In SCHOOLS
By
HARRY DAVID
OUTLINE
Introduction.
Privacy Notices In Schools.
Technical safety and security measures in Data protection.
Key players of NDPR.
Student Subject Access Requests.
Sharing Personal Information.
Data Transfer to Other Countries.
Publishing Exam Results.
Data Protection Policies.
Preventing Data Security Breaches in Schools.
Conclusion.
Recommendation.
Introduction
What is Data Protection?
Data protection is the process of safeguarding personal data from unlawful access,
alteration, processing, transfer or destruction.
NDPR
What is NDPR?
The Nigeria Data Protection Regulation (NDPR) is a set of rules about how an organization
should process the personal data of individuals.
NDPR Principles
There are 7 key principles of NDPR that schools should be aware of in order
to comply efficiently.
Lawfulness, fairness, transparency.
All data must be obtained on a lawful basis, leaving individuals fully informed, and
complying with NDPR legislation in full.
Purpose Limitation
When it comes to your privacy notice, it’s paramount that you inform all subjects
about the purpose of your school’s data collection.
Data Minimization
All personal data collected must be adequate, relevant, and limited to what is
necessary concerning the purposes for which they are processed.
Accuracy
Any personal data has to be “accurate and where necessary, kept up to date”.
Therefore, all old and outdated records, contracts, and personal data must be erased as
soon as this information is no longer essential.
Storage Limitations
This principle relates to the process of data minimization and clearly states that
personal data has to be “kept in a form which permits identification of data
subjects for no longer than necessary”.
Integrity and Confidentiality
This principle states that personal data must be handled “in a manner ensuring
appropriate security”, which includes “protection against unlawful processing or
accidental loss, destruction or damage”.
Accountability
Finally, all schools are fully responsible for compliance with the principles
outlined in the NDPR.
Personal Information
What is Personal Information?
Personal information can be defined as anything relating to an individual that
identifies them. This applies to both physical and digital records.
Privacy Notices In Schools
To ensure NDPR compliance, schools must display clear privacy notices on
the school premises, in reception and on the school's website.
The purpose of a privacy notice is to present and summarize what
information the school requires, why this information is being collected,
and which third parties are privy to such data.
The individual to whom the information relates must give full consent to
your school in order for you to store it.
Security Measures in Data Protection
Potential security measures for school data protection include:
The use of strong passwords.
Encryption of all personal information stored electronically.
Shredding of all physical copies of confidential waste.
Installation of virus checking software and firewalls on school computers.
Turning off all ‘auto-complete’ settings.
Limiting access to personal information wherever necessary.
Holding telephone calls in designated private areas.
Ensuring that all storage systems are secure.
Keeping digital devices locked away securely when not in use.
Making sure that all papers and devices containing sensitive information are stored
securely.
Key players of NDPR
There are six main key players in data protection. They are the
following:
National Information Technology Development Agency (NITDA).
Data Protection Compliance Organization (DPCO).
Data Protection Officer (DPO).
Data Controller.
Data Processor.
Data Subject.
Key Players
Who is NITDA?
National Information Technology Development Agency (NITDA).
NITDA is a public service institution established by the NITDA Act 2007.
It has sole responsibility for developing programs that cater for the running of
ICT-related activities in the country.
NITDA is also mandated with the implementation of policy guidelines for
driving ICT in Nigeria.
Who is a DPCO?
A DPCO is an organization licensed by NITDA (National Information Technology
Development Agency) that provides data protection services.
A DPCO may be a professional service consultancy firm, IT service provider,
audit firm or law firm.
A DPCO may be certified in data science, data protection and privacy.
Who is a DPO?
A DPO is an employee responsible for overseeing a company’s data protection
strategy and its implementation to ensure compliance with NDPR (Nigeria
Data Protection Regulation) requirements.
The DPO is responsible for informing the controller or processor and their
employees of data protection regulations, monitoring, and compliance.
