In its latest security trends report for July to September 2020, the ICO (Information Commissioner’s Office) reveals that the education sector was second only to health in the number of reported data breaches. A personal data breach is defined by the ICO as any event that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
Schools need to take data protection seriously because the risks to children and young people from a breach of their data are more serious than for most adults: a breach can also put their safeguarding at risk.
An analysis of ICO data revealed that 90% of data breaches are caused by human error, so everyone has a part to play in reducing them.
Here are three easy ways to avoid the most common breaches reported by the education sector. In all cases, you should follow school policies to protect the data in your care.
1. Use email carefully
Emailing information to the wrong person and not using the Bcc (blind carbon copy) field are the two most common ways for data to be breached in the education sector. It’s understandable, as both mistakes are so easy to make, which is why email should be avoided as a way to share personal data.
If you have no alternative but to use email, use a secure method to send it and double-check the email address before sending. If you are emailing multiple people and the recipients should not know who else is receiving the message, or should not see each other’s email addresses, then put them in the Bcc field.
2. Only download data when it’s necessary
Loss or theft of paperwork and loss or theft of devices containing data are other common ways data is breached in the education sector.
Once data has been saved into another file or onto a memory device, emailed or printed out, it is much more likely to be breached, so this should only be done when necessary. Protect downloaded data by using encrypted devices and by storing and disposing of paperwork securely. If your school has a secure shredding box for paperwork, use it for anything containing personal data.
3. Learn how to spot a phishing email
Phishing is one of the most popular methods that cyber criminals use to attack the education sector – and cyber attacks on schools are a growing threat.
A phishing email is an attempt to trick the recipient into handing over sensitive information or installing malware. While all staff can be a target, those with higher privilege levels, such as access to financial systems, are particularly at risk. It is important to use the security measures available on your email account, such as two-factor authentication, and to be cautious when the sender asks for information they should already have or when their message conveys a sense of urgency.
If in doubt, never click any links or open any attachments within the email, and contact the organisation that purportedly sent the email using information available from another source, such as their website. We explain how to avoid phishing attacks in this blog.
GDPR.co.uk’s DPO service for schools
We are now offering a DPO service for primary schools with support from our law firm, GRCI Law. We have based the service on the needs of schools and the cost is only £395 per primary school.
Improve your data breach stance with our green paper
This green paper for schools explains the inevitability of data breaches and the importance of being prepared. We outline when a breach should be reported and guide you through developing a response plan.