Using a simple traffic light system for categorising types of information commonly found in schools and the classroom.
Introduction
This isn’t intended to be an exhaustive list but is a good overview of the types of information found in schools and how they should be best handled to ensure data protection and confidentiality.
Red
High confidentiality data (such as that listed below) should only be stored on a secure system, encrypted both in transit and at rest. Access to this data should be secured by two-factor logons and should only be given to authorised users within your organisation, and to outside contractors/individuals only when necessary.
External users should also adhere to equivalent security practices (e.g. restricted access and two-factor logins). This type of data should not be removed from your systems and duplicated, unless under exceptional circumstances.
Most of the data below would typically be held within an MIS system, but there may be other sources, such as a SEN Register or spreadsheet that would also be considered to contain highly confidential data.
- Personal Data (Staff, students, parents, contacts etc)
- Medical or health information
- Dates of Birth and personal information (such as religious beliefs)
- Student Data
- Sensitive personal information, such as family/home situation
- SEND information
- Pupil UPNs
- Passport or ID information
- In-Care details
- FSM details
- Telephone numbers or personal email addresses
- Parental Data
- Sensitive information, such as legal or financial data
- Web logs or Browsing Histories
- Retention of these forms of data should only be undertaken for specific purposes, with details about this process clearly communicated to all users
Amber
Medium confidentiality data should only be stored on an organisation system or device, encrypted both in transit and at rest. Access to this data should be secured by two-factor logons.
This sort of data may be shared with third-party contractors, organisations and individuals where required for the fulfilment of services (e.g. trips and visits) but only where people have been informed (generally via data processing or consent forms).
Typically, medium confidentiality data may reside under the control of individuals within the organisation (e.g. teacher markbooks in their Google Drive) rather than fully centralised systems.
- Personal Data (Staff, students, parents, contacts etc)
- Trip contact forms and details
- Emergency allergy or conditions that need to be widely known to ensure safety (e.g. peanut allergy, asthma, heart arrhythmia)
- Names and addresses
- Emergency contact details, such as Telephone numbers or email addresses
- Teacher Markbooks
- Admission numbers / Student Identifiers (except sensitive identifiers such as UPNs)
- Names
- Groups or Sets
- Grades
- Comments about academic progress
- Brief markers about handling medical or SEND conditions (such as ‘sit near front of class’ or ‘may need to leave the classroom urgently’)
- Not details about actual SEND conditions or medical information (brief, non-specific markers only)
- Registers and Attendance Data
- Names
- Absence Codes
- Parental letters containing sensitive, medical or personal information should be treated as highly confidential information
Green
Low confidentiality information should not contain any personal data at all. This means it can be stored on any device, and does not need any special handling or logons.
It can be widely shared with other colleagues both inside and outside your organisation. Continuity of access is more critical with this type of information (e.g. ensuring lesson plans are not lost when staff leave).
- Lesson Plans
- Should never refer to individuals; if specific instructions are required for particular students, then these should be phrased generically (e.g. students with attention issues should be checked at frequent intervals to make sure they understand the task in hand)
- Teaching Materials
- Handouts
- Worksheets
- Slides
- Model answers for exams (with any personally identifying information redacted)
- Departmental Resources
- Workbooks
- Equipment Lists
- Experiment details
- Safety and material handling procedures
Applying
Overlaying this information onto your documents is an excellent way to ensure everyone knows what sort of information they are dealing with! You can use Google metadata and this handy Chrome Extension to do just that. Simply install it and sign in with your Google Account. Then you can add tags to your documents to indicate how confidential the information in them is.