Who is a Data Controller?
A data controller is an entity that determines the purposes for and the manner
in which personal data is processed.
The data controller determines the kind of personal data to collect and the
legal basis for doing so.
The data controller also determines the means used to transfer personal data
from one organization to another.
Who is a Data Processor?
A data processor is an organization that processes data on behalf of a controller.
Data processors can only act under the authority of a controller.
A data processor's major responsibility is to support the controller.
Data processors do not own or control the data they process.
Student Subject Access Requests
A student, or someone acting on their behalf, has the right to make a
request to see any personal data their school holds about them and why.
Parents are only entitled to access the personal information held about
their child if the child is unable to act on their own behalf, or if the child
has given consent to their parent.
Before responding to an access request for information, you need to
consider whether the child is mature enough to understand their rights. If
they are, then your response to the request should go to the child, not their
parent.
A subject access request needs to be made in writing, whether it’s a letter,
email or social media message.
Sharing Personal Information
There are occasions where sharing personal data with local authorities,
other schools, different departments or social services cannot be avoided.
It may be that without sharing the data, actions cannot be completed.
You must consider all the legal implications and ensure that you have the
ability to share the specified data.
For example, what is the intention behind sharing? Who requires the data,
which data is needed and what will it be used for?
Consent must be given by the individual before their personal information
can be shared.
This is usually part of the privacy notice issued when the data is first
collected.
Data Transfer to Other Countries
Data should only be transferred to other countries if they have suitable or
equivalent security measures.
Publishing Exam Results
The Data Protection Act does not stop schools from publishing exam
results online or in the local press.
You must inform students first that their results will be published and how
the information will be displayed, so they have the opportunity to voice
any concerns and withdraw their result from the list if desired.
Data Protection Policies
Use Policy
An acceptable use policy (AUP) is a document that outlines a set of rules
to be followed by users or customers of a set of computing resources,
which could be a computer network, website or large computer system.
A use policy should cover the following:
Email: Is homework or other personal data shared between students and staff via
email? Can it be done securely? Can you avoid emailing parents sensitive data?
When sending bulk emails, are staff using the BCC function to protect potentially
hundreds of parents’ emails?
Mobile technology: The use policy should explain how people can use mobiles
securely and safely and what restrictions apply where needed. Aspects to consider
include video messaging, mobile access to the internet, entertainment services (e.g.
streaming), and information-based services.
School websites: Your website should have a clear, detailed privacy statement that
states how your school intends to use the information it acquires about data
subjects and how it will process that information securely.
Preventing Data Security Breaches in Schools
Schools must prevent breaches of data through the internet, intranet, and
email systems.
Therefore, your school should consider the following:
Does the school have a Data Protection Policy in place?
Does the school have a Use Policy in place?
Is the use of the internet, email, and/or chat rooms monitored and regulated in
some way?
Are filtering systems used to prevent access to inappropriate materials and sites on
the internet and network?
Is there a reporting procedure in place for accidental access to inappropriate
materials or sites?
Is internet safety taught as part of the curriculum?
Does the school follow safe practices when publishing images and names of
students on their website?
Conclusion
In conclusion:
Schools must display clear privacy notices on the school premises, in reception
and on the school's website.
Schools must ensure that robust procedures are put in place to respond to
security breaches.
Key players of NDPR ensure that all NDPR (Nigeria Data Protection
Regulation) rules are complied with.
Schools must ensure that students give consent before their personal data is
shared.
Schools must ensure that students give consent before publishing their exam
results.
Schools must respond to access requests provided the demands are not
excessive.
The Use Policy must be present in schools.
Recommendation
It is of great significance that schools commence the implementation of
NDPR; the benefits outweigh the drawbacks.
The benefits include:
School image and reputation are improved.
Student trust and student confidence are built.
Risks from data breaches and hackers are decreased.
Security incidents are minimized.
Avoidance of payments of fines.