Virtually Unbreakable
We believe that the only way to have a fulfilling life is to stay true to who you really are. To us that means building self-confidence, self-worth and resilience as well as accepting yourself for who you are. Virtually Unbreakable Podcast is dedicated to empowering you to create an identity that serves you and helps you embrace your true self. We talk about building a positive self-image and confidence, becoming resilient, changing your beliefs, setting boundaries and improving your relationships to create a more exciting and happier future. We are happy to see you here! Follow us and join us on this exciting journey of self-discovery and personal growth.
Data Protection & Young People - What can we do?
TOPICS IN THIS EPISODE
- Most common mistakes when dealing with personal data?
- What can we all do to help protect sensitive private data?
HELPFUL LINKS
- About the Host - Ela Senghera
- About the Guest - James England
Ela 0:11
Hi, James, how are you doing today?
James 0:56
Well, thank you, Ela. And thank you for inviting me to your podcast.
Ela 0:59
It's my pleasure. And can you tell us who you are? And what do you do?
James 1:07
So, my name, as you said, is James England and I run a company called Data Protection Education. We provide data protection officer services to schools, you say the education sector, we also work with some small charities and some small businesses as well. And what we do is we help them understand the complexities of data protection legislation, i.e. how do they look after their data, how do they protect their data? What tools to use to do that, policies, procedures, and all that kind of thing.
Ela 1:41
Okay, but just to remind our listeners, this is all within the education sector. And this is why we were talking about this today because there was a high level of significance with regards to data protection and young people. So can you tell me a little bit more? How did you end up working in this industry? Have you worked in the education sector before?
James 2:08
Yeah, so you may be able to tell by some of the instruments hanging on the wall behind me, I actually went to the University originally as a musician. And whilst I was at university, I started working as a music teacher for a local authority. And much as I hadn't seen a little career as a musician for a while, when that ended, I always knew I wanted to do something else. And that moved into more of an IT kind of environment. But it was actually I really enjoyed working with the education. So I have that you're working with E-learning, and education, tech, and educational technology providers. So some companies have provided virtual learning environments for schools, E-learning. And, you know, probably the most famous one I ended up working with was Cambridge University Press for a while, which is obviously a massive educational publisher known around the world. And then I started working on my own, and still doing some more education technology-related projects and in E-learning, and is talking to a colleague of mine, who, again, provide broadband and web infrastructure company that does that for schools. And it was 2016, GDPR, had just been published before it was enforced, as a general data protection regulation. And we said that there was an opportunity here, the schools are really going to not really know what to do about this. So starting off with, why don't we do a little E-learning course on the GDPR, so people can be prepared. And that led to a lot of awareness sessions, led to some more extensive training. And then when it came in as a law in 2018, yeah. By then we'd set up the business. And we decided to offer that service and additional support consultancy, and training services, to schools. And now we have around 375 300 made two different schools and multi-Academy trusts that work with us.
Ela 4:11
Fantastic, what a great story to start as a music teacher and then merge into this more and you could say innovative or role or more, perhaps less, not innovative, but perhaps more significant in a different way.
James 4:30
If you just said to me years ago that, you know, I'm going to end up with a master's degree in law and working in compliance, I'd have probably laughed at you. But you know, hey, there's always opportunities and opportunities to learn and develop as well. And I always encourage anybody to take those whenever they come along. And you know, there's a lot you do a lot of good for that as well.
Ela 4:52
Yeah. So based on your experience, James, what is the issue today with data protection in the education system?
