‘We are using more and more online services, each requiring the sharing of data. Are we therefore at a point where we may not know as much as we think we do about the school data we have and where it is stored?’ - Gary Henderson.
Schools have always stored a lot of data on their students, parents, ex-pupils, etc.; however, the amount of data being stored continues to increase. In addition to this, as schools seek to use technology to address workload issues, compliance issues and to better use educational technology in lessons, we are using more and more online services, each requiring the sharing of data. Are we therefore at a point where we may not know as much as we think we do about the school data we have and where it is stored?
It is all too easy to answer the question “where is school data stored” by simply considering the Management Information System (MIS) and file storage. These used to almost always be stored locally within the school, making the answer an easy one: ‘The data is stored in the school’. More recently, more and more of the MIS systems have moved to the cloud, plus schools have increasingly moved to Office 365 or G-Suite for Education, also placing this data in the cloud. Thankfully, here the answer is still reasonably simple, as both Microsoft and Google will confirm the location of your data within a specific geographical location or Geo. So, for a UK school this should be within the UK or at least within the EU. The cloud services will also create replicas of your data for the purpose of disaster recovery/resilience, which would be in a different data centre but still within the same Geo. So, your data previously held in servers in the school is now held in multiple servers spread across a UK region, the UK as a whole or even the EU. The move to the cloud therefore hasn’t complicated things too much, albeit you can no longer put your hands physically on the server or servers in which your school data is located.
Considering file storage, I think the use of cloud services has brought with it some significant benefits. Previously, where local storage was used, files might be emailed around before being downloaded by different users, copied to shared network drives, etc. Trying to find all copies of a particular file and the data within them was therefore difficult. It could be in a number of different users’ mailboxes, in PST files, on USB drives, in network folders among other locations. The tools didn’t really exist for the easy searching for files, or e-Discovery as it is now more commonly referred to. With cloud services such as Office 365, storage related to email, personal user storage and shared storage are all collected under a single umbrella service: Office 365. New compliance and e-Discovery tools have then been provided to make searching all these data locations both quick and easy (or as easy as is possible given the complexity of how files are created, shared and modified). These tools also make the exporting of reports or the exporting of the specific data items easy, whether they be emails or files. Office 365 also means users no longer need to use USBs as they can access their data anytime, anywhere.
The growth in online services being used and the growth in educational or other productivity apps is where I believe the main challenge arises. It is all too easy for someone to sign students up for a service to use in lessons. In doing so they may need to share the names of pupils, ages or date of birth and their school-based email. This constitutes personal data under GDPR. It constitutes school data. Suddenly, the school now may have data housed in US servers or in fact in servers anywhere else in the world. The common approach to resolving this is to use school policies to require staff to register or seek approval for apps or services before they use them and before they share school data with them. This, however, is not always effective, especially as enthusiastic staff seek to experiment and innovate with new apps and services as they arise. I should note I eagerly support experimentation and innovation with new EdTech tools and services; however, I am also keen to express the need for all to ensure that data protection is considered before any sharing of data.
Before trying to answer the above I think we need to step back for a bit of context. I no longer think any of us, or at least those who regularly make use of technology, can clearly identify where our data is held and what data exists. We live in a world of big data, in a world where our personal data is worth money to companies and to advertisers. I have an Android phone and use Google Maps, I use Twitter and Facebook and a multitude of educational apps, not to mention email, web surfing and internet shopping. Each device and each app has data and with every use generates more data. Every new data point allows these systems and their algorithms to generate yet more data points through Artificial Intelligence and through statistical inference. I have little clue as to exactly what each app may or may not know about me, and that’s before we even start considering how apps may mis-share data; think Facebook and Cambridge Analytica. There is also the potential, for the conspiracy theorists among us, to consider how devices such as Alexa and Google Home may be listening in on conversations. I have heard several people attest to having a conversation regarding a random item while within listening distance of a device with a microphone, only to find that similar items appear in web adverts when browsing unrelated websites. Then there is also the Dark Web and whatever data has gathered there as a result of data breaches of services we are using or have used in the past. If we are hoping to know where 100% of our personal data is, I think we are going to be sadly disappointed.
So, in the case of schools I think it will be very difficult to identify with any certainty where 100% of data is. I know this might seem contentious or even non-compliant, but I believe it is simply the hard truth in the world we now live in. The reality is that we need to take a risk-based approach, both in schools and in the wider world. We need to consider the different types and volumes of data being stored and being shared and work from there. It is important that we know where our MIS data is, as it will cover all pupils, their parents, ex-pupils, etc. It will also include a lot of data on each, potentially including sensitive categories such as medical or financial data. As this is a high risk, we therefore need to know what is stored, where, and who has access or who it is shared with. We need to have confidence regarding what data we have and its security, plus we need to have the detail. A privacy impact assessment may need to be conducted along with a risk assessment, planning for incident management and disaster recovery. Third parties, whether hosting the data or just providing the software to be hosted on site, need to be questioned as to how they ensure the security of data and how they will respond in the event of a data breach or the identification of a software vulnerability. Where the risk is lower, such as in sharing a name and school email alone with an educational app, we may need to suffice with knowing the app, the purpose and having reviewed the terms and conditions in relation to potential sharing, data security measures and data retention.
Do you know where your school data is held? My answer would be: I know where the data that matters is stored and with a lesser degree of certainty where lesser data “may” be stored, and a risk assessment has been conducted accordingly.