2020 School Predictions: Data Protection & Cyber Security
Technology is transformative. In 2020 schools and universities worldwide are dependent on the IT infrastructure that supports them. As schools...
New technology has changed the way we communicate. Instant messaging makes sharing information easy, which is one reason mobile apps including WhatsApp have become so popular. While there are many benefits for using instant messaging, what challenges does this present for schools? Should schools use platforms like WhatsApp, or are there risks to consider?
From carrier pigeon and telegram to email and instant messaging applications, methods of communication have evolved dramatically over time, propelled by advances in technology. In recent years, the rise of the smartphones and the extensive reach of mobile networks have facilitated real-time communication through apps including WhatsApp, Facebook Messenger, and WeChat. These apps have transformed how we communicate, removing the need for calls, allowing for quick exchanges of information through text, voice, and even emojis (which itself can be a problem but hey, who doesn’t like an emoji 😀). The shift towards instant communication has made tools like WhatsApp popular, even within professional environments like schools for internal communication. But should WhatsApp really be used in schools?
Having a communication tool like WhatsApp enables efficient messaging between school departments in a less bureaucratic way than email, its easy to operate, informal, and most people are now familiar with digital conversations. The ease of WhatsApp and it’s common day-to-day use in personal communications is its ultimate downfall for use within the workplace, particularly in schools. People are so used to conversing with friends over instant messaging services, it’s not surprising that this method has crept into how colleagues interact during the working day. The easy ability to share information in real time or capture photographs on your smartphone and share over WhatsApp is just one facet of many crossover issues relating to child protection, data protection and managing personal/work accounts, evidencing paper trails.
Having a secure and integrated internal communication tool, such as Google Chat, is great for driving productivity and accountability for the way we communicate with each other. The use of WhatsApp in schools, however, is not often internally managed by the organisation themselves.
9ine advises not using WhatsApp as a method for official internal communication within schools. There are two overlying issues: the first, compliance/business quality management; the second, GDPR.
Any business seeking to be audited for ISO 9001 quality management, would fail.
This is because the business, or school, has no lawful way to gain access to the data or information stored or processed by WhatsApp should they need to. This is particularly important for cases which may need to include HR investigations, legal action, defense against a legal claim, or instances that require the ability to demonstrate to external agencies that the school's records are kept in a managed structure.
Staff members are likely to use WhatsApp on their personal devices for personal communication and of course this is not a problem. It becomes a workplace problem when staff members begin to communicate internally with other staff members using their personal WhatsApp accounts, sharing school-related information which could include categories of personal data, such as photographs for example. The ability to create communication groups based on the contacts in your phonebook is a popular function of using WhatsApp. The creation of staff WhatsApp groups that include contacts external to the school, however, presents a further risk to the organisation's data as the school has no control over the sharing or propagation of information outside of their formal structures. An additional security issue is that you cannot control who has access to group chats other than the individual who created the group, so the security is difficult to manage.
Without formal policies adhering to the boundaries of personal/ workplace communications, the individuals involved are likely to be sharing a multitude of school information without necessarily realising what they are doing. It’s also likely that this may not even surface as an issue unless there is an incident which brings the underlying risks to fruition. This is when the school might decide to intervene, however if required, they would struggle to argue their right of access to a member of staff's personal WhatsApp account.
One of the major problems here is that, where information related to the school is being shared outside of the organisation, the school themselves have not entered into a controller to processor / data sharing agreement with WhatsApp. The agreement lies in the individual’s personal account with WhatsApp instead. Where schools are using other services to process personal data on their behalf e.g. media platforms, MIS, finance systems, under international data protection law (GDPR), they are expected to have these agreements or contracts in place. This is so both parties can evidence the shared accountability and responsibility to the personal data that’s being processed on behalf of the school. Without a lawful basis, the sharing of personal information with third party organisations outside the school is not allowed. In specific circumstances, some governmental organisations may have a legal right to access certain information, however, this must be checked with the data protection lead/team/officer prior to disclosure.
In terms of the GDPR and WhatsApp, there is a data privacy clash between information processed on staff members personal accounts / devices, and personal data pertaining to the school. The school cannot invoke information rights, such as right of access or right or right to be forgotten with staff personal accounts on WhatsApp. The use of WhatsApp also has additional hidden consequences. By using WhatsApp you are providing your consent for WhatsApp to access your contact list or phonebook in order to provide and use the service. The app profiles your contacts and profiles the conversations between individuals. It then correlates this with Facebook and Instagram and other available data within your phone (cookies, browsing history etc). There are likely to be significant privacy issues with official and usually confidential conversations being profiled by WhatsApp, in addition to the likelihood of the platform also seeking to use the information in those conversations (possibly relating to named people) for its own purposes.
We advise that schools have an overall Data Protection Policy stating that social media is only to be used for communicating the theme of “community” or advancing the school’s brand, and that social media for internal communications has no lawful basis under the school’s parameters. The school’s stance should state that the use of social media (Facebook, Instagram, WhatsApp, LinkedIn, Dropbox etc.) by school staff for school business purposes, should only be permitted on accounts and profiles which have been approved by the Data Protection Lead/team/officer. Personal accounts should not be used for school business purposes.
A policy is of course useless if it is not followed. Under the requirements of international data protection law, schools are required to demonstrate accountability and have the confidence that any school policies and procedures are followed by their staff. Schools will need to be able to evidence each year where they have provided training to their staff in relation to their data privacy / ePrivacy policies. When it comes to reviewing policies, schools need to ensure they are updated regularly in line with legislative and best practice change, enforcing the high standards expected for the school.
When mentioning any data protection concerns in relation to communicating via technology in schools, the crossover with child protection / safeguarding is never too far away. Safeguarding incidents can have a significant impact on students, staff and the school itself and as such, rigorous operational measures need to be implemented. That is why it is important for schools to have the appropriate safeguarding measures in place for identifying, managing and mitigating potential child protection risks. The increased exposure and scope of safeguarding risks brought about by technology and the internet are an area that require ongoing management and review. With risks such as cyber bullying, grooming and radicalisation being presented in online environments, the collaboration between safeguarding personnel and IT teams is increasingly important for ensuring that the available tools are used effectively and any interventions can be planned accordingly.
For the above reasons, WhatsApp communication between staff and students is inadvisable. Online communication with students should only be carried out through a school-approved channel that provides a managed learning environment where all communications are transparent. Schools are expected to have stringent professional boundaries set out in their social media policy to ensure staff understand. The UK’s statutory guidance for schools, Keeping Children Safe in Education, sets out a clear code in reference to professional relationships and the appropriate use of social media, including Facebook, Twitter and WhatsApp.
The school has a duty under data protection law to ensure that the personal data it processes is safe, secure and protected from unauthorised or unlawful processing and against accidental loss, destruction or damage. The use of WhatsApp for internal communication places this duty at risk. Lastly, if a school chooses to continue communicating via instant messaging or other online methods, we'd suggest having a corporate chat platform available.
At 9ine, we understand the busy environment of schools and how easy lines of communication are a necessity. We can provide the data protection, child protection and business management support for any of the issues discussed above. Our DPO Essentials subscription service provides outsourced expertise and resources to support your data protection team. We have a suite of best practice documentation for schools, including a social media policy, that supports with evidencing and managing compliance for challenges like the use of WhatsApp for internal communication.
Technology is transformative. In 2020 schools and universities worldwide are dependent on the IT infrastructure that supports them. As schools...
Risk management is an important component of the governance regime of a school, yet for many schools, there is a struggle to operationalise it. Many...
In the current climate, it is important that schools do not use data protection regulations to discourage remote working or data sharing, but instead...