James 5:03
Yeah. So we sort of mentioned a little bit of think about the sort of, you know, the cyber risks that we're everybody's aware of, I was told that cyber security and data protection, one of the big issues is, I mean, start off with is that schools and particularly, we think about young people, primary school age and infant schools, those organizations or schools actually have an awful lot of data about young people about what they're doing there. They know about their family relationships, and I know about child protection concerns, they actually develop a lot of that information they know about their medical and mental health needs. There's an awful lot of data within these organizations, and these young people don't have the capacity aren't really able to understand what their rights are in relation to data. So, you know, there's a parental responsibility, but it's really very much about the organizations themselves need to understand what their responsibilities are to look after that data. When we talk about the difficulties, our schools with lots of different things, such as resources, specialists who are experts in compliance areas when schools are there, and their focus, quite rightly is wanting to be on teaching and learning. And we know to make sure that's, you know, the imperative part of the school. But you know, a lot of schools just don't have that capacity of the resource to, to manage our data protection program and understand the complexities of one particular law, update, cyber and data protection, cyber is really about the integrity and security of infrastructure and data on them. So that's not just about personal data, which is what we're talking about with data protection. And when we think about that, we actually have a lot of information on the cloud, and schools themselves have moved more to the cloud. 
And there's actually quite often great support around it and infrastructure in schools, it's actually very good levels of competencies around IT, techs, yeah. There are the technicians at organizations that they might outsource IT to, and particularly multi-Academy trusts have quite large teams around technology, they don't have these large teams around the data protection and other compliance generally from the role of the head teacher of a school business manager, or an operations manager or trust. And that's why they get us involved, or companies like us because they'd have the expertise, internally, you know, so data protection could be related to cyber, if you have a cyber attack, and somebody hacks into your systems and they steal personal data, we often hear about those on the news, the very big ones about people stealing things. But you know, there's more to that sort of risk around data protection than just cyber. Yes. So it's, it's a massive compliance issue. And it's, which goes across everything schools do because of that volume of data that they work with and process.
Ela 8:09
And yet, it is something that we parents are practically completely unaware of, or it would be the last thing on our mind, right when our child goes to school or is on holiday, whatever time of the year, there are so many other things to worry about with regards to kids and raising them. That is not something that we ever think about. And I'm not suggesting it should be our job, parents to think about that. But it's still very good to be informed and aware of what our school's responsibilities with regards to managing this very sensitive data regarding our children. So thank you so much for that.
James 8:57
Sorry for interrupting that. I mean, one of the ways that schools and any businesses are required to do that is that on their website, usually, they'll have their privacy notice. And just like we're very used to our websites, having to click on those cookies and sort of see privacy notices and privacy policies is very much a policy saying this is what we are going to do and the standards we adhere to. And then the privacy notice is this element within data protection, a lot of transparency telling you what we do with your data. So that should give you an indication of this is what we do with your data, why we collect it, what we do with it, who do we share it. It's in a school and as you go into the larger institutions, it's actually can be exponential the number of systems and data which are really knocking around and being used as an awful lot. There's an awful lot there's not also remember, database not personal days. It's not always on some system up on the cloud. This mysterious cloud is up on the internet. Yeah, it's there are a lot of papers that still use paper-based documents, it's about looking after that it's not that we want people to stop using it. It's just about making sure we look after it properly when they actually are processing that within the schools.
Ela 9:27
Sure. So what are the most common mistakes you do see when it comes to in-school settings when it comes to data protection and cybersecurity?
James 10:26
I think it is interesting where, you know, as far as mistakes are concerned, I think it's actually most of them are probably human error related, in many ways. I think some of the mistakes are, if we're talking about mistakes, somebody's doing something wrong and making a mistake, or things just not necessarily being done, to begin with, I think the ability of schools to manage everything that needs to be done under data protection laws are thinking about what we call data protection by design, are we going to do this, think about how this has got the impacts of using this data in this way before we do it. Sometimes it just doesn't happen like that. You know, it's again, it comes back to resources. But we do have some data about the sort of things which happen. So there are a couple of datasets which are publicly available. So one of them, which I'll go back to is the Cyber Security Breaches Survey, which is done by the Department of Culture, Media and Sport, and they have an education annex. So one of the things that just to give you an idea of all the businesses that responded, and this is just regular businesses, 39% of them said that we've had some kind of cyber issue, primary schools 41, secondary schools 70%.
Ela 11:46
Oh, my goodness
James 11:47
Pre-college 88, higher education colleges 92. Education is very much targeted as a sector. But why are primary schools so lower than secondary schools, and more businesses, because they've got a lot of different systems in play, and secondary schools have even more systems in play, there's more surface area for targets. I think also, as we go through those organizations, they've got larger teams as well. So there's probably more recognition of what's actually happening.
