🔓 Lessons from a Data Breach: 📋 Guidance for Schools, Colleges & MATs

The incident involved the inappropriate disclosure of personal and special category data in a classroom setting, affecting four data subjects including three children. According to the reprimand published, key contributing factors to the breach included insufficient data protection policies, inadequate guidance around email security, and a lack of explicit procedures regarding the use of a case management system.

In this post, we delve into the key lessons to be learned from this unfortunate event, and provide you with a checklist to ensure that you are adequately protecting the personal data of your pupils and staff.

Lessons to Learn

The reprimand presents several key lessons that could apply to other schools in the UK:

1. Ensure Adequate Data Protection Policies:
   The reprimand highlighted that the school lacked detailed data protection policies, specifically on the safe handling of personal data over emails and the usage of a specific case management system. Policies should clearly outline the procedures for maintaining data security and confidentiality, especially when it involves sensitive or special category data. Schools should have policies specific to high risk software and platforms they use, created in conjunction with risk assessments or Data Protection Impact Assessments (DPIAs).
2. Provide Clear Procedures and Guidance:
   The lack of written guidance for employees was a significant issue. Clear instructions need to be in place for using security and confidentiality classifications on emails, and for the usage of any case management system or software. Guidelines regarding when and where to open sensitive emails, and how to operate electronic devices securely (like electronic whiteboards), should also be clearly provided.
3. Staff Training:
   Regular and thorough training for staff is necessary to ensure compliance with data protection regulations. This should include training on the operation of specific software or systems, data breach reporting procedures, operation of electronic devices, and general data protection principles.
4. Incident Reporting Mechanisms:
   In this case, staff failed to report the data breach internally. An effective incident reporting mechanism should be in place, and staff should be well aware of the process to follow if a data breach is suspected or has occurred.
5. Sensitive Data Handling:
   Emails or alerts containing sensitive information should be appropriately labeled and only accessed under safe conditions (e.g., not in the presence of children or during teaching hours). Controls should be in place on who can access highly sensitive information and when.
6. Policy Enforcement and Review:
   All staff and stakeholders should be familiar with the school’s data protection policies. Policies should be reviewed and updated regularly, especially in response to incidents, and staff should be required to affirm their understanding and acceptance of these policies.
7. Testing and Audit of New Processes:
   Any new processes or procedures introduced in response to a data breach should be tested to ensure they are effective and embedded within the organisation.
   
   

Action Plan / Checklist

Taking those lessons into consideration, what key actions can a school, college or MAT take to reduce their data breach risk and improve practice?

✅ Policies and Procedures:

• Review your data protection policies and procedures, ensuring they cover all aspects of data handling, including specific written guidelines for using software and systems that process sensitive data.

✅ Training and Awareness:

• Develop a regular training schedule on data protection for all staff. Emphasise what constitutes a data breach, the importance of reporting breaches promptly, and the consequences of failing to do so.
• As a guide, staff should receive data protection training as part of their induction to the organisation, and refresher training should be completed at least biennially if not more frequently. Annual refresher training would be best practice.

✅ Email Security:

• Implement security measures for emails that contain sensitive data, such as security classifications or labels. Provide clear guidelines on when and where such emails can be safely opened.
• Where possible, use alternative methods of communicating sensitive data such as access-controlled, secure, shared folders, or internal secure data transfer systems if available to your school.

✅ Software and System Security:

• Review the security measures for all software and systems that process sensitive data. Ensure staff are trained on how to use these systems securely such as the use of strong passwords and multi-factor authentication.
• Also, include procedures, guidance and training for those systems that could be used to view sensitive data such as electronic whiteboards and screensharing from staff members’ electronic devices.

✅ Monitoring and Review:

• Regularly monitor and review your data protection measures to ensure their effectiveness and make improvements where necessary.
  
  

By following this checklist along with your existing practices, and continually investing in data protection, you can better protect the personal data of your pupils and staff, and ensure compliance with the UK GDPR. The incident highlighted by this ICO reprimand serves as a stark reminder of the potential repercussions of insufficient data protection, and the importance of making data protection a priority in your school, college or MAT.