Now is the time to check the robustness of your security measures.
Do staff check their work emails on their mobile or use their own computer to work at home? This is commonly known as 'Bring Your Own Device' (BYOD) and the National Cyber Security Centre has recently updated its guidance on BYOD owing to the high risks associated with staff using their own devices for work.
The updated guidance contains practical advice primarily on the technical measures that your school should have in place. These are likely to be the responsibility of your school's IT team, who should work with your data protection lead. Schools must also adopt organisational measures (e.g. training and guidance for staff) to be UK GDPR compliant in this area.
Another area where a rush to implement new systems might have led to vulnerabilities is the use of processors - service providers that process personal data on your school's behalf. Processors include payroll providers, cloud storage providers and video call providers. Your school must only use processors providing sufficient guarantees that they comply with the UK GDPR. This means that before using a processor you must check its UK GDPR compliance, which includes the information security measures it has in place. In addition, certain mandatory provisions must be included in your contract with the processor. This is important because if you haven't taken these steps and your processor breaches the UK GDPR, then your school might be held responsible.
Without adequate protection your school is more vulnerable to a cyber-attack which could result in a costly data breach. Phishing emails and texts which try to trick people into providing information, or clicking on a link, are becoming increasingly sophisticated.
All staff (including governors) should receive data protection training that includes how to recognise phishing and other information security threats. Many schools have charitable status, and during Charity Fraud Awareness Week the Charity Commission warned charities about the risks posed by cyber-crime. Schools with charitable status should also remember that a data breach might trigger the requirement to make a Serious Incident Report to the Charity Commission.
One of the most common types of data breach is sending an email to multiple recipients and not hiding the email addresses. HIV Scotland were recently fined £10,000 by the Information Commissioner's Office for this. This is a reminder to schools to review their bulk email procedures to ensure that personal data is adequately protected. Relying on staff to remember to use 'bcc' has its risks and therefore your school should consider alternatives which protect against human error.
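One way to take the 'remember to use bcc' step out of staff hands is to have the mail tooling itself refuse a draft that exposes more than one recipient and expand it into individually addressed copies. The following is an added example, not code from the original article; the one-visible-recipient limit, the header names copied, and the sample parent addresses are all assumptions constructed for illustration.

```python
"""Guard against exposing recipient addresses in bulk school mailings.

Added example. Instead of relying on a person to choose 'Bcc', the sending
code checks the visible headers and, for a bulk mailing, produces one
message per recipient so no recipient ever sees another's address.
"""
from email.message import EmailMessage
from email.utils import getaddresses

MAX_VISIBLE_RECIPIENTS = 1  # assumption: at most one address in To/Cc per message


def visible_recipients(msg: EmailMessage) -> list[str]:
    """Addresses every recipient would see: To and Cc, never Bcc."""
    raw = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr.lower() for _, addr in getaddresses(raw) if addr]


def exposes_recipients(msg: EmailMessage) -> bool:
    """True if sending msg as-is would disclose other recipients' addresses."""
    return len(visible_recipients(msg)) > MAX_VISIBLE_RECIPIENTS


def split_for_bulk_send(msg: EmailMessage, recipients: list[str]) -> list[EmailMessage]:
    """Expand one draft into per-recipient copies, each addressed only to itself."""
    copies = []
    for rcpt in recipients:
        copy = EmailMessage()
        for name, value in msg.items():
            # Drop all addressing and MIME headers; set_content rebuilds the MIME ones.
            low = name.lower()
            if low in ("to", "cc", "bcc", "mime-version") or low.startswith("content-"):
                continue
            copy[name] = value
        copy["To"] = rcpt
        copy.set_content(msg.get_content())
        copies.append(copy)
    return copies


def build_constructed_draft() -> EmailMessage:
    """A constructed draft that puts every parent in the visible To header (the breach pattern)."""
    draft = EmailMessage()
    draft["From"] = "office@example-school.invalid"  # constructed sample address
    draft["Subject"] = "Term dates"
    draft["To"] = "parent1@example.invalid, parent2@example.invalid"  # constructed
    draft.set_content("Dear parent, please find the term dates attached.")
    return draft


if __name__ == "__main__":
    draft = build_constructed_draft()
    if exposes_recipients(draft):
        for copy in split_for_bulk_send(draft, visible_recipients(draft)):
            print("would send to:", copy["To"], "| exposes others:", exposes_recipients(copy))
```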