A duty of care

Why data security must be a priority for UK education

By Holger Bollmann, Director, WPM Education

There’s an assumption within UK education that a great student experience is a matter of academics: offer the right programmes, put the best available lecturers in charge of them, and you’re good to go.  

This is wrong. Student experience is made up of a whole range of elements, and while some may be perceived as more important than others, none should be neglected.

At WPM, we recently conducted a study in collaboration with YouGov that surveyed students at HE and FE institutions, and their parents, about what matters to them most when it comes to choosing an institution. While the research indicated that academic standards remain a critical issue, it also suggested that more factors play into opinions and decision-making than conventional wisdom might suggest. For instance, some 91% of all students surveyed think that adherence to data protection regulation is important – an overwhelming majority, and one that institutions would be well-advised to listen to.

Of course, no university or college falls short on information security on purpose, but in the wake of several highly publicised security incidents inside and outside of education, it’s vital to think about what your organisation can do to achieve, sustain, and promote information security and compliance programmes.

Meeting security standards

So what can institutions like yours do about it? Well, it falls on your college or university to do what it does best: educate. A 2015 study found that 52% of data breaches are directly attributable to human error. If you can make staff aware of relevant best practices and the underpinning security standards, you can instantly bolster your organisation’s defences. Naturally, the first thing to do is make sure that everyone knows what these standards are.

There are two main benchmarks to be aware of. The first is enshrined in UK law: The Data Protection Act 1998 (DPA) decrees that any organisation which processes the information of ‘identifiable living people’ has to ensure that it is kept private and secure.

The second isn’t legislative in nature, but it might as well be: the Payment Card Industry Data Security Standard (PCI DSS) was established to ensure that identity control, information safety, and network protection are all properly accounted for. Non-compliance resulting in a compromise will almost certainly also put you in breach of the DPA and can cost you up to £500,000 in fines from the Information Commissioner’s Office (ICO). Your institution is almost certainly already contractually obliged to comply with PCI DSS, as it forms part of the merchant agreement under which you are able to process credit and debit card payments.

Adhering to these rules requires vigilance, regular training and constant promotion of the standard’s values. This doesn’t amount to anything as simple as making sure every member of staff watches the same video and takes the same course: they need to understand how to manage key systems and handle key data in a manner fitting to their job requirements.

Data security training should therefore be tailor-made to each role, and kept as current and simple as possible: best practice from a couple of years ago will often be slightly outdated, and best practice from several years ago may as well come from ancient Egypt – for all the relevance it has to contemporary IT.

Your college or university also needs to be able to assign resources to the promotion, maintenance, and management of information security compliance programmes. Hackers are nothing if not persistent, and will often find a way: make sure you’ve allocated the funds needed for routine monitoring of your data security processes – and of how they’re affecting critical operational drivers. The first step towards improving your performance is knowing where you’re going wrong. Your institution needs to embody proper information security values, and that requires a level of self-scrutiny: you have to understand the flaws in your processes, and adjust your compliance programmes to address them.

Safety first

Naturally, in an age of belt-tightening, budgeting for information security compliance programmes is easier said than done, and you may well bristle at the idea of investing in something that will have no meaningful effect on your league table rankings.

Nonetheless, rankings aren’t everything, and security is important to students and parents alike, particularly as it pertains to making payments to their institution. Our research reveals that some 71% would be less likely to recommend a college or university in the event of an unsatisfactory payment experience. To bolster your reputation and safeguard your finances, investment in data security compliance programmes is an absolute imperative – and one that will require resources on an ongoing basis. If your institution is having difficulties, organisations such as the HE/FE PCI DSS Special Interest Group (SIG) can offer valuable guidance and support to colleges and universities striving towards adherence. When you can draw from a pool of collective wisdom, you can make sure you don’t repeat the mistakes of your peers.

At the same time, British colleges and academic institutions are in a period of deep uncertainty. The Department for Education has broadened its portfolio, and the overseeing minister is a relative unknown; budgets have been dwindling for years, and may diminish further; the looming exit from the European Union may change the makeup of student bodies and research programmes alike.

Amidst all this change, a commitment to data security should be absolute and unyielding. Teaching quality and academic standards are a vital part of the student experience, but universities and colleges also have a duty of care.

Information security is critical to the safety and welfare of your enrolees – if you can guarantee it, you can protect their interests and boost your own reputation in the process.
