Can data protection be breached in schools?
THERE IS THIS MISCONCEP TION held by most school owners and stakeholders in Nigeria about data protection. They often think that data protection doesn’t apply to them. Yet, the Nigerian Data Protection Regulation(NDPR) makes it clear that any organisation that manages data must pay attention to their data protection programs. In this week’s piece, I will enumerate, for clarification purposes, when schools can breach data protection.
Before I delve into copious examples of how schools can breach data, I would like to state clearly that without a robust data protection framework, any organisation— private or public—expose themselves to data protection breaches. I have mentioned these in past articles, but it is worth reiterating here again.
Nigerian parents love education, and they want their children to get the best of it. However, they barely ask whether their children’s data is protected and if these schools pay attention to the protection of the freedoms and rights of their children. Research shows that Nigerian institutions don’t pay apt attention to data protection. They only pay attention to the business at hand and miss the importance of what protects their business functionalities which is data governance.
There are many ways schools can breach data.
A university staff’s laptop contains the names of students who just paid their school fees, and this laptop includes the payment details of these students, which comprises account numbers, addresses and their names. The staff closed on one sunny day and was in a hurry to get to a church meeting organised by the university, and forgot to shut down his system correctly. He rushed out of the office. Then, some minutes later, a cleaner within the same university stumbled upon the open laptop and downloaded the whole document as a CSV file and sends to his friend. Days later, the individual, pretending to be the university, extracted funds from the parents. It was an embarrassing experience for the said school. The university kept the situation quiet and worked internally to crush the case. But, their actions were too late.
An unauthorised person accessing data is a significant example of data breaches in Nigerian schools. What’s more, they don’t place the right encryption tools on staffs’ personal computers. There are numerous examples of this case.
Another case comes to mind here, a primary school somewhere in Lekki, changes their computer systems. They dispose of their old computers without doing the right deletions or wiping out the data from the hard drives and therein lies the problems. After some months, they get complaints from parents getting unusual requests. The primary school headmaster is confused as to how parents are receiving these messages. Here, there is a clear breach. Without appropriate deletion of data within the systems, the primary school has breached the data protection regulation. Schools must have a proper deletion strategy, or if they need to use the information for further development of their information systems, they must pseudonymise the data.
Sending wrong information to the wrong parents is another common situation. A parent receives information about another student. The parent is surprised as to why she is getting the data of another student. She calls the school, and they apologise about their actions. That in itself is a breach on two levels. One, the school sends a student’s information to another recipient and thereby exposing that student to risk.
Loss of availability of personal data is a big one within schools. You must have heard about the situation of missing results or missing receipts or missing information about students. It is a daily occurrence. Data integrity is not adhered to by many schools, and therefore, they breach data protection regulation here.
There are many scenarios where schools can breach data protection. This article is a call to Nigerian schools to pay attention to their data protection frameworks. It will save them from reputational, financial and legal damages. Stakeholders within the Nigerian educational system must step up when it comes to data protection or face the repercussions presented by their lackadaisical approach to data privacy.
*Dr. Irene is Data Protection Consultant and writes in from London.