Redefining Security Standards In Education: Regulation On The Horizon

Safeguarding is an issue that governing bodies and senior staff within the secondary and tertiary sectors have a direct responsibility to engage with; one that often includes a close interconnection with education safety and security systems. The Department for Education regularly updates its statutory guidance, Keeping Children Safe in Education, according to new government requirements. While references to the Data Protection Act 1998 are made, it does not currently take into consideration regulations on the horizon, such as the General Data Protection Regulation (GDPR) set to come into motion in May 2018. As education institutions look to better support safeguarding initiatives through the use of security systems, an updated knowledge of the changing regulatory landscape will be key to ensuring both their effectiveness and compliance into the future.

Room for improvement: shortfalls in security standards

It is clear that there is significant progress to be made, with a number of institutions adopting an ‘implement and forget’ approach to security systems. This type of practice clearly falls short of regulatory requirements, with a report by the University of Salford, for example, identifying that several schools were breaking data protection laws by failing to inform pupils that they were being monitored by CCTV after installation. It comes as no surprise then that Tony Porter, the Surveillance Camera Commissioner, has been pressing for increased regulation to deliver more effective surveillance. Keen to put an end to the sector’s legacy of poorly-specified and maintained systems plus ensure public space surveillance is used transparently and effectively, he set out a strategy to do just that in the National Surveillance Camera Strategy for England and Wales earlier this year.
 

The need for guidance continues to grow partly as a result of the shift the surveillance industry has undergone over the last decade, with most institutions having made the transition from analogue to increasingly connected, IP systems. As security technology has become more advanced, higher quality footage has become possible, with more data captured than ever before. With this trend becoming increasingly prominent, regulations around data protection and student safeguarding continue to tighten. A number of education and government bodies such as The Education Union, The Information Commissioner’s Office (ICO) and the Department for Education have issued updated guidance relating to surveillance and safeguarding technologies for schools, colleges and universities.

 

Security and data: the regulatory landscape

 

GDPR, set to supersede the Data Protection Act, is a key driver for change for any organisation responsible for safeguarding Personally Identifiable Information (PII). GDPR contains a number of new requirements regarding how institutions should process and store data. It includes ensuring data breaches are reported to relevant authorities within 72 hours; implementation of policies to secure data portability and the employment of a Data Protection Officer, an investment in time and money that many in the education sector are likely to find challenging. The regulation’s primary objective is to strengthen data protection for individuals and simplify regulatory environments for institutions. Due to the sensitive nature of the information held by education security systems, from images of children to exam results, GDPR adherence will require significant planning around the people, systems and processes to enforce it.

The Education Union, ATL, is very clear about the need for regular review of security systems. It states that “CCTV systems should be constantly reviewed to monitor their effectiveness and impact. It is not acceptable for a school simply to install CCTV cameras and forget about the impact they may be having”. In its guidance on the use of surveillance systems in education, it stipulates that not only should the purpose of surveillance and the type of data collected be made clear, but also that the security of that data is made paramount with clear restrictions to its access. Similar to the requirements in the upcoming GDPR, it also recommends the appointment of a data controlling officer from the school's management team to oversee and control the use of surveillance technology.

The Information Commissioner's Office is another body emphasising the importance of the upcoming GDPR with Information Commissioner Elizabeth Denham telling businesses there’s no time to delay in preparing for the “biggest change to data protection law for a generation.” In its CCTV Code of Practice, targeted directly at education institutions as well as other industries, it outlines the need to establish a clear basis for the processing of personal information including what is recorded; how the information is used and to whom it may be disclosed. It also reiterates the need for recorded material to be stored in a way that maintains the integrity of the information, and an audit trail showing how information is handled if it is ever to be used as evidence in a court.

Preparing for change: Solidifying security standards

A common theme running through the various regulatory standards is that all information must be sufficiently protected to avoid a breach, including careful consideration of technical, organisational and physical security. Considering the recent proliferation of breaches, including the well-publicised ransomware cyber-attack on NHS hospitals, the consequences of non-compliance for public sector organisations are becoming increasingly clear. Regulations such as GDPR are expected to be taken very seriously, with clear penalties for non-compliance, including fines of up to 20 million euros or 4% of an institution’s annual turnover, whichever is higher. The impetus for schools, colleges and universities to fully understand the scope of regulations and ensure the effectiveness and security of systems is clear – from both a safeguarding and compliance perspective.  

With a tighter regulatory landscape on the horizon, senior education professionals have an opportunity to review systems and ensure compliance is achieved ahead of schedule. Institutions must be up to date with the latest regulations to ensure the safe and effective use of security systems, with the risk posed by growing crime and the complexity of technology used to manage it set to grow. With the amount of data captured in education on the rise, combined with an evolving threat landscape, risk is an element all institutions will continue to grapple with. Knowledge of best practice procedures followed through with informed systems and processes in place to pre-empt and rapidly deal with incidents will be key. Education professionals can then demonstrate that through regular risk assessments, they are not only mitigating security risk, but implementing best practice.

To find out more, download the newly released white paper on the topic: Security – A Need for Effective Risk Mitigation in Education.

 Follow NW Systems on Twitter: @nwsystemsgroup

 

Colin McKeown – Senior Consultant, NW Systems Group

With early experience as an ICT consultant in schools during the National Grid for Learning (NGfL) era, Colin brings over 25 years of experience in the education sector. He has a background in ICT consultancy, having previously run the Schools & Colleges Education Team at Compaq and HP as well as managing a regional ICT services company. Colin believes in transforming security solutions into safeguarding aids, with experience as a director of a leading Safeguarding Monitoring Service Provider. This approach has proved invaluable in ICT environments; with the right tools helping institutions to benefit from added value. As Senior Consultant, Colin is responsible for understanding customer challenges, providing solutions that protect stakeholders while balancing funding and staff workload constraints.

     
   
   
 
  Link to this article:
(Copy and paste the following code to your web page.)
 
 

Education Magazine | Advertising | Education Emails - More Articles