Out-Law / Your Daily Need-To-Know

Out-Law News

Sound data protection practices vital for universities as they embrace 'edtech', say experts


Universities must put sound data protection policies and practices into place as they adopt the latest education technologies (edtech), two experts have said.

There was a 40% rise in the number of data security incidents reported to the UK's Information Commissioner's Office (ICO) by organisations in the UK education sector during the final quarter of 2016, the watchdog recently announced.

According to the ICO's data, there was a total of 56 data security incidents in the education sector that were disclosed to the ICO between the beginning of October 2016 and the end of the year, which was second only to the volume of incidents reported by health bodies during the period.

The 56 incidents recorded included four cyber incidents, eight cases where unencrypted devices were lost or stolen, as well as other instances where personal data was sent to the wrong recipient or wrongly disclosed via email. It also included cases where personal data was not redacted where it should have been, and others where paperwork was not disposed of properly or was lost or stolen.

Information law expert Kathryn Wynn of Pinsent Masons, the law firm behind Out-Law.com, said that issues relating to the security of personal data must be taken as seriously by universities as the way they manage highly sensitive research data or valuable intellectual property (IP). She said that stiffer penalties, potentially of up to €20 million, could be imposed on universities that fail to keep personal data secure under the new General Data Protection Regulation (GDPR).

Wynn said that universities, like many other organisations, will for the first time be obliged to disclose certain personal data breaches under the GDPR. Currently, most organisations that disclose data breaches to the ICO do so voluntarily, although some businesses, such as financial firms and telecoms providers, are already required by regulation to make such disclosures in some instances. Voluntarily disclosing data breaches can help organisations escape penalty or reduce the level of fine imposed on them for lapses in security, Wynn said.

Chris Martin of Pinsent Masons said that the need for universities to deploy sound data protection practices is particularly pressing given that many institutions are adopting new edtech solutions in a bid to improve the teaching and learning experience for students.

Martin said: "Digital transformation is high on the agenda for the UK higher education sector’s senior management, both in terms of maximising research impact and delivering a modern and customised teaching experience. Many of the potential benefits that may be harnessed derive from increased and more effective collection, interrogation and use of data."

"The use of learning analytics tools is a good example. The use of such tools and the growing importance of data to the UK’s research and teaching communities make information security a critical issue for the UK’s higher education community, particularly at a time when third party cloud-based solutions are increasingly being adopted by UK universities for the hosting of applications and data," he said.