Ela 12:21
And more risk for something to go wrong, right?
James 12:24
Yeah, yeah. And it also breaks it down into a type of breach. So the most common one reported by a country mile across everything is phishing. So this is where we get those dodgy emails and please click on this link, and you know, to receive whatever. So we've seen them all, we get them personally. Yeah. But organizations are also targeted, as well. So it's something which is a really big issue. I think, from the non-cyber attack stuff, we also know from some of the Information Commissioner's Office, and that's a regulator for data protection law, Freedom of Information Law, in the UK, you know, they've done some reports and audits around the education sector, and look at things which where they can improve, a lot of those are related to operational management issues, documentation, and general management of risk. And I think that you know, when we look at the stats and ICO about what gets reported to them, it is those human mistakes, the biggest one that they have, is that data has been emailed to the wrong person. And I challenge anybody on this call to say that they've never received an email that should have been received by somebody else. And then think, in a way, have you ever sent an email to somebody who you sent it to? Person? It's easy to do? Yeah, failure to use a BCC in your email. So people get copied in and you can see everyone's email address.
Ela 14:00
Such a common mistake, isn't it?
James 14:03
Um, data getting posted to the wrong person, this gets reported, lots of people will be sending letters out home, just getting sent out to the wrong person. So it's human error. And it's usually because people haven't got time to really do the checking.
Ela 14:14
Does that mean that our systems in schools, I'm sure this could be a question to a different person, like Education Secretary, for example, but does it mean that our systems of school are outdated and rely too much on humans and not enough on automation or AI? When mistakes like this could be prevented?
James 14:36
Well, the systems in place are generally pretty good. There are a lot of really very good school systems out there. I think there's a woman who I quite like talking about sometimes, I won't go too much into it, was a rear admiral in the US Department of Defense and her name was Grace Hopper, and she was one of the early pioneers of computer science. She came up with a phrase particularly around Information Governance, which is: the most dangerous phrase in the English language is "we've always done it like that". I think there's a lot of things that are just about, well, that's how we've always done it. When we introduced new systems is a lack of training familiarity with the system, which can be quite complex. You know, so are people knowing how to configure and use them safely? AI certainly has its advantages and certain things. But again, there are risks with artificial intelligence. So, you know, cases where a school in Finland was actually fined by the Finnish regulator for using AI for automatic facial recognition technology to check that students were actually in attendance in class, and that was deemed actually illegal in the regulation. So I think the systems are there. There's some very, very good technology in place. But there's sometimes it's not always used that well, or as well as it could be.
Ela 16:00
So what skills are lacking in that case, in the way we look after young people's sensitive data? Can we parents do more, is it just totally up to the school staff to be better trained and more accurate, have more accurate procedures? Or is there anything parents can do to help?
James 16:23
So we'll look at a couple of examples here. So one thing we look at is sensitive data in school, the most sensitive data that a school holds is undoubtedly its child protection data, whether safeguarding concerns around the child and schools are really, really good at handling their safeguarding data. I'll be honest with you, I've only ever come across a couple of occasions in the last five years, in which I've had major concerns about how to handle data. But what happens everybody in schools knows and has been trained to understand that this is highly sensitive, it's highly confidential. It's only available to certain numbers of people, the designated safeguarding leads into school, everybody needs to report issues, it's very much on the front of everybody's mind safety of children is the first thing that everybody in a school is thinking about. And absolutely rightly so. Now, over the shoes, of course, you know, it's not always about, you know, horrible things like physical abuse, it can be mental health issues, bullying, mental health issue. So these will get logged on, everybody's aware of it, the data protection point of view, thinking, this information is the most important information we hold, we've got to keep it securely, we have a dedicated system to use to put that information on them and some very good dedicated systems for this purpose. When we have it on a paper-based system, which is a traditional way of doing it locked away in a filing cabinet. Only certain people have access to it, could that filing cabinet generally be in a locked room? It's very much the access control, people thinking, how important is that data? Therefore, how do we look after it who gets access to it, we need to extend that thinking to everything else? And on some online systems, we may very well do that. So imagine a network folder or an online folder, which you don't have access to, because you haven't gotten the right permissions.
