Sean Morris, Legal Manager at Navigator, a flexible employment and HR advice service, explores what steps independent schools can take to ensure that they meet all the ICO standards.
Education and childcare continue to feature consistently as the sector with the second largest number of data security incidents reported to the Information Commissioner’s Office (ICO).
On 30 March, following publication of the 2022 Cyber Security Breaches Survey by the Department of Digital, Culture, Media & Sport (DCMS), the government urged improvement in cyber security practices. The Survey included an annex specifically on findings in UK educational institutions, intended to give an overview of where schools, colleges and higher education institutions lie when it comes to cyber security.
Increased attacks + Low awareness of cybersecurity = High Risks!
Within secondary schools, there was a significant increase in the breaches or attacks identified this past year (70%, up from 58%).
Of greater concern was that there are still many educational institutions, particularly primary schools, which tended to have less sophisticated approaches to security, more akin to small businesses, despite the sensitive personal data which they hold. Many had not heard of various government guidance, initiatives, and communications campaigns on cyber security: 45% of primary schools and 55% of secondary schools knew of the government’s Cyber Aware communications campaign, with lower awareness of the Cyber Essentials scheme in primary schools (24%) and secondary schools (52%). This was lower than reported in further education colleges (88%) and higher education institutions (100%).
What will the ICO do about this?
Given the regulator shows increasing readiness to take enforcement action, with figures increasing year on year since the introduction of the UK GDPR, and in a context where parents informed on their privacy rights are also increasingly likely to raise concerns about how schools handle pupils’ personal data, the lack of awareness and responsiveness is surprising, to say the least.
Here in Scotland, earlier this year The Scotsman reported on complaints from parents about how pupil personal data was processed as part of a health and wellbeing survey as part of a Scottish Government exercise to understand young people’s needs. This is another high profile ICO regulatory investigation in the Scottish schools sector, following last October’s investigation into use of facial recognition technology at school canteens in North Ayrshire.
Situations such as this not only create risks of complaints to the regulator and civil court claims for compensation against schools. Dealing with investigations and complaints can be an operational nightmare, because of the amount of staff time involved, especially when it coincides with particularly busy periods around admissions or exams.
Changes in the air this spring?
It remains to be seen whether the new UK Information Commissioner, John Edwards will change the current approach to data protection law enforcement. The ICO’s public consultation on their regulatory action policy closed on 24th March.
Delivering his first speech in his new role at the IAPP Data Protection Intensive conference in London, the Commissioner explained that a three-year plan (called ICO25) setting out the ICO’s values, aspirations, and priorities, will be published later this year, making it clear that his focus will be on bringing certainty to what UK law requires of organisations processing personal data.
What should Scottish independent schools do?
Since the UK GDPR in 2018, it has been a legal requirement to ensure appropriate security for personal data. Clearly schools handle a large volume of sensitive personal data, including ‘special category’ personal data about children and its staff, such as health information.
Data protection law and the accompanying ICO guidance does not prescribe specific standards: there is no one-size fits all approach to security.
With regard specifically to cyber security, the government’s 10 Steps to Cyber Security helpfully breaks down the task of protecting an organisation into key components intended to mitigate against the majority of attacks.
But is essential to remember ‘appropriate’ measures involve more than just having technological and cyber-security safeguards in place. They must include organisational measures, like allocating responsibilities internally, having appropriate policies, and training staff on handling personal data securely. Mandatory annual training on the essentials of data protection is the ICO recommendation.
Practical steps to address concerns would include arranging high-level training on a school’s obligations under data protection legislation for those with responsibility for risk and legal compliance. Another would be getting expert advice on practical steps to improve compliance in practice, for example by arranging for an independent audit or review of the school’s policies and practices. These ought to meet standards set out in the ICO’s Accountability Framework, which have been updated since the introduction of the UK GDPR in 2018, as well as the regulator’s expectations following changes in last year’s statutory guidance on Data Sharing and the Children’s Code.
Navigator is facilitating a Data Protection Law in Independent Schools training package for member schools. For more information and booking please visit the SCIS website.
Or visit the Navigator stand at the SCIS Annual Conference