In our first #BreachReady blog for schools series, we asked you to consider the types of breaches your school has experienced, what caused them, and steps your school can take to prevent them from happening again.
In this blog, we’ll consider situational analysis: how to assess what’s happening in the school and how to support staff to protect the data in their care.
Situational analysis – understand what’s happening now
There are several ways to reduce the likelihood and severity of data breaches. Whilst updating policies and procedures is crucial, the human factor, meaning how staff are actually accessing, sharing and protecting information, should not be overlooked.
- Understand what’s happening on the ground: conduct a data walk
Taking a walk around the school helps identify what’s really happening with data and how it is (or isn’t) protected. This can be done with your DPO (data protection officer). Are office doors locked? Is data visible in the reception area? Who has access to the staffroom? Do staff leave computers logged on? Are drawers full of memory sticks? These are just some things to look out for. Use the initial walk round to create a checklist for future reviews.
- Review the email culture
Besides the risks of emailing personal data to unintended recipients, regularly sharing and emailing data to multiple people can also lead to issues around data retention and make it harder to locate all the data if there is a subject access request. Introducing alternative ways to share information about pupils, such as via the MIS (management information system), helps reduce the number of emails sent. Introducing a retention policy where emails are automatically deleted after a specific length of time would also help reduce the amount of data floating around. Training staff in the use of Bcc (blind carbon copy) and Cc (carbon copy) when emailing should not be overlooked, as the ICO’s (Information Commissioner’s Office) incident trends show that misuse of these fields is the fifth most common breach reported.
- Introduce device encryption
Encrypting devices such as laptops, tablets, mobile phones and memory sticks protects the data they hold if they are lost or stolen. If staff use their own devices for school work, these should be covered by the encryption policy, and you should also update the BYOD (bring your own device) policy. Alternatively, you could stop staff and pupils from using external devices by blocking USB drives.
- Protect staff working away from school
There are several ways to help protect staff when working away from school, as they may be completely unaware of the risks of using café Wi-Fi or sharing home devices with family members. Introducing secure ways to access the school network, e.g. through Cloud services like Office 365 or Google Drive, will limit the amount of information downloaded onto external devices and the number of emails sent to personal addresses. Introduce or update the working from home policy, alongside training covering the risks associated with using public Wi-Fi, using shared home devices, downloading information onto non-school and/or unencrypted devices, and even discussing pupils or staff in public areas.
- Review cyber security
Cyber security doesn’t need to be expensive or complicated – achieving certification to the UK government’s Cyber Essentials schemes starts at only £300 and should protect organisations from 80% of cyber threats. Training also teaches staff to identify common threats such as phishing emails.
- Instil a culture of openness and honesty
As well as knowing what to do if they discover a breach, staff must also feel confident to report one in the first place. It’s important they understand the consequences of not reporting a breach as soon as they become aware of it, as well as the breach reporting process.
In the next blog, we’ll look into what a data breach actually is and when the supervisory authority and/or data subjects need to be notified.
Think about the activities discussed in this blog and develop an action plan of priorities for your school.
If you haven’t already, develop an internal breach reporting process. Also consider how to best share this with staff, pupils and parents.