.

Even if the information is not considered personal or private, it still falls under data privacy and protection. Information publicly available still needs to adhere to data protection regulations.

Other personal data that falls under data protection is any paper records, including those that will be transferred digitally. However, anonymous information that doesn’t identify anyone doesn’t fall under data protection. Only data that can identify somebody is covered under data protection.

Common data protection problems

There are many problems that can occur when trying to keep data safe and protected, including in schools. Knowing the issues that can occur can help you to better deal with them. Here are the most common data protection problems:

Ransomware

Ransomware is a malicious attack where software blocks access to data unless a sum of money is paid, is a growing problem with data protection. These malicious attacks encrypt data so it cannot be accessed or read and is decrypted once the ransom is paid.

The criminals responsible for a ransomware attack also have access to the data and may threaten to publish the data unless the ransom is paid. While traditional backup and data storage methods have kept data safe, more sophisticated ransomware can overcome such systems.

The malware that encrypts data can enter a network through phishing (deceiving emails or messages that purpurate reputable companies or individuals). Malware can enter a network long before the virus is activated.

When data is continually backed-up, the malware virus can also be unknowingly backed-up, making it difficult to remove through old backups. Organisations, such as schools, that operate open and less secure networks should take care to minimise ransomware attacks.

To help reduce the risk of ransomware in your international school, consider:

  • Maintaining your backups and test for infection
  • Develop plans and policies, such as an incident response plan, so your school knows what to do in the event of an attack
  • Check your network port settings, including remote desktop protocols
  • Keep systems and software up to date
  • Set up secure configuration settings
  • Train staff in spotting and preventing malware attacks

Data breaches

A data breach is an incident where personal information covered by data protection regulations is stolen or removed from a system without consent from an organisation. Data breaches are a common occurrence in education, being the second worst-hit in 2021.

Data breaches can happen for a variety of reasons, including malware, loss of computers, inside leaks, or unintended disclosure. Intentional data breaches will often happen in a process of research, attack, and exfiltrate.

To minimise the risk of data breaches, consider:

  • Training staff on how to recognise and respond to data breaches
  • Review your school’s security arrangements
  • Conduct a risk assessment
  • Implement safeguards and authentications to protect data

Endpoints

In a school learning environment, a multitude of endpoints will be connected to the network. Whether staff computers, classroom tablets, or portable hotspots, all endpoints pose a risk to data protection.

Ensure that all endpoints are securely protected, using encryption if possible. All devices should have up-to-date cybersecurity software. Staff should also be encouraged to only access data from a work-issued device to minimise data leaks.

Keeping up to date on data protection laws

In the last few years, many countries have updated their data protection laws, affecting how organisations and schools can collect, store, and use personal data. Countries such as Saudi Arabia, Thailand, United Arab Emirates, and the European Union have all introduced new or revised laws on data protection.

Saudi Arabia

In Saudi Arabia, the Personal Data Protection Law (PDPL) covers data protection. First issued in 2021, amendments have recently been made to align data protection regulations more closely with GDPR in the EU.

The most significant changes to the Personal Data Protection Law include:

  • Creating friendlier business data transfer mechanisms
  • Changes to the criminal offences linked to data breaches
  • Removing certain registration requirements for data controllers
  • Easing the timeline for data breach notifications

Find out more about the recent changes to PDPL in Saudi Arabia.

Thailand

Data protection laws in Thailand are covered by the Personal Data Protection Act (PDPA). The law, first introduced in 2019, is heavily influenced by GDPR from the EU but with regional differences.

However, there are unique differences in PDPA that organisations must adhere to, including:

  • Pseudonymised data
  • Less specific requirements and protection guidance on children’s personal data
  • Slight differences in the roles of data controllers and data processors
  • Security measures assessments

United Arab Emirates

Data protection laws in the United Arab Emirates are covered by the Personal Data Protection Law (PDPL). Entered into the law in 2021, the law regulates the collection and processing of personal data in the country.

The law sets a framework for organisations to ensure individuals’ confidentiality and protection of privacy. This applies to all institutions established or operating in the UAE that process personal data.

There are several main features of PDPL, including:

  • Legal basis
  • Consent
  • Data subject rights
  • Data protection officer
  • Marketing
  • Purpose limitation
  • Impact assessment

Find out more about the main features of the Personal Data Protection law in UAE.

European

In 2018, the European Union introduced the General Data Protection Regulations (GDPR). Set to align data protection across all EU countries, GDPR helped modernise laws on data protection.

Many significant changes were made to bring data protection laws up to date, making GDPR one of the strongest sets of data protection rules. Many countries have since updated their own data protection laws to follow GDPR.

GDPR sets out 7 main principles on data protection, including:

  • Data minimisation – not collecting information you don’t need about someone.
  • Integrity and confidentiality – any personal data must be protected to keep individual identity protected.
  • Accountability – ensuring your organisation complies with data protection regulations.
  • Lawfulness, fairness, and transparency – ensuring your organisation has a reason for processing personal data.
  • Purpose limitation – setting limits on only using data for specific purposes/activities.
  • Accuracy – ensuring data collected is accurate and up to date.
  • Storage limitation – setting limits on the duration that data can be stored without justification.

How to check your international school is compliant

To make sure your international school is compliant with data protection regulations, there are some steps you can take:

  • Be aware of all the personal data that enters your system
  • Appoint a data protection officer in charge of compliance
  • Maintain a data register of how your school complies with regulations
  • Review and evaluate the data you collect, deleting any unnecessary data
  • Report data breaches as soon as they occur
  • Assess any potential third-party data risks
  • Provide training for staff on data protection and compliance
  • Recognise and properly handle any information rights requests

Data compliance is an ongoing process that will require every member of the organisation to adhere to. Regularly reviewing your data and security arrangements can help minimise the risk of attacks and ensure your internal school is compliant with relevant data protection laws.

Find out more about Learning Space Solutions and the services we offer