When are schools required to report personal data breaches?

Under the GDPR (General Data Protection Regulation), all personal data breaches must be recorded by the organisation and there should be a clear and defined process for doing so.

Additionally, there are circumstances in which schools must report breaches to the ICO (Information Commissioner’s Office) within 72 hours of their discovery.

In this blog, we take a look at the scenarios in which data protection breaches in schools must be reported.

What constitutes a personal data breach

The ICO defines a personal data breach as any event that results in

the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.

Examples of personal data breaches in schools include:

  • An unauthorised person accessing the data: this will be the case when a pupil, unauthorised staff member or criminal hacker views or possesses sensitive information.
  • Deliberate or accidental action (or inaction) by the school or one of the processors: an example would be sending old PCs, laptops or filing cabinets to be destroyed without first removing the data held on them.
  • Sending personal data to the wrong person: this includes any message sent by email, post or fax. It’s most likely to occur when completed data collection sheets are sent to the wrong parents.
  • Alteration of personal data without permission: for example, someone accessing the school’s payroll system and changing staff pay grades.
  • Loss of availability of personal data: this might happen when networks or systems are forced offline, either due to a technical error or in a cyber attack.

When must breaches be reported?

Data breaches must be reported to the ICO when they risk the rights and freedoms of natural persons.

The GDPR states that this refers to anything that could lead to physical, material or non-material damage to an individual. This will be the case when the breach has the potential to cause one of the following:

  • Discrimination, including bullying

This occurs, for example, when a pupil’s special needs information, staff and pupil health records, child protection records, staff pay scale and payroll information or pupil progress and attainment records are compromised.

  • Identity theft or fraud

This will be the case when the school breaches names, dates of birth and addresses (when breached together) or completed pupil data collection sheets.

  • Financial loss

This typically occurs when banking information from payroll data is breached, or unauthorised personnel access school parent payment software, billing information or bank accounts.

  • Reputational damage

This will be the case when staff performance management records, pupil behaviour records or child protection records are compromised.

  • Loss of confidentiality of personal data protected by professional secrecy

This will be the case when staff performance management records or child protection records are compromised.

Schools must also report data breaches when sensitive personal data is compromised.

Sensitive personal data is a specific set of “special categories” that must be treated with extra security.

It covers information related to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, health data, sexual orientation life and criminal convictions and offences or related security measures.

These types of details are likely to exacerbate any discrimination, so organisations are expected to take extra precautions to protect them – and to treat breaches of such information more seriously.

Sensitive data is held in many places across the school, including the school’s management information system (such as SIMS, iSAMs or Progresso), staff and pupil recruitment forms, data collection sheets, minutes from trade union meetings, medical records and DBS (disclosure barring service) paperwork.

How to avoid data breaches

The large volume of staff and students, all of whom will have detailed records, makes the education sector an attractive target for cyber criminals and increases the possibility of an accidental breach.

Moreover, many schools have tight budgets and therefore can’t commit to data protection in the way that other organisations might.

But with the help of our sister company GDPR.co.uk, effective security is a lot more affordable than you might think.

GDPR.co.uk specialises in data protection solutions for schools, and with more than 15 years’ data privacy and cyber security expertise, their team can help you streamline essential compliance practices quickly and effectively.

Find out more