Recently we supported a school to deal with an issue involving a stolen laptop. During the investigation we found that the member of staff had information from two previous schools including some personal and sensitive information. The ICO have highlighted the issue of the transfer of this kind of data between organisations. In their blog they described a case they prosecuted on involving a person who had worked for an employment agency and emailed the contact details of over 100 clients to her personal email address and used the information to contact them in her position at a rival recruitment company.
As schools, we have a duty to keep our data safe and this includes ensuring that data isn’t removed from site either inappropriately protected or that the person who removes it has the right to do so. In the case of a member of staff moving on to another school or going elsewhere, they no longer need information on the students, staff or parents in your school nor as we can see from the blog article, any legal right to it.
As part of any schools exit procedures, they should ensure that all personal and sensitive data is returned and deleted from any device owned by the teacher or support staff. Although the member of staff is unlikely to use the data in any form of commercial activity, they shouldn’t remove it and as a school we must ensure that this doesn’t happen.
To read more on this story, follow this link.