‘Don’t leave colleges to fend for themselves’: a journey towards GDPR compliance
How the further education sector in the UK is working together to embrace GDPR.

Colleges and other FE providers have done well and shown the power of community in the face of significant challenges, but this does not mean that they should be left to fend for themselves. Greater guidance from the government and regulators is required to support the FE sector in building a secure and compliant 21st-century education.
Battling finance and resource
One of the most prevalent issues for further education providers since the enforcement of GDPR is a lack of finance and resource.
The data collection I undertook for this research revealed that only 21 of the 220 FE providers who responded to a freedom of information (FoI) request have a dedicated data protection officer. This is largely due to either a lack of budget to employ a dedicated member of staff for this role – the median FTE salary of a DPO in the FE sector being £36,993 pa – or the provider not being of a size where they feel such a dedicated role is justified.
The research also revealed a lack of clear guidance specifically for the sector. Guidance from the Department for Education (DfE) largely concerns schools, without a dedicated focus for further or higher education, and as such has been criticised by research participants as ‘substandard’.
This has led to inconsistency across FE in applying a lawful basis for parental contact to discuss the performance and progress of a student. 55% of providers are using the lawful basis of consent. I recommend all providers give serious consideration to this because it supports a privacy-by-default approach. Without clear guidance on the preferred practice, further education providers are left to implement policies that are applicable only to their own institutions.
Further challenges include safeguarding data. 6% of data breaches in FE since the enforcement of GDPR have met the criteria to be reportable to a supervisory authority. Although this doesn’t seem like a high percentage, any breach of this level is a serious threat. However, the fact that 94% of breaches have not met the reporting criteria is a testament to the measures FE providers have put in place to identify breaches and to how they have mitigated them.
Making good progress
Despite significant challenges, FE providers have made some good progress in adapting data protection strategies and processes to comply with GDPR. The research shows providers consistently identify the same tasks on internal action plans, showing a harmonious approach despite a lack of formal guidance. It also reveals that the importance of data protection regulation is recognised across all levels of providers, and that students trust FE providers with their data.
It is this recognition that contributes to 98% of providers delivering staff training on data protection and ensuring that data subject rights requests are answered in good time. 98% of right-of-access requests and 87% of right-of-erasure requests received in year one of GDPR had been responded to within the statutory timeframe.
The need to revisit data protection governance to ensure compliance with GDPR has also increased the focus on IT security throughout the sector. This is well-timed given that Cyber Essentials is becoming an Education and Skills Funding Agency (ESFA) requirement with more stringent frameworks on the horizon.
The power of community
A thriving FE community plays a large role in the maintenance of this best practice. There are JiscMail groups dedicated to data protection conversations, and even communities amongst local providers. It is common to see collaboration between providers in the same geographic area, with evidence of this working particularly well in Scotland. Partnerships also exist in other parts of the UK, where FE providers come together to confer on various issues, and there is a certain ‘safety in numbers’.
We also see that, nationally, geographically disparate colleges can coincidentally employ the same processes and policies independently of one another, again showing a consistency in approach that does not depend on government regulation.
This research project is just the beginning of the conversation – GDPR has been described as ‘the most monumental pan‐European regulation in the last decade’, and long-term, formal guidance is required.
The full research is available on the Solent Electronic Archive website.
For more discussion about data protection in FE, sign up to hear Benjamin speak at Jisc’s security conference, free to attend online from 3-5 November 2020.