School Data (mis) Management
Yup, this, for me, is more about how school's manage data, rather than the hardly new revelation that Google/Facebook et al are not-so-secret data slurpers/profilers/sellers.
Let's not forget, schools are full of kids. The personal data they capture & manage includes name, address, date of birth, ethnicity, special ediucation needs, contact details etc on vast swathes of the population, most of whom are under 16. This stuff should be treated *way* more carefully than it is at present.
I started looking into how my kid's school manages data earlier this year. It's not pretty...
The ICO registration that schools use are all the same and deficient. How many will even have read it?
The data processing consent forms schools send to parents don't tell anything like the whole story on data processing or sharing. Consent to process & share is assumed if forms are not returned.
There is no data retention policy in place either within the school, or with 3rd party data processing providers with whom data is shared.
Ask your kid's school how many external organisations they voluntarily share data with (not many are legally mandated). You might expect a few. Try over 40. WTF!?!?!
Ask them to justify on a case by case basis the fields they send to each 3rd party. They can't. They run the same extract and send it to them all. It's easier that way apparently.
Due diligence relating to external data processors is laughable: 'Everyone else uses them so it must be OK'. Doh!
Once personal data leaves the school they realistically have no idea where it is stored, what safeguards are in place, who has access to it, what they do with it and if they sell it on for profit.
The upcoming GDPR is intended to address some of these issues, Brexit notwithstanding:
https://en.wikipedia.org/wiki/General_Data_Protection_Regulation
/rant
Biting the hand that feeds IT
