Information security
If you cannot find the answer to your question from the information provided on each of the Information Governance pages, schools should contact their Data Protection Officer (DPO). If your school has purchased the DPOaaS from SPS or Cantium Business Solutions, please email sps-dpo-services@isystemsintegration.com or call 0208 0501387 or 07487 264222.
Article 5(1)(f) of the GDPR concerns the ‘integrity and confidentiality’ of personal data. It says that personal data shall be:
'Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures'
You can refer to this as the UK GDPR’s ‘security principle’. It concerns the broad concept of information security.
This means that you must have appropriate security to prevent the personal data you hold being accidentally or deliberately compromised. You should remember that while information security is sometimes considered as cybersecurity (the protection of your networks and information systems from attack), it also covers other things like physical and organisational security measures.
The security principle goes beyond the way you store or transmit information. Every aspect of your processing of personal data is covered, not just cybersecurity. This means the security measures you put in place should seek to ensure that:
- the data can be accessed, altered, disclosed or deleted only by those you have authorised to do so (and that those people only act within the scope of the authority you give them);
- the data you hold is accurate and complete in relation to why you are processing it; and
- the data remains accessible and usable, i.e. if personal data is accidentally lost, altered or destroyed, you should be able to recover it and therefore prevent any damage or distress to the individuals concerned.
These are known as ‘confidentiality, integrity and availability’ and under the UK GDPR, they form part of your obligations.
The UK GDPR does not define the security measures that you should have in place. It requires you to have a level of security that is ‘appropriate’ to the risks presented by your processing. You need to consider this in relation to the state of the art and costs of implementation, as well as the nature, scope, context and purpose of your processing.
This reflects both the UK GDPR’s risk-based approach, and that there is no ‘one size fits all’ solution to information security. It means that what’s ‘appropriate’ for you will depend on your own circumstances, the processing you’re doing, and the risks it presents to your organisation.
So, before deciding what measures are appropriate, you need to assess your information risk. You should review the personal data you hold and the way you use it in order to assess how valuable, sensitive or confidential it is - as well as the damage or distress that may be caused if the data was compromised. You should also take account of factors such as:
- the nature and extent of your organisation’s premises and computer systems;
- the number of staff you have and the extent of their access to personal data; and
- any personal data held or used by a data processor acting on your behalf.
‘Confidentiality, integrity, availability’ and ‘resilience’?
Collectively known as the ‘CIA triad’, confidentiality, integrity and availability are the three key elements of information security. If any of the three elements is compromised, then there can be serious consequences, both for you as a data controller, and for the individuals whose data you process.
The information security measures you implement should seek to guarantee all three both for the systems themselves and any data they process.
The CIA triad has existed for a number of years and its concepts are well-known to security professionals.
You are also required to have the ability to ensure the ‘resilience’ of your processing systems and services. Resilience refers to:
- whether your systems can continue operating under adverse conditions, such as those that may result from a physical or technical incident; and
- your ability to restore them to an effective state.
This refers to things like business continuity plans, disaster recovery, and cyber resilience.
Effective security measures
The UK GDPR specifically requires you to have a process for regularly testing, assessing and evaluating the effectiveness of any measures you put in place. What these tests look like, and how regularly you do them, will depend on your own circumstances. However, it’s important to note that the requirement in the UK GDPR concerns your measures in their entirety, therefore whatever ‘scope’ you choose for this testing should be appropriate to what you are doing, how you are doing it, and the data that you are processing.
You can undertake this through a number of techniques, such as vulnerability scanning and penetration testing. These are essentially ‘stress tests’ of your network and information systems, which are designed to reveal areas of potential risk and things that you can improve.
You can undertake testing internally or externally. In some cases it is recommended that both take place.
Whatever form of testing you undertake, you should document the results and make sure that you act upon any recommendations, or have a valid reason for not doing so, and implement appropriate safeguards. This is particularly important if your testing reveals potential critical flaws that could result in a personal data breach.
What about staff?
The UK GDPR requires you to ensure that anyone acting under your authority with access to personal data does not process that data unless you have instructed them to do so. It is therefore vital that your staff understand the importance of protecting personal data, are familiar with your security policy and put its procedures into practice.
You should provide appropriate initial and refresher training, including:
- your responsibilities as a data controller under the UK GDPR;
- staff responsibilities for protecting personal data - including the possibility that they may commit criminal offences if they deliberately try to access or disclose these data without authority;
- the proper procedures to identify callers;
- the dangers of people trying to obtain personal data by deception (e.g. by pretending to be the individual the data concerns, or through ‘phishing’ attacks, which staff should be trained to recognise), or by persuading your staff to alter information when they should not do so; and
- any restrictions you place on the personal use of your systems by staff (e.g. to avoid virus infection or spam).
For more information on security, take a look at the ICO website.
Importance of protecting personal data
It is vital that you understand the importance of protecting personal data. Start off by reading the information security for schools (PDF, 175.2 KB) document.
Reporting a personal data breach
If you experience a personal data breach you need to consider whether this poses a risk to people. You need to consider the likelihood and severity of any risk to people’s rights and freedoms, following the breach. When you’ve made this assessment, if it’s likely there will be a risk then you must notify the ICO; if it’s unlikely then you don’t have to report it.
You do not need to report every breach to the ICO.
A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. It also means that a breach is more than just about losing personal data.
