South African schools are increasingly embracing the digital universe and the Covid-19 pandemic has accelerated their adoption of online communication and digital strategies.
Out of pure necessity, as school gates shut in March, many schools made the agile pivot to online education, as well as intensive online communication with learners and parents alike.
But dangerous risks are emerging as schools take this online leap and parents should be sure to ask important questions.
For instance, asks Willem Kitshoff, CEO of the d6 Group, is personal information held by the school safe?
Schools hold a vast amount of private information on their learners and their families. This can include anything from their home address, parents’ occupations, work name and address, ID numbers, bank account details for debit orders, the number, age and name of children in the family, closest relatives, telephone numbers, health conditions and more.
In addition, he questions whether schools have the systems in place and defence mechanisms to keep learners’ and parents’ details secure.
Finally, are schools abiding by the laws which require them to protect our privacy, such as the Protection of Personal Information Act (PoPIA)?
Some experts have warned that up to 95% of schools may not be POPIA-compliant.
Kitshoff warns that not all schools are harnessing smart technology, which is leading to increasing concerns about data security.
“There are so many advantages to the adoption of online strategies and the increasing use of digital platforms to improve a wide range of relationships within school communities,” he says. “But school communities comprise real people, with real rights – who also need to be protected online. So it’s essential to balance speed, efficiency and ease-of-communicating with very best security and privacy protocols.”
Ross Saunders, who advises d6 as a specialist in data privacy and cyber security, explains some of the risks to parents and learners: “Information that is insecurely stored carries a tremendous risk of being leaked out.
“Once information is leaked, it’s like toothpaste from a tube. Risks to the person who the data belongs to would likely be identity theft, fraudulent transactions, and extortion.”
For schools, Saunders advised, there are further potential concerns: “Risks to the school would most certainly be reputational damage, but under PoPIA there would likely be an inclusion of fines, civil liability (being sued) or both. Schools can also be held to ransom for the information they hold, should a ransomware attack occur due to insecure practices.”
Saunders says parents should be asking questions around the security of platforms in use by the school, as well as any other manual processes within the school.
“Parents should hold schools accountable for the way the school stores, processes, and retains information and individuals have the right under PoPIA to request a breakdown of what information a school holds about them and their children, and schools are obliged to provide the information,” he adds.
“Schools, in turn, should only keep the minimum information required to fulfil their obligations, and ensure that this information is stored securely whether it’s in electronic or physical form.”
On the management front, many school governing bodies (SGBs) take on much of the responsibility for deciding what systems their schools adopt.
Saunders explains: “Part of the law is to ensure that security safeguards are in place when it comes to data. The SGB should focus on the school’s policies and procedures, ensuring that secure practices are in use and that privacy is front-of-mind.
“Cyber security and network security are critical for electronic data, while access control and physical security measures need to also be addressed for hard-copy information. SGB’s need to review the processes and any data transfers, satisfying themselves that security and privacy has been considered within a school’s day-to-day operations.”
Kitshoff says both schools and parents are well-advised to interrogate the systems in place at their own school, to ensure they are secure and compliant.