
Data breaches in schools – Mitigating risk


Data breaches are, unfortunately, an increasingly common concern across all sectors, including education. Here we aim to provide an overview of what a data breach is, the impact a breach can have, the prevention measures to put in place, and response strategies.

As set out on the Information Commissioner’s Office’s website, a data breach refers to “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This means that a breach is more than just losing personal data.” Such breaches can occur due to various reasons, including cyberattacks, human error or system vulnerabilities.

The consequences of a data breach can be severe and far-reaching, including:

  • financial losses from legal fees, fines, and compensation to affected parties;
  • reputational damage leading to loss of trust and business opportunities; and
  • identity theft, fraud, and misuse of compromised information.

Mitigating the risk of data breaches

Mitigating the risk of data breaches requires a multi-faceted approach including, but not limited to, the following:

  • strong cybersecurity; implementing robust security measures such as firewalls, encryption, and intrusion detection systems;
  • employee training; educating staff about data security, including safe handling of information (e.g. using designated email addresses, no personal accounts or devices) and recognising phishing correspondence;
  • access control; restricting access to sensitive data based on roles and responsibilities; and
  • regular updates; keeping school software and operating systems up to date to address vulnerabilities.

However, a breach may still occur even if you implement robust security practices. Should this be the case, the Data Protection Act 2018 outlines specific legal requirements that must be followed, in particular, in respect of reporting.

If a data breach is likely to result in a “risk” to individuals’ “rights and freedoms”, you must notify the ICO without undue delay and within 72 hours of becoming aware of the breach. The notification should include details of the nature of the breach, the likely impact, and the measures taken to address it.

If the breach is likely to result in a “high risk” to the “rights and freedoms of individuals” (note that this is a higher threshold), you must also notify the affected individuals without undue delay. The notification should again include details of the nature of the breach, its potential consequences, and the measures taken to mitigate the risks. Depending on the circumstances, such concerns may need to be handled very carefully and we recommend taking advice, especially if the breach is potentially serious.

The ICO’s website contains a helpful self-assessment tool to help data controllers assess how to respond to a breach. The ICO can also provide helpful guidance following a breach via its helpline: 0303 123 1113. You may also need to notify your insurers / RPA and, if you are subject to a cyber-attack, the Police.

You are required to maintain records of all data breaches, regardless of whether they are reported to the ICO. These records should include details of the breach and the actions taken in response.

What happens if you have a data breach

A data breach, as well as non-compliance with the data breach notification and response process, can result in an investigation being instigated and conducted by the ICO, as well as potential penalties being imposed, though in our experience the ICO tends to take a reasonable and pragmatic approach.

Given the huge amount of data held by schools, including highly sensitive data, data breaches pose a significant risk to them. By understanding the nature of breaches, implementing preventive measures, and having a robust response plan in place, you can better safeguard sensitive information and protect the school’s reputation.

If you require any assistance with your Data Breach Response Plan, or should you have an incident you would like to discuss, please do not hesitate to contact a member of the team.