Once a personal data breach has occurred, assess the likelihood and severity of the resulting risk to people’s rights and freedoms. If a risk is likely, you must notify the ICO; if it is unlikely, you do not have to report it. However, if you decide not to report the breach, you must be able to justify that decision, so document it.
- The UK GDPR enforces a duty on all organisations to report certain types of personal data breach to the relevant supervisory authority. You must do this within 72 hours of becoming aware of the breach, where feasible.
- If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, you must also inform those individuals without undue delay.
- You should ensure you have robust breach detection, investigation and internal reporting procedures in place. This will facilitate decision-making about whether or not you need to notify the relevant supervisory authority and the affected individuals.
- You must also keep a record of any personal data breaches, regardless of whether you are required to notify.
For more information about what a personal data breach is and when you need to report it to the ICO, please see the personal data breach pages on the ICO website.
Failure to notify a breach
Failing to notify a breach when required to do so can result in a significant fine of up to 10 million euros or 2% of your global turnover. The fine can be combined with the ICO’s other corrective powers under Article 58. It is therefore important to have a robust breach-reporting process in place, so that you detect breaches, notify them on time and provide the necessary details.
ICO Fines and Enforcement Action
The Information Commissioner’s Office (ICO) has the ability to impose significant fines of up to £17.5 million on data controllers for serious contraventions of the UK GDPR. It can also serve an enforcement notice on data controllers if it considers positive steps are necessary to bring about compliance.
Former Headteacher prosecuted for unlawfully obtaining school children’s personal information
A former Headteacher has been fined in court for unlawfully obtaining school children’s personal data from previous schools where they worked.
A Twickenham Headteacher obtained the information from two primary schools where they had worked, and uploaded it to their then current school’s server. As they had no lawful reason to process the personal data, they were in breach of data protection legislation.
Six months into their role as Deputy Head at Isleworth Town Primary School, the Head was suspended. A subsequent IT audit showed large volumes of sensitive personal data from their previous schools, Spelthorne Primary and The Russell School in Richmond, present on the Isleworth server.
During the investigation they gave no valid explanation of how the information had come to be on their system (it had been uploaded from their USB stick), stating only that they had deleted the personal data from the stick.
In a subsequent interview with the Information Commissioner’s Office (ICO) the Head read from a prepared statement advising the information had been taken for professional purposes.
Appearing before Ealing Magistrates’ Court, the Headteacher admitted two offences of unlawfully obtaining personal data in breach of s55 of the Data Protection Act 1998.
They were fined £700, ordered to pay £364.08 costs and a victim surcharge of £35. For more information go to the ICO website.
Primary school found in breach of GDPR for not informing parents of CCTV in toilets
Parents are seeking legal advice after a primary school in Neasden was found to have breached data protection legislation by not telling them there were CCTV cameras in the children's toilets. The cameras were spotted by unsuspecting parents taking part in a coffee morning tour of classrooms at Mitchell Brook Primary School in September. The school failed to notify parents that it was installing CCTV cameras in the toilets, and failed to put up appropriate signage alerting the children. Parents launched a petition to have the cameras removed, which gained more than 100 signatures, and are now seeking legal advice as they believe their children's privacy was breached.
ICO says don’t get caught out when it comes to pupil photos
The ICO has issued two reprimands, which are legal warnings, recently to schools for wrongly disclosing the personal data of children.
This is what Andrew Laing, ICO Head of Data Protection Complaints said:
"In the first case a class photograph, sent to a local newspaper by a Cheshire Primary school, included the images of two pupils whose adoptive parents had refused consent for their children’s images to be shared."
The second reprimand, issued to a Humberside Primary school, followed a class photograph being taken and sent home to parents. The photo included the image of a child whose adoptive parent had previously signed consent forms clearly stating that no photographs of her daughter were to be used outside of the school.
These sorts of incidents can lead to safeguarding concerns and distressing consequences not only for the families involved but also the staff responsible.
While data protection law does not prevent the taking and publication of photos, in cases where parents have made a specific request for their children not to be included, data protection law does apply.
We feel other schools can benefit from the lessons to be learned in these cases to avoid falling short of the standards required by the law when handling photographs of pupils:
- Photos taken for official school use, such as in the school prospectus or to be sent to the local paper, will be covered by data protection law and so the legislation should be followed.
- Ensure your school has an appropriate procedure for the handling of pupils’ images. Don’t just rely on a single member of staff remembering to check a spreadsheet of parental permissions.
- Make sure to report any breach to your data protection officer as soon as it happens and consider if the incident needs to be reported to the ICO.
- Know what personal data the school holds and where. Documentation and accountability are a key part of the UK GDPR, and an information audit or data-mapping exercise will help with this.
- Staff should be educated about the school’s data protection policies and procedures. These should be reiterated to them on a regular basis, such as annually or as soon as changes are made. Keep accurate and up to date records of staff training, policy updates and the internal communications that bring these to the attention of staff. This will create an audit trail to evidence compliance with the UK GDPR.
It’s important to note that data protection law is unlikely to apply in many cases where photographs are taken in schools and other educational institutions. If photos are taken purely for personal use, such as by parents at a sports day for the family photo album, they will not be covered by data protection legislation. Fear of breaching the law should not be a reason to stop people taking photographs or videos. The issue here is about schools following good data protection practices, so their pupils remain protected.