Password Protection & Common Breach Errors – SchoolPro TLC Monthly Newsletter – Issue 15 – November ’20

There is supposedly a traditional Chinese curse that states: “May you live in interesting times”. Whilst it is highly likely that this phrase is not of Chinese origin, it is becoming abundantly clear that we are living in interesting times right now and that, regardless of its origin, it could be seen as a particularly powerful curse! Still, we are here to help you navigate the interesting times we live in and have some helpful information contained within this month’s newsletter. And if there is anything else that you need support with at this time, please ask and we will do whatever we can within our capacity to provide that support.

The main update this month is regarding password protection and how you can provide the best security for staff working in school and at home. There is also:

  • a reminder about common breach errors and the ways to mitigate their risk;
  • our budget saving referral discount for 2021-22;
  • a reminder of our new confidential waste disposal service;
  • an apology for the issues experienced over half term with our website and online training platform; and
  • a previously asked question about retaining emails as a school.

If you have any further questions about the topics below, or if you would like to book your next visit from us, either online using video conferencing or onsite once schools are accepting visitors, please get in touch via GDPR@schoolpro.uk.

Stay safe and healthy!

Password Protection

We talk about passwords in our Data Protection training. We all use passwords for a variety of systems in our day-to-day lives. Some of us have pretty good password security, but there are still plenty of us who don’t. Recently, a password-cracking computer set a record by guessing 100 billion passwords a second, which makes even supposedly ‘secure’ passwords more vulnerable. So what should we be doing to keep ourselves and our organisations safe?

Longer passwords with combinations of letters, numbers and symbols are best, and are even better if they don’t feature words!

Hackers have access to social media and other tools, so avoid using important dates, names of pets or other personal information in your passwords. They are easy to guess, especially if you’ve been filling in quizzes on social media that share all of your personal information.

One of the most common pieces of advice about passwords is to not reuse passwords for more than one account. This can pose a problem when you have tens of different accounts, all with strong passwords. The answer? Password managers! These are either built into your web browser or are standalone software applications that store passwords and link them to specific accounts for you. They can also help protect you from phishing attacks, because a password manager will only fill in a password on the site it was saved for.

Make sure that you have changed the default passwords on internet-enabled devices, including your home internet router. This makes it harder for hackers to access, for example, your home network.

Wherever possible, use multi-factor or two-factor authentication (sometimes shortened to MFA or 2FA). This gives you a second code, sent to a mobile phone or generated by an authenticator app, which is used along with your password. If your password is compromised, the hackers shouldn’t be able to access the account without the second part of the authentication. The second factor can even be a biometric such as a fingerprint. Biometrics are likely to increase in use in the future and are likely to replace passwords altogether.

You can check if your accounts or passwords have been compromised in known data breaches by using sites such as Have I Been Pwned – https://haveibeenpwned.com/. If you have a password that appears on the site, change it!
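The following added example (not SchoolPro or ReformIT code) turns the advice in this section into checks a school could run on a candidate password: the length and character-mix rules, a dictionary-word check, a personal-details check, and a lookup against Have I Been Pwned’s Pwned Passwords range API. That API is real and works by k-anonymity: only the first five hex characters of the password’s SHA-1 are sent, and the response lists matching hash suffixes with breach counts, so the password itself never leaves the machine. The 12-character threshold, the tiny word list, the personal details and the sample API response body are all constructed for the example.

```python
"""Password hygiene checks: local heuristics plus a k-anonymity lookup
against Have I Been Pwned's Pwned Passwords range API.  Added example, not
SchoolPro or ReformIT code.  The range API
(https://api.pwnedpasswords.com/range/<5-char SHA-1 prefix>) returns lines
of "<35-char suffix>:<count>".  The word list, the 12-character minimum and
SAMPLE_RANGE_BODY are constructed for this example.
"""
import hashlib
import re
import urllib.request

# Constructed stand-in for a real common-password / dictionary word list.
COMMON_WORDS = {"password", "school", "teacher", "welcome", "summer", "letmein"}

# Constructed range-API body: an unrelated suffix plus the suffix of
# SHA-1("password").  The count is made up; the live figure is far larger.
SAMPLE_RANGE_BODY = (
    "0018A45C4D1DEF81644B54AB7F969B88D65:1\r\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
)


def hash_parts(password: str) -> tuple:
    """Split the upper-case SHA-1 hex digest into the 5-char prefix that is
    sent to HIBP and the 35-char suffix that stays on this machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range_body(body: str, suffix: str) -> int:
    """Parse "SUFFIX:COUNT" lines; return the breach count for `suffix`,
    or 0 when the password is not in the data set."""
    for line in body.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate.upper() == suffix:
            return int(count)
    return 0


def pwned_count(password: str, timeout: float = 5.0) -> int:
    """Live lookup (needs network).  Only the hash prefix is transmitted."""
    prefix, suffix = hash_parts(password)
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "password-hygiene-example"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return count_in_range_body(resp.read().decode("utf-8"), suffix)


def weaknesses(password: str, personal_details=()) -> list:
    """Return the newsletter rules the password breaks (empty list = passes).
    `personal_details` are things findable on social media (pet names, birth
    years, ...) that the user supplies for the check."""
    problems = []
    if len(password) < 12:                       # assumed minimum length
        problems.append("shorter than 12 characters")
    classes = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")
    if sum(1 for c in classes if re.search(c, password)) < 3:
        problems.append("uses fewer than three of lower/upper/digit/symbol")
    lowered = password.lower()
    words = sorted(w for w in COMMON_WORDS if w in lowered)
    if words:
        problems.append("contains dictionary word(s): " + ", ".join(words))
    found = [d for d in personal_details if d.lower() in lowered]
    if found:
        problems.append("contains personal detail(s): " + ", ".join(found))
    return problems


if __name__ == "__main__":
    print(weaknesses("Summer2020!", ["Rex", "1984"]))
    prefix, suffix = hash_parts("password")
    print(prefix, "-> seen", count_in_range_body(SAMPLE_RANGE_BODY, suffix), "times")
```

`pwned_count` is the only function that touches the network; everything else, including the parser it relies on, runs offline against the constructed body, which is how a practitioner would unit-test the check before pointing it at the live service.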

For more information and the source of some of the material in this article, go to the following article by ReformIT – Password Security and The Road Ahead.

Common Breach Errors & What To Do About Them

We have discussed these errors in the past, but they are still the most common breach errors we see. The majority of the breaches that we deal with involve the misuse of IT systems, including emailing sensitive data to an incorrect recipient, sharing the email addresses of recipients inappropriately, or sharing images without consent. Many of these breaches can be avoided by following a few simple tips, which we’ve added to since we last published them back in March:

If you have to send personal data electronically, wherever possible, don’t use unencrypted or insecure email. Tools like Egress are designed for sending information securely. Similarly, uploading a document to a secure shared area and notifying the recipient that it is there is a better solution than sending it by email.

If you are sharing data within your organisation, it is better practice to save documents to shared drives (whether on internal servers or in the cloud) and notify colleagues that the document is there, rather than emailing documents between you. That way, everyone is working from the most up-to-date version of the document and it is unlikely to be accidentally sent outside of your organisation by an email address being input incorrectly.

If you have no other alternatives to sending a document by email, ensure that it is password protected before it is sent. Then, send the password by a different medium – for example, by phone. If the email ends up with an incorrect recipient by mistake, they won’t be able to open the attachment. You will also identify quickly if your intended recipient hasn’t received the email when you contact them with the password.

If staff are sending emails to each other containing personal data (which we don’t recommend), ensure that they are double-checking email addresses or mailing lists before hitting ‘Send’. Similarly, ensure that photo consents are double-checked before posting photos or videos to websites, newsletters and social media.

As with the previous point, if staff have to email data to each other, ensure that email address auto-complete suggestions are switched off, so that staff in a rush don’t click on the first address that appears in the ‘To’ field without properly checking it.

If you have a blank form that you send out to people, save it as a Word Template. This means that the recipient MUST save it as a separate file before they send it back. This reduces the risk of you sending out a ‘blank’ form later on which accidentally has a previous person’s information still completed.

This is referred to in our FOI Request guidance as well. Metadata on a file can reveal personal information such as the original author of the document, so remove it before a document is shared. This can be done by following the steps found here.
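As an added illustration of the metadata point above (not SchoolPro code, and not the click-through steps the guidance links to), the script below reads and then clears the author fields in a Word document before it is sent out. It relies only on the Office Open XML packaging convention that a .docx (or .xlsx/.pptx) is a zip archive whose `docProps/core.xml` part holds fields such as `dc:creator` and `cp:lastModifiedBy`. The sample document is constructed in memory so the script runs offline; the set of fields it clears is this example’s choice.

```python
"""Inspect and clear author metadata in an Office Open XML package before it
is shared.  Added example; not SchoolPro code.  Assumes only that the file
is a zip archive with a docProps/core.xml part (standard OOXML).  The sample
document, author name and title are constructed for the example.
"""
import io
import xml.etree.ElementTree as ET
import zipfile

CORE_PART = "docProps/core.xml"
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)  # keep the usual prefixes on output

# Fields that normally name a person; emptied before the file leaves the school
# (this example's choice of fields).
PERSONAL_FIELDS = ("dc:creator", "cp:lastModifiedBy", "dc:description")


def build_sample_docx(author: str) -> bytes:
    """Constructed minimal .docx: placeholder parts plus a core.xml that
    names `author`.  Only the metadata matters for this example."""
    core = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}" '
        f'xmlns:dcterms="{NS["dcterms"]}" xmlns:xsi="{NS["xsi"]}">'
        "<dc:title>Medical consent form</dc:title>"
        f"<dc:creator>{author}</dc:creator>"
        f"<cp:lastModifiedBy>{author}</cp:lastModifiedBy>"
        '<dcterms:created xsi:type="dcterms:W3CDTF">2020-11-02T09:00:00Z'
        "</dcterms:created></cp:coreProperties>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")   # placeholder part
        zf.writestr("word/document.xml", "<document/>")  # placeholder part
        zf.writestr(CORE_PART, core)
    return buf.getvalue()


def read_core_properties(data: bytes) -> dict:
    """Return {"prefix:local": text} for every element of docProps/core.xml,
    or {} if the package has no core part."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        if CORE_PART not in zf.namelist():
            return {}
        root = ET.fromstring(zf.read(CORE_PART))
    by_uri = {uri: prefix for prefix, uri in NS.items()}
    props = {}
    for el in root:
        uri, _, local = el.tag[1:].partition("}")   # tag is "{uri}local"
        props[f"{by_uri.get(uri, uri)}:{local}"] = el.text or ""
    return props


def scrub_core_properties(data: bytes, fields=PERSONAL_FIELDS) -> bytes:
    """Return a copy of the package with the named core fields emptied.
    Every other zip entry is copied through unchanged."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for item in src.infolist():
            payload = src.read(item.filename)
            if item.filename == CORE_PART:
                root = ET.fromstring(payload)
                for qname in fields:
                    prefix, local = qname.split(":")
                    for el in root.findall(f"{{{NS[prefix]}}}{local}"):
                        el.text = ""
                payload = ET.tostring(root, encoding="UTF-8", xml_declaration=True)
            dst.writestr(item, payload)
    return out.getvalue()


if __name__ == "__main__":
    original = build_sample_docx("Jane Bloggs")
    print("before:", read_core_properties(original))
    print("after: ", read_core_properties(scrub_core_properties(original)))
```

Core properties are the usual place a name leaks, but not the only one: `docProps/app.xml`, comments and tracked changes can also carry names, which is why the guidance’s own steps (Word’s Document Inspector) remain the thorough route; this script is useful as a quick check of what a file says about its author before it is attached or uploaded.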

Budget Saving Referral Discount for 2021-22

We recently emailed you about our budget saving triple referral discount deal because we know that budgets are tight.

We are offering you a triple referral discount for any new school that you refer to us and signs up to our DPO service between now and Christmas 2020. Our usual referral discount is 10% per school referred so this would mean you would get a discount of 30% off your school’s* subscription for 2021.

If you were to refer 3 schools to us by Christmas who all signed up to our DPO service, you would receive 90% off your school’s* subscription fee for 2021! Refer 4 or more schools and it will be free*!

Please note – maximum referral discount is 100% which would apply if 4 or more schools were successfully referred.* Referral discount applies to annual fee for 2021-22 only.*

*Please note – the referral discount applies differently to MATS.
To discuss how this would apply to your MAT, please contact your DPO directly.

Confidential Waste Disposal Service

We would like to take the chance to remind you of our discounted secure confidential waste disposal service that we recently launched. This will have the added bonus of being fully documented and compliance checked by us as your Data Protection Officer.

Click on the button below and complete our short 30-second survey to register your interest and request a quote:

Previously Asked Question

We are asked data protection questions by schools on a daily basis and there are some questions that come up regularly. We are looking at how we can create an FAQ section either on the website or in the portal for these. In the meantime, here is one of the questions we’ve been asked recently and the answer we have provided. We will publish more in future newsletters:

There isn’t anything specifically in the GDPR or DPA 2018 that states how long you should or shouldn’t keep email. We recommend that schools keep emails for the shortest amount of time that is practical and delete them as soon as possible. It might be that some emails need to be kept for the record, but they could be copied to a pupil or personnel file. The rest could then be deleted. The length of time is ultimately up to the school.

The guidance from the IRMS toolkit (Information and Records Management Toolkit for Schools Version 6.0) states the following:

How long do we keep e-mails?

E-mail is a communications tool, and e-mail applications are not designed for keeping e-mail as a record. E-mail that needs to be kept should be identified by content, for example:

  • Does it form part of a pupil record?
  • Is it part of a contract?
  • Does it relate to an employee?

The retention for keeping these e-mails will then correspond with the types of records found in the Retention Schedule for schools below. These e-mails may need to be saved into an appropriate electronic filing system or printed out and placed on paper files. Similarly, information contained within these e-mails should be recorded in the appropriate place (e.g. the MIS or behaviour management system). Once this is done the original could be deleted.

Consider implementing an electronic rule whereby e-mails in inboxes are automatically deleted after a period of time, assuming they have been filed away. This will assist greatly in reducing the amount of information potentially disclosable in the event that a subject access request is received. Consider implementing procedures for the management of inboxes of staff who have left the organisation.

Limiting the information which is retained will also mitigate the school’s liability in the event of a breach and will reduce the amount of electronic storage required.

The IRMS toolkit also makes the following point which is something that we discuss in our training:

It’s not a filing system

E-mail systems are commonly used to store information which should be stored somewhere else. E-mails and attachments should be saved into any appropriate electronic filing system or printed out and placed on paper files.

Where the text of the e-mail adds to the context or value of the attached documents it may be necessary to keep the whole e-mail. The best way to do this, and retain information which makes up the audit trail, is to save the e-mail in .msg format. Where you just want recipients to read a document, consider sending a link to the documents rather than attaching them.

New & Updated Resources on the Portal

This month we have two new document resources for you in Global Documents and three updated documents:

New Documents

  • DPIA template for online and live recorded lessons (remote learning)
  • DPIA template for the storage and communication of safeguarding information in CPOMS (including system implementation)

Updated Documents

  • Data Protection Policy template
    • New text added to section 9.3 regarding SARs submitted by third parties.
  • Freedom of Information Policy template
    • Minor corrections and amendments
  • DPIA template for the storage and communication of health and medical data including updated processes associated with Covid-19 testing
    • Minor corrections and amendments

Coronavirus: How does Covid-19 test-and-trace work? – BBC

H&M Hit With Record-Breaking GDPR Fine Over Illegal Employee Surveillance – Forbes

Department for Education’s handling of pupil data ruled illegal – The Guardian

Cambridge Analytica ‘not involved’ in Brexit referendum, says watchdog – BBC

Ransomware: It’s time to bring cybersecurity audits up to GDPR status – ZDNet

Data breach reported as Hackney Council hit by ‘serious cyber attack’ – Sky

Privacy watchdog to probe Klarna after email backlash – BBC

Ransomware is growing: Here are four ways attackers are getting into your systems – ZDNet

As attackers evolve their tactics, continuous cybersecurity education is a must – Help Net Security

Historic data breach exposes practically all US voters ahead of election – TechRadar

Google removes 3 Android apps for children, with 20M+ downloads between them, over data collection violations – TechCrunch

Therapy patients blackmailed for cash after clinic data breach – BBC

EU investigates Instagram over handling of children’s data – BBC

Amazon Discloses Security Incident Involving Customers’ Email Addresses – Tripwire

Experian vows to drag UK’s Information Commissioner’s Office to court after being told off for data-slurping practices – The Register

British Airways fined £20M for data breach – ICO

Marriott fined £18.4M for data security failings – ICO

£40,000 penalty for firm sending spam emails selling face masks – ICO

ICO issues fine to company making “aggressive and rude” nuisance calls – ICO

Please contact us if you do have further questions at DPO@schoolpro.uk.

SchoolPro TLC Ltd (2020)
SchoolPro TLC is not responsible for the content of external websites.