logo-education
0370 270 6000

already registered?

Please sign in with your existing account details.

need to register?

Register to access exclusive content, sign up to receive our updates and personalise your experience on brownejacobson.com.

Privacy statement - Terms and conditions

education sector accounts for 15% of data breaches

10 March 2020

The Information Commissioner’s Office (ICO) has recently published the latest statistics on reported data breaches. Between November 2019 and January 2020 a total of 2,795 data breaches were reported, with just over 15% of the occurrences originating in the education sector.

In this article Dai Durbridge reviews the data and highlights some lessons learned that could be implemented in your school to help you reduce risk and avoid unnecessary financial penalties.

Over the three-month period, 429 data breaches were reported across the education sector. Of the 24 different business areas recorded, only the health sector reported more – with 542 individual cases reported.

We should not, however, read too much into these numbers, as they could tell us very different things: on the one hand yes, there are still a lot of breaches in the sector; but on the other hand, education institutions could just be much better than others at reporting them. Or what is more likely, it could be something in between. What is of interest – and extremely useful – are the types of breach reported.

Data breaches are divided into 20 different breach categories, covering everything from malicious cyber threats to the incorrect disposal of data. The list below includes the top five types of breaches reported in the education sector, along with a couple of other interesting ones:

Type of breach

Number of breaches

Data emailed to wrong recipient

48

Loss of paperwork

41

Phishing attacks

39

Posted/faxed to wrong address

26

Loss of devices

24

Unauthorised access to data

20

Failure to redact information

15

 

You probably recognise these are risk areas in your school. The two interesting ones are, well, interesting: 15 reported breaches for schools failing to redact information, and a further 20 breaches caused by unauthorised access to data.

Over the last couple of years we have advised many clients following data breaches. If you asked me to guess the top three behaviours likely to cause a data breach in schools, I would say:

  1. Emails sent to the wrong recipient;
  2. Loss of paperwork; and
  3. Unauthorised data access.

The wider sector statistics reported by the ICO are certainly in line with what we are seeing from our clients.

Now you know what the key risks are, you should consider the extent to which they are risks in your school or trust and what steps you may need to take to minimise them. You should consider the following:

Emails

  • If you still have the autocomplete function turned on for email addresses you should disable it. The autocomplete function can lead to emails being sent to the wrong person because the sender tends to assume the autocomplete has chosen the correct recipient.
  • Make sure you are using password protected documents and not putting personal data in the main body of emails.

Loss of paperwork

  • Reflect on whether your staff needs to take paperwork off the school site or whether there is a better way for them to access the data they need.

Unauthorised access

  • In many cases, unauthorised access to data can be avoided by individuals being vigilant. Staff should be reminded to lock their computers when they leave their desks and take notice of those around them (especially the more mischievous pupils) when personal data is being viewed on screen. It is very easy for photos to be taken and shared.

Given that the top three types of data breach account for over a quarter of all education breaches, you can improve your GDPR compliance by simply focussing on these issues.

training and events

8Jun

PraxisAuril 2021 Conference Online

Come and meet our Head of Higher Education, Bettina Rigg and colleagues who will be online throughout this four day conference to discuss how our full service team can support your institution. Please note that this event was postponed from June 2020.

View event

1Jul

ISBL regional Conference Marriott Hotel, Southampton Road, Cosham, Portsmouth, PO6 4SH

Join our Partner Julia Green at this regional conference as she provides an overview of key legal developments that you should be aware of ahead of the 2021/22 academic year. Please note that this event was postponed from July 2020.

View event

focus on...

Legal updates

Preparing to award teacher assessed grades

Schools will now be tasked with reading a vast amount of information to get themselves ready to provide teacher-assessed grades (TAGs) for students following the recent publication of the suite of Joint Council Qualifications (JCQ).

View

Legal updates

Future-proofing your Centre Policy

Exams centres, including schools, have between 12 and 30 April 2021 to develop and submit their Centre Policy. This policy will set out the centre’s approach to assessment and quality assurance during this summer’s teacher assessed grading (TAGs) process.

View

Legal updates

Everyone’s Invited – Ofsted to review safeguarding policies

Ofsted has announced that it will begin an immediate review of school safeguarding policies. It is now time that you take steps to ensure your policies and procedures are up to date.

View

Legal updates

Grades without exams - FAQs

In the absence of exams, the Department for Education (DfE) and Ofqual have confirmed that the 2021 GCSE, AS and A level and vocational and technical qualification grades will be determined by centre assessment.

View

The content on this page is provided for the purposes of general interest and information. It contains only brief summaries of aspects of the subject matter and does not provide comprehensive statements of the law. It does not constitute legal advice and does not provide a substitute for it.

mailing list sign up



Select which mailings you would like to receive from us.

Sign up