Assessing Risk in Data Processing – SchoolPro TLC Monthly Newsletter – Issue 27 – November ’22

The start of this academic year has been a whirlwind, both in and out of schools! It has been great to see so many of you in person again and we are looking forward to getting out and seeing even more of you over the next few terms. If you are not in the diary yet, we will be endeavouring to get in touch over the next few weeks!

Our last newsletter focused on the new UK Data Protection and Digital Information Bill. But that was a couple of governments ago and since then, the bill has been shelved. However, the new head of the DCMS has said that there are still plans to reform our data protection laws, and they are now expected to be more radical and pro-business than the aforementioned DPDI Bill. There is currently no known timeline for this new reform and we don’t have any further details. When that changes, we will pass on all we can!

This month, there have been a couple of events that have made us think further about risk assessing data processing activities so we wanted to cover those off and remind you of our risk assessment guidance for data protection. There is also:

  • a reminder of the information on making online checks on job applicants as per KCSIE 2022;
  • a number of updates from the DfE that may impact data protection work; 
  • our partner spotlight highlighting a company we work with and recommend;
  • the latest information on recent and current cyber threats;
  • a previously asked question about ensuring only blank forms can be sent to data subjects and not forms filled out with details from another individual; and
  • the latest on the new & updated resources in Global Documents since the last newsletter.

As always, if you have any further questions about the topics below, or if you would like to book your next visit from us, either online using video conferencing or onsite now many schools are accepting visitors, please get in touch via our new email address DPO@schoolpro.uk.

Don’t forget, if there is anything else that you need support with at this time, please ask and we will do whatever we can within our capacity to assist.

Stay safe and healthy!

Assessing Risk in Data Processing

A couple of events recently have made us re-visit and review our guidance regarding assessing risk in data processing – in other words, when conducting Data Protection Impact Assessments (DPIAs).

The new biometric data guidance from the DfE clearly states that “the decision to use automated biometric technology rests with individual schools and colleges” and that in order to make that decision, “careful consideration should be given to the purpose for use, whether the processing is necessary and proportionate including the implications of using this technology for example, any operational requirements, the use of personal information and possible data breaches as well as the legal requirements associated with the management of it”. This clearly highlights two fundamental aspects of risk assessing data processing activities – necessity and proportionality.

Processing data includes “obtaining, recording or holding the data or carrying out any operation or set of operations on the data including (but not limited to) disclosing it, deleting it, organising it or altering it.” If you are going to process biometric data, it is your responsibility as a data controller to ensure that you have identified the possible risks with the processing of data by conducting a DPIA and that you are “aware of the wider duties placed on [you], for example under the Human Rights Act 1998 and Public Sector Equality Act Duty using automated biometric technology”.

Necessity
Part of the DPIA is to assess the necessity of the data processing that you want to carry out. You can ask yourself a basic question – is this type of data processing necessary to achieve what we are setting out to achieve? Or can we do it in a different way that doesn’t involve processing biometric data?

Biometric data is special category data, which means it is particularly sensitive and must be given more protection than other personal data. You also have to meet a higher legal bar for processing it, as you need to identify both a lawful basis under Article 6 UK GDPR and a separate condition for processing under Article 9 UK GDPR. It should only be used if it is absolutely necessary, which is why it is important to assess necessity. If there isn’t another, relatively straightforward, way to carry out your aim, it may be that the processing is necessary.

Proportionality
Part of the DPIA is to assess the proportionality of the data processing that you want to carry out. Another question – is the use of sensitive personal data proportionate to the aim we are looking to achieve? Would it be more proportionate to use less sensitive data to achieve the same aim?

The guidance gives the example of facial recognition:

Facial recognition will often not be appropriate in schools and colleges if other options are available to achieve similar goals, like paying for school lunches. Schools and colleges must establish that facial recognition is both necessary and proportionate within the school and college environment.

It is fair to say that the word “often” is not needed in that sentence! A few years ago, a school in Sweden was fined by the supervising authority there for using facial recognition for attendance purposes. It was judged that this was not a necessary or proportionate use of the technology and that the school hadn’t adequately risk assessed the situation or consulted with the supervisory authority.

The second article that we linked at the start of this section was of a school in Bristol that has been referred to the ICO regarding their use of CCTV cameras. This is still an ongoing case and we have seen arguments on both sides of the debate, for and against what the school are doing.

We aren’t going to pass judgement here as we don’t have all of the information but wanted to highlight it as an important example of making sure that you have risk assessed your processing activity before conducting it. Is what the school are doing here necessary and proportionate for their purposes…?

If you haven’t read our original DPIA guidance yet, you can do so here – Data Protection Impact Assessments | What and Why they are important | SchoolPro TLC!

KCSIE 2022 – Online Checks for Job Applicants

Paragraph 220 of Keeping Children Safe in Education 2022 states that “schools and colleges should consider carrying out an online search as part of their due diligence on the shortlisted candidates. This may help identify any incidents or issues that have happened, and are publicly available online, which the school or college might want to explore with the applicant at interview.”

We have sent out advice and guidance on this before but it is still a hot topic that we know is in discussion in schools. Our guidance can be found here:

Data Protection and DfE Updates (including New Cyber Security Standards)

Over the past few months, the DfE has sent out a number of updates to their guidance which impact on data protection work. These are as follows:

  • DfE appropriate policy document | GOV.UK
    • Information about the legal basis and safeguards in place for the sensitive processing of special category data and criminal offence data.
    • Update – first published by the DfE. For information – no requirement to update school/trust data protection documentation.
  • Data protection: privacy notice model documents | GOV.UK
    • Privacy notice templates provided by the DfE.
    • Update – the DfE has provided an update to some of the templates in the section ‘Requesting Access to Your Personal Data’. The wording of the bullet points on data subject rights as well as the introduction to the list of rights have been updated and made more robust. This has been reflected in our relevant privacy notice templates in Global Documents on the portal. Details can be found further down the newsletter in the New and Updated Resources section.
  • Apply for Department for Education (DfE) personal data | GOV.UK
    • How to apply for access to personal data from DfE and its executive agencies.
    • Update – uploaded new versions of the National Pupil Database data tables, Higher Education Statistics Agency data tables, and the application form and guidance. For information – no requirement to update school/trust data protection documentation.
  • How DfE shares personal data | GOV.UK
    • Information on how the Department for Education (DfE) and its executive agencies share personal data.
    • Update – updated the section ‘Vision for sharing data’, to show which data can now be accessed through the ONS Research Accreditation Service. For information – no requirement to update school/trust data protection documentation.
  • Choosing a school management information system (MIS) | GOV.UK
    • Table helping schools compare systems and choose the right one for their setting.
    • Update – updated the comparison table with additional information for each supplier. For information – no requirement to update school/trust data protection documentation although will be of use when preparing DPIAs for new MIS implementation as required.
  • Meeting digital and technology standards in schools and colleges | GOV.UK
    • How schools and colleges can meet IT service and digital equipment standards.
    • Update – cyber security standards for schools and colleges – new section added (Cyber security standards for schools and colleges | GOV.UK). This contains useful information/guidance for schools regarding cyber security. See below for some of the key points we’ve identified from this*.

*From Meeting digital and technology standards in schools and colleges | GOV.UK, here is a selection of the guidance that we feel is important:

You must conduct a Data Protection Impact Assessment by statute for personal data you hold as required by General Data Protection Regulation

The importance of meeting the standard
The protection of sensitive and personal data is vital to:

  • the safety of staff and students
  • the reputation of schools and colleges
  • the confidence placed in schools and colleges
  • avoid the legal liabilities which security breaches expose schools and colleges to 

How to meet the standard
You should control access to data in consultation with your IT service provider and the Data Protection Officer. This is to safeguard staff and students as required by the General Data Protection Regulation (GDPR).

To meet the standard, you must:

  • understand the definition of personal data
  • assess the risk of compromise, and the degree of damage caused by a security compromise, to work out the resources required to protect the data
  • pseudonymise or encrypt any personal data while stored and in transit to a third party
  • ensure the confidentiality, integrity and availability of the data and systems processing them
  • restore complete and accurate data after an incident in a timely fashion
  • design and apply processes for testing and assessing the effectiveness of all measures used to safeguard data and its use

There is DfE guidance on:

You should have at least 3 backup copies of important data, on at least 2 separate devices, at least 1 must be off-site

The importance of meeting the standard
A backup is an additional copy of data, held in a different location, in case the original data is lost or damaged. If all copies were held in the same location, they would all be at risk from natural disasters and criminal damage.

Backups of important data are crucial for quick recovery in the event of disaster. The safest way to achieve this is to have a pattern of backing up on a rolling schedule. You should keep these backups off the network when not in use and check them regularly.

How to meet the standard
Ask your IT service provider to install and configure your devices to meet the standards described in the technical requirements. If your IT service provider is an external contractor, the scope of this should be included in your service agreement…

Train all staff with access to school IT networks in the basics of cyber security

The importance of meeting the standard
The most common forms of cyber attack rely on mistakes by staff members to be successful. Avoiding these mistakes prevents the attacks.

Basic cyber security knowledge amongst staff and governors is vital in promoting a more risk aware school culture.

How to meet the standard
Staff with access to your IT network must take basic cyber security training every year.

At least one member of the governing body should complete the training.

Remember that the training may change over time with changing cyber threats.

Technical requirements to meet the standard
Staff who require access to your IT network must take basic cyber security training every year. The training should be part of the induction training for new staff.

This training should focus on:

  • phishing
  • password security
  • social engineering
  • the dangers of removable storage media

The National Cyber Security Centre has published suitable training materials:

At least one current governor must complete the same basic cyber security training. These governors should read the NCSC publication school cyber security questions for governors.

When to meet the standard
You should be looking to implement this standard as soon as you can but within 12 months as a minimum.

** Don’t forget, as your DPO, we have given you access to the NCSC’s Cyber Security for School Staff course through our training site as well. Please come and speak to us if you still have questions about how to access this and get your staff onboard.

Partner Spotlight


Jane Bee Safeguarding

Each month we throw the spotlight on a different partner. This month it is Jane Bee Safeguarding.

Jane has worked in Safeguarding and Child Protection for more than 18 years and was the manager for Safeguarding in Education for a large Local Authority in the South West of England. Jane Bee Safeguarding provides a range of safeguarding services.


Recent and Current Cyber Threats


NCSC Annual Review 2022

The National Cyber Security Centre (NCSC) has published its Annual Review for 2022 including topics such as ‘Threats, Risks and Vulnerabilities’, ‘Resilience’, ‘Technology’ and ‘Ecosystem’. You can read the full report here:

NCSC Annual Review 2022 – NCSC.GOV.UK


How to assess and gain confidence in your supply chain cyber security

Useful guidance for Multi-Academy Trusts and large schools – practical steps to help medium to large organisations gain assurance about the cyber security of their organisation’s supply chain:

How to assess and gain confidence in your supply chain… – NCSC.GOV.UK


Choosing the right type of authentication methods

We would certainly recommend that organisations look to move away from relying on passwords alone wherever possible, and we know that many schools and Trusts are already implementing multi-factor authentication. Here are some recommended authentication models for organisations looking to move ‘beyond passwords’:

Authentication methods: choosing the right type – NCSC.GOV.UK


Recent Threats Identified…


  • Google Chrome’s Reported Security Issues – New research by Atlas VPN claims that Google’s Chrome browser has had 303 discovered vulnerabilities this year, and that an unusually high number of cumulative vulnerabilities have been spotted in the browser. The advice is to make sure that your browser is up to date, care is taken if choosing plugins, and to look out for potential phishing emails.
    (Cheltenham IT Support | Reform IT)
  • Beware Malicious WhatsApp Lookalike Apps – Kaspersky has warned users about the dangers of malicious WhatsApp knockoff apps YoWhatsApp and WhatsApp Plus. Although both appear to offer the same functionalities as the real WhatsApp, they are reported to be able to download the Triada Trojan to smartphones, and steal legitimate WhatsApp’s access keys, thereby giving attackers access to the user’s real WhatsApp account. The advice is not to visit suspicious websites, and not to use unofficial clients for messaging apps, or to download hacked versions of programs via torrents.
    (Cheltenham IT Support | Reform IT)
  • Beware Energy Bills Scam – Energy regulator Ofgem is warning consumers to beware of scam email messages claiming to offer discounts on energy bills. The phishing scam messages invite recipients to apply for the £400 “non-repayable discount” by following a link to a fake Ofgem phishing website to provide personal details and set up a direct debit to receive the money. The advice is to be vigilant, avoid clicking on links or downloading attachments from suspicious emails, and to report any such emails to Action Fraud and forward them to The National Cyber Security Centre at report@phishing.gov.uk.
    (Cheltenham IT Support | Reform IT)

Previously Asked Question

We are asked data protection questions by schools on a daily basis and there are some questions that come up regularly. We now have an FAQ section on the website for these and all of our answers are published there. You can find this on the Data Protection page of the website or in the blog. Here is one of the questions we’ve been asked recently and the answer we have provided. We will publish more in future newsletters:

Answered July ’22.
Unfortunately, this is a fairly common problem that we come across. There are a multitude of forms that schools will send out from new starter forms for staff to travel allowance forms or referral forms. The issue comes where an individual is sent a supposedly blank form and it turns out on receipt that it is filled in (or partially filled in) with another data subject’s data. And depending on the nature of the form, this can be very sensitive data in some instances!
The problem often comes from ‘master templates’ being over-written by mistake or saved over with a completed document. So, how can we reduce this risk? There are a number of different options that could be used if this type of breach becomes an issue for you:
  • Train staff to copy master documents prior to filling them in (rather than filling in the master document and then using ‘Save As’) so the original master is not completed and potentially saved over by mistake.
  • Make the master document a ‘template document’ so that it can’t be saved over but has to be saved as a separate file.
  • Make the master document a ‘read-only document’ so that it also can’t be saved over but has to be saved as a separate file.
  • Keep master documents in a separate folder to completed documents. Combine this practice with the first bullet point so the document has to be copied into the ‘completed document’ location prior to filling in.
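As an added illustration of the last two options (this is example code written for this newsletter, not a SchoolPro TLC tool), the script below records a SHA-256 baseline of a ‘Masters’ folder, reports any master whose content has changed since it was known to be blank, and clears the write permission on the masters so a plain ‘Save’ fails and ‘Save As’ is forced. The folder name, the two sample forms and the over-written file are constructed for the demonstration.

```python
import hashlib
import json
import stat
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(masters_dir: Path) -> dict:
    """Hash every master template: {relative path: sha256}."""
    return {str(p.relative_to(masters_dir)): sha256_file(p)
            for p in sorted(masters_dir.rglob("*")) if p.is_file()}


def save_baseline(masters_dir: Path, baseline_path: Path) -> dict:
    """Record the known-blank state of the masters folder in a JSON manifest."""
    baseline = build_baseline(masters_dir)
    baseline_path.write_text(json.dumps(baseline, indent=2))
    return baseline


def check_masters(masters_dir: Path, baseline: dict) -> dict:
    """Compare the folder against the recorded baseline.

    A non-empty 'modified' list means a master no longer matches its blank
    version and may now hold another data subject's details; it must be
    reviewed before that form is sent to anyone else.
    """
    current = build_baseline(masters_dir)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "missing": sorted(k for k in baseline if k not in current),
        "unexpected": sorted(k for k in current if k not in baseline),
    }


def make_read_only(masters_dir: Path) -> int:
    """Clear the write bits on every master so 'Save' fails and 'Save As' is forced."""
    count = 0
    for p in masters_dir.rglob("*"):
        if p.is_file():
            p.chmod(p.stat().st_mode & ~(stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH))
            count += 1
    return count


def demo() -> dict:
    """Constructed scenario: a completed form is saved over its master template."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        masters = root / "Masters"
        masters.mkdir()
        (masters / "travel_allowance.txt").write_text("Name: ______  Staff no: ______\n")
        (masters / "referral_form.txt").write_text("Pupil: ______  Concern: ______\n")
        baseline = save_baseline(masters, root / "masters_baseline.json")
        # The mistake described in the newsletter: the master is saved over with real data.
        (masters / "travel_allowance.txt").write_text("Name: A. N. Other  Staff no: 12345\n")
        report = check_masters(masters, baseline)
        report["locked"] = make_read_only(masters)  # then lock the masters so it cannot recur
        return report


if __name__ == "__main__":
    print(demo())
```

Run the baseline step once the masters have been checked as blank, then schedule the check against the same manifest; any ‘modified’ entry is a candidate breach to investigate before the form is sent out again.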

New & Updated Resources on the Portal

Since our last newsletter, we have added 4 new documents and updated 13 documents:

New Documents

  • DPIA – Data Protection Officer (DPO) – SchoolPro TLC
  • DPIA – Pupil Progress
  • Letter – SAR Acknowledgement Template – Extension Notification
  • Policy – Retention and Disposal for the ICO
  • ICO Guidance – Access to Information Held in Complaint Files

Updated Documents

  • Letter – SAR Acknowledgment Template
  • Letter – SAR Response Cover Template
    • DPO contact email updated to DPO@schoolpro.uk
    • Some exemptions removed to reduce possible confusion over inclusion in response – link added to exemption guidance on SchoolPro TLC blog
  • Policy – Acceptable Use
    • More robust terms added regarding monitoring of network/internet/emails of staff including for SARs.
  • Policy – Acceptable Use Agreement (Staff)
    • More robust terms added regarding monitoring of network/internet/emails of staff including for SARs.
  • Privacy Notice – Job Applicant
  • Privacy Notice – Hosp & Alt. School Pupils & Parents
  • Privacy Notice – Primary Academy Pupils & Parents
  • Privacy Notice – Primary School Pupils & Parents
  • Privacy Notice – School and Trust Governance Roles
  • Privacy Notice – Secondary School Pupils & Parents
  • Privacy Notice – Visitors
  • Privacy Notice – Workforce Academy
  • Privacy Notice – Workforce School
    • All privacy notices updated in ‘Requesting Access to Your Personal Data’ to reflect new DfE wording regarding data subject rights. Bullet point list has been updated as well as introductory text to the list. 

The abortion privacy dangers in period trackers and apps | BBC News

California gun dashboards expose 10 years of personal data | The Register

UK security services must seek approval to access telecoms data, judges rule | The Guardian

UK signs US border deal to share police biometric database | The Register

Marriott Hotels suffers third data breach in 4 years | The Register

Call for ban on Chinese CCTV cameras ‘which recognise faces and emotions’. | Yahoo

Hackers have access to bank details, signatures, addresses and national insurance numbers, Gloucester councillor reveals | Gloucestershire Live

How data on a billion people may have leaked from China | The Register

UK health authorities slammed for WhatsApp use in pandemic | The Register

Children’s rights groups call out TikTok’s ‘design discrimination’ | TechCrunch

Log4j software flaw ‘endemic,’ new cyber safety panel says | AP News

Twitter probes privacy breach claims affecting 5.4m users | The Register

Europeans’ data shared 376 times daily in advertising sales, report says | BBC News

Liverpool City Council: No action over data breach, watchdog says | BBC News

Google sign-up ‘fast track to surveillance’, consumer groups say | BBC News

Bromford Housing Association targeted by cyber attack | BBC News

Report shows a third of employees don’t understand importance of cybersecurity | VentureBeat

NHS 111 software outage confirmed as cyber-attack | BBC News

What your car knows about you | POLITICO

A view from Brussels: Reflections on the CJEU decision on special categories of data | IAPP

CURIA – Documents | Europa.EU

Sensitive data ruling by Europe’s top court could force broad privacy reboot | TechCrunch

If you have any other questions about this or any other data protection topic, please contact us at DPO@schoolpro.uk.

Stay safe and healthy,

The SchoolPro TLC Team

SchoolPro TLC Ltd (2024)

SchoolPro TLC guidance does not constitute legal advice.

SchoolPro TLC is not responsible for the content of external websites.