• Contact Us

ICO Issues New Guidance Following School Reprimand - Is Your School in Compliance with Data Protection Law?

on Tuesday, 01 August 2023.

At the end of May 2023, the Information Commissioner's Office (ICO) issued a reprimand to a school following a data breach involving a whiteboard, and the inadvertent sharing of sensitive information whilst using it.

The ICO, in publishing its findings, provided some useful guidance for schools about some specific measures that need to be in place to ensure compliance with data protection law.

Some of the issues that the school in this case faced, related to missing guidance for staff on some key areas that assist with keeping information secure. We suggest reviewing your own policies and procedures to check that the following are covered, and review whether additional training might be required:

Sharing Sensitive Data Internally

Schools should ensure that there are clear systems in place for staff to follow when sharing sensitive information internally. This might include an email classification system, which flags to the recipient that an email might be sensitive. Staff should also understand when it is appropriate to open emails that might contain sensitive information - this might be limited to outside of the classroom, and/or when pupils are not present and may be able to see the relevant screen.

Guidance on Using Third-Party Systems

Third-party systems, such as those used to record safeguarding concerns, and technology in the classroom such as whiteboards.

Staff should understand how to use the various systems that are in place in such a way that data is safeguarded. For example, if using whiteboards, the implications of screen sharing should be explained, and guidance provided on how to do this without compromising information held on the device.

Reporting of Breaches

Staff should understand how and when to report data breaches, and near misses, and should be encouraged to do so. A clear process for reporting should be provided to staff, and regular reminders about the importance of reporting could be provided to encourage reporting.

Regular Reviews of Policies and Training

Policies and training should be reviewed and updated on a regular basis to meet the requirement of accountability. Any changes should be communicated to staff in such a way that it is clear what has changed. Records should be kept of the changes made, and how these were communicated.

Whilst compliance with data protection law can seem burdensome, one of the main purposes behind the legislation is to protect the information that organisations hold and use about people, to ensure that it is safe and respected. Regularly reviewing policies and procedures, and updating these to meet the latest guidance and requirements is key to assisting with this, and making sure that your employees understand how they can help.

For further advice on data protection law, please contact Vicki Bowles in our Data Protection team on 0117 314 5672, or complete the form below. For a free demo of our bitesize Data Protection and Information & Online Security eLearning for all school staff, contact Imogen Street.

Get in Touch

First name(*)
Please enter your first name.

Last name(*)
Invalid Input

Email address(*)
Please enter a valid email address

Please insert your telephone number.

How would you like us to contact you?

Invalid Input

How can we help you?(*)
Please limit text to alphanumeric and the following special characters: £.%,'"?!£$%^&*()_-=+:;@#`

See our privacy page to find out how we use and protect your data.

Invalid Input