In a world where technology is constantly evolving and developing, keeping information safe is an ongoing challenge. Cyber-attacks can be very sophisticated and dangerous. They can affect anyone, from an individual's personal email account to websites belonging to large multi-nationals. As well as malicious attacks, cyber risks can materialise because computer systems have not been configured correctly or because staff have not been sufficiently trained. Schools are particularly vulnerable owing to the large amount of sensitive information that they hold.
This article explores some of the steps which schools should be taking to manage these risks. Cyber security is about protecting computer systems from unauthorised or unintended access. It is relevant to all aspects of a school's ICT infrastructure, including software, hardware, email accounts and cloud services.
The core requirements are set out in the Data Protection Act (DPA), which requires schools to put in place appropriate 'technical and organisational measures' to keep personal data safe.
The DPA is set to be replaced by the new General Data Protection Regulation (GDPR) from May 2018. This will significantly increase the regulatory burden on schools, particularly around information security. The GDPR introduces the concept of privacy by design, which involves making data protection issues an integral part of any decision-making process that involves the handling of personal data, such as when a school procures a new IT system.
The GDPR will increase the penalties for non-compliance, with the maximum fine currently £500,000 increasing to the higher of €20 million and 4% of turnover.
In addition to the requirements under data protection law, an assessment of cyber risks, and action to minimise them, is core to a school's fundamental duty to promote and safeguard the well-being and welfare of its pupils. The latest version of Keeping Children Safe in Education (KCSIE) emphasises the need for an effective approach to online safety to protect and educate the whole school community in their use of technology and establish mechanisms to identify, intervene in and escalate any incident where appropriate.
What Should Schools Be Doing?
Below are some of the issues which schools should consider when trying to identify and mitigate cyber risks.
- Assess the threats - the best way to work out how to protect information is to first understand what information you hold and what the main risks are. Carrying out risk assessments is a good starting point. You should look at all processes that involve personal data, consider how sensitive the personal data is and what measures you have in place to keep it secure.
- Technical security - Schools should ensure that they have technical measures in place to secure their systems. This should cover everything from encryption, using firewalls and anti-malware, to carrying out penetration testing on the school's network. As lawyers we cannot advise on what schools need to do from a technical perspective, but there are a number of resources available to assist, such as the Government's Cyber Essentials Scheme.
- Policies, procedures and training - Having comprehensive but easy-to-read policies around information security is key to helping staff understand their responsibilities and to demonstrating compliance with the DPA. The policies should include practical examples and tips to avoid common mistakes, for example, when to use encryption, what to do when working from home, and reminding staff to always lock computer screens. Written policies and procedures should be backed up with appropriate training and awareness.
- Home working and working 'on the go' - Schools should ensure that staff are given the tools they need when working away from the school. For example, consider providing remote access for staff. In addition, if staff are permitted to use their own handheld devices for school work, then consider using mobile device management (MDM). MDM should help protect anything school related (for example, by encrypting it or giving the school the ability to remotely wipe the device if it is stolen).
- Information management systems - School information management systems are becoming increasingly sophisticated in terms of allowing information to be shared amongst staff and with pupils. Schools should therefore check that their systems are robust from an information security perspective and that they have been configured correctly. We have seen numerous cases of staff inadvertently sharing confidential information with pupils, for example by not setting access permissions correctly.
For further information, please contact Andrew Gallie in our Data Protection team on 0117 314 5623.