A lot of incidents appear to stem from the measures that were put in place when COVID first hit. Even though pupils and staff have returned to the classroom, many of the new technologies and ways of working implemented at the start of the first lockdown remain. Problems include, for example, staff accidentally sharing a confidential email by forgetting to close down Outlook prior to screensharing during a lesson, and failing to set permissions correctly when using new software which meant pupils could access information meant only for staff.
Schools should ensure they are satisfied that the platforms are configured correctly and that staff are given appropriate training on how to use new platforms.
Information security continues to be the area of greatest risk in terms of data protection compliance, and it remains the case that the majority of ICO fines for data protection breaches result from security incidents. Schools must ensure that they put in place technical and organisational measures to safeguard personal data.
The recent ICO fine given to a Scottish HIV charity is an illustration of how things can go wrong and also the ICO's expectations around what organisations must do in practice to safeguard personal data.
The charity sent an email to a number of individuals, but their email addresses were visible to all recipients because they were mistakenly put into the CC field when the sender had intended to use BCC. The ICO concluded that it could be inferred that the individuals were HIV positive or at risk of contracting the virus, and treated this as a significant aggravating factor.
The charity was aware of data protection compliance (for example, it provided annual training), but the ICO still had a number of concerns:
This case illustrates that if a breach is considered to be serious enough then the ICO will closely scrutinise the measures that were in place prior to the incident and will, for example, carefully assess the effectiveness of any training and policies that were in place.
Pitfalls of using BCC: The ICO's decision confirms (as if such confirmation were needed) that relying on BCC to send bulk emails is insufficient for data protection compliance. The risk of someone making a mistake (as happened here) is too great. Instead, software should be used that sends emails to multiple recipients in a secure way, that is, as a separate message to each recipient. Most school information management systems come with this functionality, so this should be straightforward for schools to implement where it is not already in place.
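The following is an added example, not code from the article or from any school management system, showing what "sending to multiple recipients in a secure way" looks like in practice: one individually addressed message per recipient, plus a pre-send guard that refuses any message whose To or Cc headers would expose more than one address. The sender address, subject, recipient list and the `transport` callable are constructed placeholders; in real use `transport` would be something like `smtplib.SMTP.send_message`.

```python
"""Per-recipient email construction as the safer alternative to a CC/BCC bulk send.

Added example (not the article's code). All addresses below are constructed
placeholders; nothing is sent anywhere unless a real transport is supplied.
"""
from email.message import EmailMessage
from email.utils import getaddresses

# At most one address may be visible to the recipient of any outgoing message.
MAX_VISIBLE_RECIPIENTS = 1


class RecipientExposureError(ValueError):
    """Raised when a message would reveal recipients' addresses to each other."""


def visible_recipients(msg):
    """Return every address that all recipients of `msg` would be able to see.

    Bcc is deliberately excluded: it is not delivered to recipients. Only To
    and Cc headers expose addresses, which is exactly the CC-instead-of-BCC
    failure mode the article describes.
    """
    headers = list(msg.get_all("To", [])) + list(msg.get_all("Cc", []))
    return [addr for _, addr in getaddresses(headers) if addr]


def is_safe_to_send(msg):
    """True if the message exposes no more than MAX_VISIBLE_RECIPIENTS addresses."""
    return len(visible_recipients(msg)) <= MAX_VISIBLE_RECIPIENTS


def check_no_bulk_exposure(msg):
    """Hard guard used at the send boundary; raises instead of sending."""
    seen = visible_recipients(msg)
    if len(seen) > MAX_VISIBLE_RECIPIENTS:
        raise RecipientExposureError(
            f"{len(seen)} addresses visible in To/Cc; send one message per recipient"
        )
    return True


def build_individual_messages(sender, subject, body, recipients):
    """Build one EmailMessage per recipient, with that recipient alone in To."""
    messages = []
    for addr in dict.fromkeys(recipients):  # de-duplicate while keeping order
        msg = EmailMessage()
        msg["From"] = sender
        msg["To"] = addr
        msg["Subject"] = subject
        msg.set_content(body)
        check_no_bulk_exposure(msg)  # each message carries exactly one address
        messages.append(msg)
    return messages


def bulk_cc_message(sender, subject, body, recipients):
    """The mistake from the ICO case: every recipient listed in Cc of one message.

    Provided only so the guard can be demonstrated rejecting it.
    """
    msg = EmailMessage()
    msg["From"] = sender
    msg["Cc"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def send_all(messages, transport):
    """Hand each message to `transport` after re-checking it; returns the count sent.

    `transport` is caller-supplied (hypothetical here), e.g. an smtplib
    send_message bound method, or `outbox.append` for an offline dry run.
    """
    sent = 0
    for msg in messages:
        check_no_bulk_exposure(msg)  # guard again right before anything leaves
        transport(msg)
        sent += 1
    return sent


# Constructed sample recipient list (placeholder addresses).
SAMPLE_RECIPIENTS = [
    "parent.one@example.invalid",
    "parent.two@example.invalid",
    "parent.one@example.invalid",   # duplicate, dropped by build_individual_messages
    "parent.three@example.invalid",
]

if __name__ == "__main__":
    outbox = []
    msgs = build_individual_messages(
        "office@school.example.invalid", "Term dates", "Please see attached.", SAMPLE_RECIPIENTS
    )
    print("sent", send_all(msgs, outbox.append), "individual messages")
    try:
        send_all([bulk_cc_message("office@school.example.invalid", "Term dates",
                                  "Please see attached.", SAMPLE_RECIPIENTS)], outbox.append)
    except RecipientExposureError as exc:
        print("blocked:", exc)
```

The guard is applied twice on purpose: once when messages are built and again at the send boundary, so a message assembled elsewhere (for example by a mail client with the Cc field filled in by mistake) is still stopped before it leaves. A dry run with `transport=outbox.append` lets staff or IT verify the behaviour without a mail server.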