James 16:231
Check the privacy policy that they've got, you know, you are entitled to know how this stuff is going on. I think the more practical thing for preparing to say about the online safety aspects of things. This is where, you know, we've got what's you know, online safety is often telling children teaching children about sort of the online harms, which are out there in the world. And I think it's a really important part of school life to get children to understand what's going on in the world. We've got new technologies, developing different AI technologies, the metaverse, what awaits young people out there, online, schools can do quite a lot about online safety. But I think parents need to know when you're giving a child a mobile phone that's got internet connections on it, you need to be very sure about what they're accessing on that phone, put controls on yourself, think about what do I want them to see? Yeah, take an active part in helping them understand the risks which are out there, don't just give them the device and leave them to it and think why to put some software on to stop them from seeing all the bad stuff, take an active engagement in what they're doing, what they're looking at what they should be looking at, show some interest right. Now some interest and how they're using that device. Who are they texting? You know, is it a child who's a few years older, is that sort of those communications are appropriate on the device. So take an interest in watching what they're doing. And using that phone for, it's not always just playing a little game harmless game. So it's, it's something that's what I would recommend is, you know, schools do quite a lot, take an interest in what the school is doing in this area. But also, you know, take an active interest in actually what's actually happening with your child when they use that device at home, as well as in school.
Ela 20:14
And what access do what devices do they have access to, to start with, right? Because in so many households, there are so many different devices, mobile phones, tablets, TV, laptop, and depending on the child's age, especially now, when we live in times post-COVID times when loads of lessons have moved online. And homeschooling has happened and it's now a common thing, as well as doing homework. Children are completing their homework and submitting their homework via different apps and websites, which I'm sure have the right security and protection built in if they work with a school. But what else does our child have access to like you said, and being extra aware, and not shy to ask those questions to school staff during parenting evenings? And so I have some of us have email addresses for our children, and teachers. And there is nothing wrong with asking a question, how is my child's data being handled? Where is my child's photo going to be posted? And having a look and reminding yourself whether you definitely gave consent to that? Because this is your child, and it's your child's mental health? That might potentially be an act. And yes, we are parents and we are responsible for their safety.
Ela 21:50
Thank you so much. This is super helpful. Any final bit of advice for our listeners, James? Is there anything other than what we've mentioned before that we can do to help protect the sensitive data in the education system?
James 22:06
Yeah, I'll just give you a couple because I know I've been rambling on a little bit. So the first one is actually a little adage, which I say all the time, to treat other people's data as your own. You know, think about it, would you leave your own passport or birth certificate lying on a desk where anybody can access it? Probably not. Don't do that with everybody else's, think about what data it is. And think if that was my data, would I just leave it lying around? And chances are, you wouldn't. Treat other people's data as if it was your own. And finally, always lock up. So whether it's your computer when you're leaving it, and you know, I think nobody else is gonna have a look at something, leave your computer, lock it. If you're working in an office, and you need to have some files open recovered open with files in it. Or lock your door when you leave. Don't leave things unattended.
Ela 22:55
Lock your computer, right?
James 22:57
Always lock your computer, you know, if you're on a Windows machine, that's Windows key and L, it's very easy to do. But always lock your machine, don't rely on it timing out after 15 minutes, somebody can do damage in 15 minutes. So lock everything, be it your device or think about the security of your devices, and also the actual physical area where you've got all the data. So don't leave it accessible, and at risk of somebody else accessing it.
Ela 23:30
And if you have any doubts, ask questions, raise concerns, and start a conversation with school staff. And there is no shame in doing so. James, this has been a fabulous conversation and a very important one to have. Thank you so much for your time today. To any of you who are interested in James' work, I will include the link to his profile and his website underneath in the show notes section. Thank you, James. It was a pleasure talking to you today.
James 24:04
Thanks, and thanks for listening.