DATA PROTECTION COMPLIANCE IN SCHOOLS
By HARRY DAVID
OUTLINE
- Introduction
- Privacy Notices in Schools
- Technical Safety and Security Measures in Data Protection
- Key Players of NDPR
- Student Subject Access Requests
- Sharing Personal Information
- Data Transfer to Other Countries
- Publishing Exam Results
- Data Protection Policies
- Preventing Data Security Breaches in Schools
- Conclusion
- Recommendation
Introduction
- What is Data Protection?
  - The process of safeguarding personal data from unlawful access, alteration, processing, transfer or destruction.
- Need for Data Protection in Schools
  - Data protection in schools is a must. Schools work with an incredible amount of personal data, including pupil names, addresses, medical information, images, and more. Additionally, information relating to job applicants, governors, staff, and volunteers is often stored in a school database.
- What is the Data Protection Act?
  - The Data Protection Act is designed to protect the privacy of individuals. It requires any personal information about an individual to be processed securely and confidentially.
NDPR
- What is NDPR?
  - The Nigeria Data Protection Regulation (NDPR) is a set of rules about how an organization should process the personal data of individuals.
  - NDPR was issued on the 25th of January, 2019.
- NDPR's objectives include:
  - To safeguard the rights of natural persons to data privacy.
  - To foster safe conduct of transactions involving the exchange of personal data.
  - To prevent manipulation of personal data which may lead to a breach of public peace and national security.
NDPR Principles
- There are 7 key principles of NDPR that schools should be aware of in order to comply efficiently.
- Lawfulness, Fairness and Transparency
  - All data must be obtained on a lawful basis, leaving individuals fully informed, and complying with NDPR legislation in full.
- Purpose Limitation
  - When it comes to your privacy notice, it is paramount that you inform all data subjects of the purpose of your school's data collection.
- Data Minimization
  - All personal data collected must be adequate, relevant, and limited to what is necessary for the purposes for which it is processed.
- Accuracy
  - Any personal data has to be "accurate and, where necessary, kept up to date". Therefore, all old and outdated records, contracts, and personal data must be erased as soon as this information is no longer essential.
NDPR Principles
- Storage Limitation
  - This principle relates to data minimization and clearly states that personal data has to be "kept in a form which permits identification of data subjects for no longer than necessary".
- Integrity and Confidentiality
  - This principle states that personal data must be handled "in a manner ensuring appropriate security", which includes "protection against unlawful processing or accidental loss, destruction or damage".
- Accountability
  - Finally, all schools are fully responsible for compliance with the principles outlined in the NDPR.
Personal Information
- What is Personal Information?
  - Personal information can be defined as anything relating to an individual that identifies them. This applies to both physical and digital records.
- Examples of personal information that a school may store include:
  - Names and dates of birth of both staff and students.
  - Images of staff and students that confirm their identity and can be linked to additional personal information.
  - National Insurance numbers.
  - Addresses of staff and students.
  - Financial records, such as tax information and bank details.
  - Exam results and class grades.
  - School assessments and marks.
Privacy Notices in Schools
- To ensure NDPR compliance, schools must display clear privacy notices on the school premises, at reception and on the school's website.
- The purpose of a privacy notice is to present and summarize what information the school requires, why this information is being collected, and which third parties are privy to such data.
- The individual to whom the information relates must give full consent to your school in order for you to store it.
- All school privacy notices need to cover these key areas:
  - Information on how you intend to collect personal data.
  - The purposes for which you intend to process the information.
  - Guidelines for transferring or sharing data outside of the school.
  - Information on how data will be kept up to date.
  - Details of computer security, such as firewalls and computer passwords.
Technical Safety and Security Measures in Data Protection
- Once personal information relating to staff, parents, and pupils is acquired, it has to be kept secure.
- Loss of information or unauthorized access can cause severe damage to individuals.
- Failure to protect this information can lead to severe penalties for a school's managerial team, not to mention the impact a data breach could have on the school's reputation.
- All manual and digital records must be protected with a level of security that directly reflects the potential harm that could come from data loss or misuse.
- Additionally, robust procedures must be put in place to respond to security breaches.
Security Measures in Data Protection
- Potential security measures for school data protection include:
  - The use of strong passwords.
  - Encryption of all personal information stored electronically.
  - Shredding of all physical copies of confidential waste.
  - Installation of virus-checking software and firewalls on school computers.
  - Turning off all 'auto-complete' settings.
  - Limiting access to personal information wherever necessary.
  - Holding telephone calls in designated private areas.
  - Ensuring that all storage systems are secure.
  - Keeping digital devices locked away securely when not in use.
  - Making sure that all papers and devices containing sensitive information are stored securely.
Key Players of NDPR
- There are six main key players in data protection:
  - National Information Technology Development Agency (NITDA)
  - Data Protection Compliance Organization (DPCO)
  - Data Protection Officer (DPO)
  - Data Controller
  - Data Processor
  - Data Subject
Key Players
- What is NITDA?
  - The National Information Technology Development Agency (NITDA).
  - NITDA is a public service institution established by the NITDA Act 2007.
  - It has sole responsibility for developing programs that cater for the running of ICT-related activities in the country.
  - NITDA is also mandated with the implementation of policy guidelines for driving ICT in Nigeria.
- What is a DPCO?
  - A DPCO is a NITDA-licensed organization that provides data protection services.
  - A DPCO may be a professional services consultancy firm, an IT service provider, an audit firm or a law firm.
  - A DPCO may be certified in data science, data protection and privacy.
Key Players
- Who is a DPO?
  - An employee responsible for overseeing a company's data protection strategy and its implementation to ensure compliance with NDPR (Nigeria Data Protection Regulation) requirements.
  - The DPO is responsible for informing the controller or processor and their employees of data protection regulations, and for monitoring compliance.
- Who is a Data Controller?
  - An entity that determines the purposes for and the manner in which personal data is processed.
  - The data controller determines the kind of personal data to collect and the legal basis for doing so.
  - The data controller also determines the means used to transfer personal data from one organization to another.
Key Players
- Who is a Data Processor?
  - An organization that processes data on behalf of a controller.
  - Data processors can only act under the authority of a controller.
  - A data processor's major responsibility is to support the controller.
  - Data processors do not own or control the data they process.
- Who is a Data Subject?
  - A data subject is any individual person who can be identified, directly or indirectly, via an identifier such as a name, an ID number or location data, or via factors specific to the person's physical, physiological, genetic, mental, economic, cultural or social identity.
  - The data subject is the individual whose data is being processed.
Student Subject Access Requests
- A student, or someone acting on their behalf, has the right to make a request to see any personal data their school holds about them and why.
- Parents are only entitled to access the personal information held about their child if the child is unable to act on their own behalf, or if the child has given consent to their parent.
- Before responding to an access request, you need to consider whether the child is mature enough to understand their rights. If they are, then your response to the request should go to the child, not their parent.
- A subject access request needs to be made in writing, whether it is a letter, an email or a social media message.
Sharing Personal Information
- There are occasions where sharing personal data with local authorities, other schools, different departments or social services cannot be avoided. It may be that without sharing the data, actions cannot be completed.
- You must consider all the legal implications and ensure that you have the ability to share the specified data.
- For example: what is the intention behind sharing? Who requires the data, which data is needed and what will it be used for?
- Consent must be given by the individual before their personal information can be shared.
- This is usually part of the privacy notice issued when the data is first collected.
Data Transfer to Other Countries
- Data should only be transferred to other countries if they have suitable or equivalent security measures.
- Your school should obtain explicit consent from the individual if personal data needs to be processed outside Nigeria.
- If the school cannot establish a safe system of data protection with another country, it should not even consider sharing the personal data.
Publishing Exam Results
- The Data Protection Act does not stop schools from publishing exam results online or in the local press.
- However, if you intend to do so, you must act fairly.
- You must inform students first that their results will be published and how the information will be displayed, so they have the opportunity to voice any concerns and withdraw their result from the list if desired.
Data Protection Policies
- The aim of a data protection policy is to help staff understand how to safely and fairly process personal information.
- The policy should include practical guidance on what can and cannot be done with data.
- Furthermore, it should be communicated to employees regularly.
- It is important that all staff receive guidance on the confidentiality of personal information.
- The policy will stipulate how individuals can use the internet and email for private communications securely.
Use Policy
- An acceptable use policy (AUP) is a document that outlines a set of rules to be followed by users or customers of a set of computing resources, which could be a computer network, a website or a large computer system.
- A use policy should cover the following:
  - Email: Is homework or other personal data shared between students and staff via email? Can it be done securely? Can you avoid emailing sensitive data to parents? When sending bulk emails, are staff using the BCC function to protect the email addresses of potentially hundreds of parents?
  - Mobile technology: The use policy should explain how people can use mobiles securely and safely and what restrictions apply where needed. Aspects to consider include video messaging, mobile access to the internet, entertainment services (e.g. streaming), and information-based services.
  - School websites: Your website should have a clear, detailed privacy statement that states how your school intends to use the information it acquires about data subjects and how it will process that information securely.
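The BCC point in the email bullet above is easy to get wrong in practice, so here is an added example (not part of the original slides) showing, with Python's standard library only, how a bulk notice to parents is built with every parent on Bcc, how that compares with the mistake of listing everyone in To, and a small check that confirms no parent address appears in the message bytes that actually go out. The sender and parent addresses are constructed placeholders.

```python
"""
Bulk email to parents with recipient addresses hidden via Bcc.

Added example, not part of the original slides. All addresses and the
message text are constructed placeholders.
"""
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import SMTP

# Constructed sample data: placeholder mailboxes, not real people.
SCHOOL_SENDER = "office@school.example"
PARENT_ADDRESSES = [
    "parent.one@example.org",
    "parent.two@example.org",
    "parent.three@example.org",
]


def build_bulk_message(subject, body, recipients, sender=SCHOOL_SENDER):
    """Correct form: the only visible recipient is the school's own mailbox;
    every parent goes on Bcc, so no parent sees another parent's address."""
    msg = EmailMessage(policy=SMTP)
    msg["From"] = sender
    msg["To"] = sender
    msg["Subject"] = subject
    msg["Bcc"] = ", ".join(recipients)
    msg.set_content(body)
    return msg


def build_leaky_message(subject, body, recipients, sender=SCHOOL_SENDER):
    """The mistake the use policy asks about: all parents listed in To,
    which discloses the whole list to every recipient."""
    msg = EmailMessage(policy=SMTP)
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def envelope_recipients(msg):
    """Addresses the mail server delivers to: everything in To, Cc and Bcc.
    Bcc recipients are part of the SMTP envelope even though they are not
    part of the transmitted message."""
    addrs = []
    for header in ("To", "Cc", "Bcc"):
        for value in msg.get_all(header, []):
            addrs.extend(a.strip() for a in str(value).split(","))
    return [a for a in addrs if a]


def wire_bytes(msg):
    """The bytes each recipient actually receives. The Bcc header is
    stripped before transmission, as smtplib.send_message does."""
    outgoing = message_from_bytes(msg.as_bytes(), policy=SMTP)
    del outgoing["Bcc"]
    return outgoing.as_bytes()


def leaked_addresses(wire, recipients):
    """Detection check: which recipient addresses are visible in the
    transmitted message? Empty for a correct Bcc send."""
    text = wire.decode("ascii", errors="replace")
    return [r for r in recipients if r in text]


if __name__ == "__main__":
    subject, body = "Term dates", "Please see the attached term dates."
    good = build_bulk_message(subject, body, PARENT_ADDRESSES)
    bad = build_leaky_message(subject, body, PARENT_ADDRESSES)
    print("envelope recipients:", envelope_recipients(good))
    print("leaked by Bcc send:", leaked_addresses(wire_bytes(good), PARENT_ADDRESSES))
    print("leaked by To send: ", leaked_addresses(wire_bytes(bad), PARENT_ADDRESSES))
```

When the message is handed to `smtplib.SMTP.send_message`, the library reads To, Cc and Bcc to build the envelope and removes the Bcc header before sending, which is what `wire_bytes` reproduces here. The `leaked_addresses` check is the kind of test a school's IT staff can run against any bulk-mailing script or template before it is used on a real parent list.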
Preventing Data Security Breaches in Schools
- Schools must prevent breaches of data through the internet, intranet, and email systems.
- Therefore, your school should consider the following:
  - Does the school have a Data Protection Policy in place?
  - Does the school have a Use Policy in place?
  - Is the use of the internet, email, and/or chat rooms monitored and regulated in some way?
  - Are filtering systems used to prevent access to inappropriate materials and sites on the internet and network?
  - Is there a reporting procedure in place for accidental access to inappropriate materials or sites?
  - Is internet safety taught as part of the curriculum?
  - Does the school follow safe practices when publishing images and names of students on its website?
Conclusion
- Schools must display clear privacy notices on the school premises, at reception and on the school's website.
- Schools must ensure that robust procedures are put in place to respond to security breaches.
- The key players of NDPR ensure that all NDPR (Nigeria Data Protection Regulation) rules are complied with.
- Schools must ensure that students give consent before their personal data is shared.
- Schools must ensure that students give consent before their exam results are published.
- Schools must respond to access requests provided the demands are not excessive.
- A Use Policy must be present in schools.
Recommendation
- It is of great significance that schools commence the implementation of NDPR; the benefits outweigh the drawbacks.
- The benefits include:
  - School image and reputation are improved.
  - Student trust and confidence are built.
  - Risk from data breaches and hackers is decreased.
  - Security incidents are minimized.
  - Payment of fines is avoided.