e-Safety risk assessment is an important part of school governance.
Schools risk assess all the time; sometimes this is a formally documented process, sometimes it is assessment through experience.
The following is taken from my latest e-safety newsletter which is written specifically for schools. You can subscribe for free HERE.
If you think about it, you are already risk assessing constantly: when you get into your car to go to work you take into account the weather, the amount of traffic on the roads, children waiting to cross the road and much more. This is assessment through experience.
You know what to do in situations such as these. But, when something happens that is unfamiliar you have to re-assess and make a decision, you have to weigh up all the factors and the unknowns.
You see blue lights coming up behind you; an emergency vehicle that needs to make progress. But you have traffic coming towards you. If you pull over can the emergency vehicle get past you? Is it better to speed up where you know there is a better passing point? By pulling over does the emergency vehicle have to slow down to get past you and negotiate the oncoming traffic?
That is a decision that only you can make, but you do it all the time.
Risk assessing something totally new is quite a different ball game. It’s a matter of guessing all the unknowns and then coming up with a plan to mitigate against the risks. If you can’t mitigate the risks, are they so low that you can accept the risk?
There are many ways to risk assess and it very much depends on what you are assessing against: is it health and safety; a school trip; the parking situation outside at end of school?
But here we’re talking about e-safety; mitigating safeguarding risks to the children and the liability of the school. What do I mean by the liability? The liability is not doing something, or doing something incorrectly, perhaps through ignorance, so that the school is then held liable.
There are four fundamental principles that you need to consider:
- The foreseeability of something happening.
- Risk assessing.
- Mitigating the risk
- Making a decision.
For the purpose of being concise, I’m going to take you through this from a pragmatic sense rather than a formal one.
THE FORESEEABILITY OF SOMETHING HAPPENING
With e-safety, foreseeability can sometimes seem like scaremongering, but it isn’t. You are considering what “could” happen, not what “will” happen. Let’s use a simple example:
A common occurrence, you are getting or have got iPads to use in your school. So, you have done your due diligence: in your strategic school plan you are going to drive various initiatives this school year to improve outcomes; a number of staff have expressed a wish to use ICT as the tool to be the initiative enabler. After a process of testing and value for money exercise you have decided iPads are the way ahead. In other words, you have decided what you want to use technology for, before picking the technology that fits the bill.
An important part of that process is the safeguarding and liability risk assessment. So having decided on iPads, before you even ask for quotes you need the assurance that any risks are sufficiently low or can be mitigated. Let’s think of some risks; don’t forget we’re considering what “could” happen, not what “will”, this is the foreseeability.
- An attractive item – risk of theft.
- You would like to use the devices for videos/images. Does your wireless network infrastructure have the capacity to handle that amount of data; do you have the broadband capacity?
Students may use the devices to
- access illegal or inappropriate material in school.
- There is no “login” on these devices, cannot filter age-appropriate material using the school/LA Internet filtering.
- Staff and students will be allowed to use the devices at home; there is a risk of illegal or inappropriate use. No Internet filter at home.
- Inappropriate or illegal material could be stored on the devices and then uploaded to school network.
- You are going to use the devices to allow social networking: blogging; Twitter. There are inherent e-safety risks, what are they?
- Chances are you have technical support in your school, whether the LA or an outsourced provider. Will they support these devices for you on your network? Will they charge extra?
There are many more, but we’re keeping things simple.
As you can see you there are lots of things to think about. The start of the process is very much about blue-sky thinking; get all the staff together and get input from everyone. Use the experience of the people you are buying the devices from; have they come across these risks? If so what was their advice to other schools?
Talk to other schools to see if they have identified more risks than you. Working collaboratively makes far more sense than trying to do it all by yourself.
So, you now have all your risks in a nice list and you need to decide whether it is a low, medium or high risk.
By far the easiest way to do this is by scoring using “likelihood” and “impact”. The other reason for doing it this way is that you have a documented process which can be reviewed and is also evidential, e.g. to Ofsted.
Essentially, likelihood is the process to determine how likely something is to happen. Impact is the impact if it actually happens. Both have a score between 1 and 3. 1 is low, 3 is high. Scores are rated as follows:
1-3 is low risk.
4-6 is medium risk.
7-9 is high risk.
So, let’s use one of the examples from above: Staff and students will be allowed to use the devices at home; there is a risk of illegal or inappropriate use. No Internet filter at home.
Let’s look at staff first. The likelihood of this happening? I would say 1. The impact would definitely be 3 if it were to happen. Therefore 1 x 3 is 3, it is low risk.
Now for the children. Likelihood could be 3 (it’s your choice), impact would definitely be 3. It is 9 – high risk. You MUST mitigate this risk otherwise you cannot deploy the devices.
MITIGATING THE RISK
So, having identified the risks and likelihood, you now need to mitigate.
For the staff, you have already decided the risk is low, but you must also consider the school liability. Therefore you decide to incorporate use of the devices within the school e-safety policy and acceptable use policy – essentially you are setting the goalposts of use – appropriate and inappropriate. Staff must sign as read and understood, any breach is a disciplinary matter.
For the students you have a high risk. You CANNOT deploy these devices until this risk is mitigated. You decide on a two-pronged approach using education and technology.
Education – you embark on a period of empowering the students (and potentially parents) with e-safety knowledge. This will include all the social networking e-safety risks you have identified.
Technology – you are going to use some behaviour management software (or app). This software will capture illegal or inappropriate behaviour that can then be used evidentially for disciplinary or police intervention. Again, this is all stated within your e-safety policy and the student acceptable use policy, which is then signed by the students and/or parents (depending on age).
MAKING A DECISION
You have now mitigated the risk to both staff and students, and you have reduced the liability to the school. Although the risk is low there is still a risk. No risk assessment will ever give you 100% assurance that nothing will happen.
You now need to decide whether you are comfortable with going ahead and purchasing the devices.
NOTE: where I have stated “you” in this post, the ultimate decision and responsibility lies with the governing body, therefore it is vital that governors are fully aware of what technology is being used in the school, what it is being used for, what the associated risks are etc.
It may seem like a lot of work, even with this small example, but you have to do it. Once it is done that isn’t the end. There are two instances when you must review: in response to an incident to ensure that your assessment is still valid (reflection); and annually as part of policy review.
I would love to know your thoughts, and don’t forget to subscribe to the school e-safety newsletter HERE