
Data Breaches - What Can Schools Do to Minimise the Risk?

on Friday, 25 February 2022.

We are seeing more schools get in touch because they are concerned that they have suffered a data breach.

A lot of incidents appear to stem from the measures that were put in place when Covid first hit. Even though pupils and staff have returned to the classroom, many of the new technologies and ways of working implemented at the start of the first lockdown remain. Problems include, for example, staff accidentally sharing a confidential email by forgetting to close down Outlook prior to screensharing during a lesson, and failing to set permissions correctly when using new software which meant pupils could access information meant only for staff.

Schools should ensure they are satisfied that the platforms are configured correctly and that staff are given appropriate training on how to use new platforms.

Information security continues to be the area of greatest risk in terms of data protection compliance and it remains the case that the majority of ICO fines for data protection breaches are as a result of security incidents. Schools must ensure that they put in place technical and organisational measures to safeguard personal data.

An Example of How Things Can Go Wrong

The recent ICO fine given to a Scottish HIV charity is a useful illustration of how things can go wrong and also the ICO's expectations around what organisations must do in practice to safeguard personal data.

The charity sent an email to a number of individuals, but their email addresses were visible to all recipients because they were mistakenly put into the CC field when the sender had intended to use BCC. The ICO concluded that it could be inferred that the individuals were HIV positive or at risk of contracting the virus, and this was a significant aggravating factor.

The charity had an awareness of data protection compliance (for example, by providing annual training), but the ICO still had a number of concerns: 

  • Although staff were directed to read the charity's public facing privacy notice, there was no dedicated policy covering the handling of personal data by staff.
  • Whilst staff were expected to complete a data protection training module, it appeared that new staff were allowed to handle personal data prior to completing their data protection training.
  • The charity was already in the process of implementing a secure way of sending bulk emails which would have negated the need to use BCC. Because the new method was not yet in place, the ICO saw this as an aggravating factor: the charity was aware that BCC was not secure but had decided to continue to use it in the short term.

This case illustrates that if a breach is considered to be serious enough then the ICO will closely scrutinise the measures that were in place prior to the incident and will, for example, carefully assess the effectiveness of any training and policies that were in place.


3 Things Schools Should Be Doing

  • Policies
    Make sure that your data protection policies provide meaningful and relevant guidance for staff.
  • Training
    By the same token, you should check that the training you are giving to staff is sufficient and that new staff have had the training before they are allowed access to personal data.
  • Pitfalls of Using BCC
    The ICO's decision confirms (as if such confirmation was needed) that relying on BCC to send bulk emails is insufficient for data protection compliance. The risk of someone making a mistake (as happened here) is too great. Instead, software should be used that allows emails to be sent to multiple recipients in a secure way. Most school information management systems come with this functionality, so hopefully this should be easy for schools to implement where it is not already in place.
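To make the BCC point concrete, the following added example (not code from the original article or from any product it mentions) shows the two controls a secure bulk-mailing tool applies: it builds one message per recipient so that no recipient list is ever placed in a header, and it runs a pre-send guard that rejects any draft listing more than one visible address. The sender and recipient addresses, the policy threshold and the "mistaken draft" are all constructed for illustration.

```python
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed policy for this example: a draft may reveal at most one
# address in the headers every recipient can see (To and Cc).
MAX_VISIBLE_RECIPIENTS = 1

class RecipientExposureError(ValueError):
    """Raised when a draft would disclose other recipients' addresses."""

def visible_recipients(msg: EmailMessage) -> list[str]:
    """Return every address that all recipients would see (To and Cc)."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr for _, addr in getaddresses(headers)]


def check_draft(msg: EmailMessage) -> None:
    """Pre-send guard: refuse a draft that lists more than one visible
    recipient, which is exactly the CC-instead-of-BCC mistake."""
    seen = visible_recipients(msg)
    if len(seen) > MAX_VISIBLE_RECIPIENTS:
        raise RecipientExposureError(
            f"{len(seen)} addresses visible to every recipient: {seen}")


def build_individual_messages(sender: str, recipients: list[str],
                              subject: str, body: str) -> list[EmailMessage]:
    """One message per recipient instead of one bulk message: no To/Cc/Bcc
    list exists to get wrong, so nobody learns who else was mailed."""
    messages = []
    for addr in recipients:
        msg = EmailMessage()
        msg["From"] = sender
        msg["To"] = addr          # exactly one visible recipient
        msg["Subject"] = subject
        msg.set_content(body)
        check_draft(msg)          # defence in depth; never raises here
        messages.append(msg)
    return messages


def mistaken_cc_draft(sender: str, recipients: list[str]) -> EmailMessage:
    """Constructed reproduction of the error: the whole list pasted into Cc."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["Cc"] = ", ".join(recipients)
    msg["Subject"] = "Service update"
    msg.set_content("Constructed body text.")
    return msg
```

The messages returned by `build_individual_messages` would then be handed to the school's mail relay one at a time; `check_draft` can also be wired into any existing send path as a last line of defence.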

If you have suffered a data breach, or want to reduce the risk of one, please contact Andrew Gallie in our Data Protection team on 07467 220831, or complete the form below.

Sold by our subsidiary, VWV Plus, our Data Protection and Information Security eLearning course was designed to help schools minimise the risks by teaching staff how to easily spot a data breach or cyber threat. Find out more or book a free demo.
