Technology & Innovation - Issue 12

ALL SYSTEMS SECURE? Mat Pullen explains why schools can’t afford a failing grade when it comes to their standards of data protection... F rom the management of pupil records, to the producing of lesson plans with the aid of digital platforms, educational technology is now omnipresent. These tools have become so valuable for expanding learning opportunities, however, that it’s sometimes easy to forget that they present fresh challenges too. Most mobile devices used in school will hold some amount of personal and sensitive information about students. It’s part of a school’s duty of care to keep that data safe, but it’s inevitable that data privacy will come a distant second to teaching priorities during the day-to-day – or even come to be seen as a niche technical concern. Yet as both a teacher and an edtech specialist, I’ve seen for myself how quickly a seemingly small issue can derail a classroom. Here, we’ll explore the most commonmistakes schools make with respect to data protection, why they happen and how to build strategies that will protect both information and learning outcomes. Device security isn’t a chore Regular maintenance of device security and data privacy should form a key part of any school’s technology programme. Endpoints need to be kept up to date with the latest patches and managed with content controls to ensure their safe use by students. Schools risk non- compliance fines if devices are found to not meet the needs of regulations such as GDPR. There can also be potential safeguarding concerns if any private information is stored on a device. Having spent years in the classroom, and worked with schools since then on developing their technology strategy, I’ve seen how seemingly minor issues can rapidly escalate and ultimately disrupt teachers’ ability to teach. Falling out of privacy and security compliance can also result in whole stocks of devices becoming unusable. I once worked with a school that built its lessons around iPads, only to discover mid-term that their devices were too old to accept the latest security updates. Overnight, they had to pull most of them from classrooms. Teachers scrambled to rewrite said lessons, having to accommodate a sudden shift from one-to-one device access to, in some cases, having just one device per classroom. The lesson is clear – without secure, up-to-date devices, you can’t deliver consistent, safe teaching. Hidden cracks These issues tend to creep up because it’s easy to take digital technology for granted while (understandably) keeping your focus on lesson content and students’ support needs. When I was teaching, I didn’t have time to check every vendor’s security claims. That’s still true inmost schools, especially smaller ones relying on outsourced IT support. Even larger trusts with compliance officers on staff risk similar problems if those roles are too cut off from teachers and frontline IT staff. There are some structural issues that tend to make such problems worse – particularly siloed budgets and a lack of planning between departments. IT teams will be expected to keep devices secure on tight funds, while teaching teams may be pushing for more tech without planning for long-term costs. Both departments are often unaware of the other’s priorities and how their respective needs might clash. Another issue is misunderstanding compliance. Many will assume that buying a ‘GDPR-compliant’ tool makes the whole device or network compliant. It doesn’t. An unlocked tablet or pupil list left on a desk is still a breach. Non- compliance may leave devices unusable until the relevant issues are fixed, or else land the school with a hefty fine it can scarcely afford. With GDPR having now been in place for more than seven years, it can be easy to “Toooften, IT, compliance and teachingdepartments work in isolation” 56 teachwire.net