Recently, an unfortunate data breach at a primary school has emphasised the importance of robust data protection practices in schools, colleges and MATs. The Information Commissioner’s Office (ICO) reprimanded the school for infringements of the UK General Data Protection Regulation (UK GDPR). Whilst this is clearly a concern for the school and data subjects involved, it also provides a valuable opportunity for all schools to reassess their data protection strategies.

The reprimand was issued to Parkside Community Primary School in relation to the infringements of Article 5 (1)(f), Article 24 (1) and Article 32 of UK GDPR and can be read in full on the ICO’s website:

Parkside Community Primary School ICO Reprimand

“The Information Commissioner (the Commissioner) issues a reprimand to Parkside Community Primary School (Parkside) in accordance with Article 58(2)(b) of the UK General Data Protection Regulation (UK GDPR) in respect of certain infringements of the UK GDPR.”

The incident involved the inappropriate disclosure of personal and special category data in a classroom setting, affecting four data subjects including three children. According to the reprimand published, key contributing factors to the breach included insufficient data protection policies, inadequate guidance around email security, and a lack of explicit procedures regarding the use of a case management system.

In this post, we delve into the key lessons to be learned from this unfortunate event, and provide you with a checklist to ensure that you are adequately protecting the personal data of your pupils and staff.

Lessons to Learn

The reprimand presents several key lessons that could apply to other schools in the UK:

  1. Ensure Adequate Data Protection Policies:
    The reprimand highlighted that the school lacked detailed data protection policies, specifically on the safe handling of personal data over email and the usage of a specific case management system. Policies should clearly outline the procedures for maintaining data security and confidentiality, especially when sensitive or special category data is involved. Schools should have policies specific to the high-risk software and platforms they use, created in conjunction with risk assessments or Data Protection Impact Assessments (DPIAs).
  2. Provide Clear Procedures and Guidance:
    The lack of written guidance for employees was a significant issue. Clear instructions need to be in place for using security and confidentiality classifications on emails, and for the usage of any case management system or software. Guidelines regarding when and where to open sensitive emails, and how to operate electronic devices securely (like electronic whiteboards), should also be clearly provided.
  3. Staff Training:
    Regular and thorough training for staff is necessary to ensure compliance with data protection regulations. This should include training on the operation of specific software or systems, data breach reporting procedures, operation of electronic devices, and general data protection principles.
  4. Incident Reporting Mechanisms:
    In this case, staff failed to report the data breach internally. An effective incident reporting mechanism should be in place, and staff should be well aware of the process to follow if a data breach is suspected or has occurred.
  5. Sensitive Data Handling:
    Emails or alerts containing sensitive information should be appropriately labelled and only accessed under safe conditions (e.g., not in the presence of children or during teaching hours). Controls should be in place on who can access highly sensitive information and when.
  6. Policy Enforcement and Review:
    All staff and stakeholders should be familiar with the school’s data protection policies. Policies should be reviewed and updated regularly, especially in response to incidents, and staff should be required to affirm their understanding and acceptance of these policies.
  7. Testing and Audit of New Processes:
    Any new processes or procedures introduced in response to a data breach should be tested to ensure they are effective and embedded within the organisation.

Action Plan / Checklist


Taking those lessons into consideration, what key actions can a school, college or MAT take to reduce their data breach risk and improve practice?

  1. Policies and Procedures
  2. Training and Awareness
  3. Email Security
  4. Software and System Security
  5. Monitoring and Review

By following this checklist along with your existing practices, and continually investing in data protection, you can better protect the personal data of your pupils and staff, and ensure compliance with the UK GDPR. The incident highlighted by this ICO reprimand serves as a stark reminder of the potential repercussions of insufficient data protection, and the importance of making data protection a priority in your school, college or MAT.

If you have any other questions about this or any other data protection topic, please contact us at DPO@schoolpro.uk.

Stay safe and healthy,

The SchoolPro TLC Team

SchoolPro TLC Ltd (2024)

SchoolPro TLC guidance does not constitute legal advice.

SchoolPro TLC is not responsible for the content of external websites.
