Welcome to the new education sector blog series
In our first blog (sign up to the series here), we explore data breaches. We will consider why they happen, what you can do to reduce their likelihood and impact, which breaches need reporting to the supervisory authority, and what information it will need from you.
The human factor
Across all sectors and organisation sizes, simple mistakes such as emailing, posting or faxing information to the wrong people top the Information Commissioner’s Office’s (ICO’s) quarterly statistics on data security incidents. In education, losing information (either on paper or on unencrypted devices), cyber incidents and failure to redact data follow closely, with breaches in general seeing a 32% rise across the sector.
Most of these incidents could have been prevented if individuals put privacy first. Protecting data should be part of a school’s culture in much the same way as safeguarding. Data privacy needs to be on everyone’s mind, not just the focus of one individual or the data protection officer. It needs to permeate the whole organisation, and staff should be supported by policies and procedures so that they can protect the data in their care, identify a data breach and, importantly, feel confident about the process for reporting one to the appropriate person in school.
Why is this so important?
Schools hold thousands of pieces of personal and sensitive data about hundreds of, mostly vulnerable, data subjects, and a key principle of the GDPR is that you process personal data securely by means of ‘appropriate technical and organisational measures’, known as the ‘security principle’. The Regulation also requires all organisational data breaches to be recorded and serious breaches to be reported to the supervisory authority which, in the UK, is the ICO. This must happen within 72 hours of discovering the breach and, in some cases, all affected data subjects must also be informed. There are no exceptions for schools: these rules apply across weekends and during school holidays.
The ICO will ask you a set of detailed questions about any breaches reported to them. They will expect you to know why and when it happened, the categories of data breached, the number of records breached and who the data subjects are, what the impact could be on them and the measures your organisation will put in place to reduce the risk of it happening again.
Reporting serious breaches within 72 hours of discovery is only part of the picture: the longer a breach goes undiscovered, the higher the potential risk to the data subjects, and the greater the likelihood of reputational damage and higher financial costs.
Understanding what a data breach is
Before staff can report a breach to you, they must understand what one is. Typical examples that have happened in schools include the loss or theft of a school device such as a laptop, loss or theft of a personal device that has school work or information on it, a member of staff’s house being broken into, a teacher losing their markbook, pre-populated data collection sheets being given to the wrong children, unencrypted memory sticks being lost, emailing using CC instead of BCC and, of course, the very common mistake of emailing information to the wrong people. Whenever there is a chance that personal information can be or has been accessed by unauthorised people, including other staff and pupils, this constitutes a data breach.
In the next blog we will discuss situational analysis and how to assess what’s happening in school and how to support staff to protect the data in their care.
Work through these questions to think about the kinds of breaches your school has or could experience.
- List potential and actual data breaches that your school has experienced. Put them into the following categories:
  - Data posted or faxed to the incorrect recipient
  - Loss or theft of paperwork
  - Data sent by email to the incorrect recipient
  - Failure to redact data, e.g. when fulfilling a subject access request
  - Failure to use BCC when sending email
  - Cyber incident
  - Data left in an insecure location
  - Loss or theft of an unencrypted device, e.g. memory stick or laptop
  - Verbal disclosure
- Identify why they happened or could happen.
- Consider what steps the organisation can take to reduce the risk of them happening again or at all, such as staff training, updating policies or improving cyber security.
More advice about being #BreachReady
Don’t forget to follow #BreachReady across social media and protect yourself this summer… with IT Governance.