Many schools keep personal and health information about pupils in their management information or similar systems, where it can be freely seen by teachers, teaching assistants, technicians, IT support staff and anyone else who has access
One school nurse has reported the situation to the Royal College of Nursing, who said it would investigate.
The nurse, who asked not to be named, told SecEd: “Many of these systems used in schools are intended for information such as registration and pupil progress tracking. They are not meant to be used for sensitive information such as medical and health details.
“Of course, information about pupils who have allergies, asthma or are required to take medication are recorded and may been seen by anyone who needs to know. But not everyone needs to know, for example, that a girl may require emergency contraception or is pregnant, or that a male student has a sexually transmitted disease. This would be a violation of their privacy.
“But many schools are taking these risks. In some cases, nurses have drawn attention to the possible problems and security has been increased in their schools, but then headteachers have insisted they should be among those who have access to the information, and even this is not always appropriate.”
School nurses must enjoy a position of trust and confidence with pupils who may have no-one else to turn to in case of medical and health problems, the nurse added. This is compromised if other members of staff have access to sensitive information.
“Pupils need to feel they can approach and talk to a school health professional in a way they can’t speak to any other adult, if they have a particular problem,” she added.
Organisations and companies found to be violating data protection legislation could be fined by the UK Information Commissioner’s Office (ICO). Among its powers, the ICO can prosecute and issue fines of up to £500,000 and undertake proceedings that can result in prison sentences.
The nurse said the situation was a particular problem in many independent schools. However, state schools may also fall foul of the law.
David Fox, director of the IT consultancy Plasma Network, has issued warning about this issue and the dangers of data protection violation.
He said: “Sensitive information, such as medical records, especially relating to children needs to be encrypted to it doesn’t fall into the wrong hands. Schools need to be aware as this also may have clear implications on schools’ safeguarding and child protection policies.”