Data Breaches - A guide for schools and Multi-Academy Trusts

What is a data breach? 

A data breach is any breach or compromise of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.

The breach may be deliberate or accidental and may occur whenever any personal data is lost, destroyed, corrupted, disclosed or accessed without authorisation.  

What is a near miss? 

Any incident that had the potential to cause a data breach but was caught in time to prevent that breach from occurring.

An example of a near miss could be sending an email to the wrong recipient but realising immediately and clicking ‘undo’ before the email has sent.  

A near miss should not be ignored or overlooked; it should be used as a learning tool to put measures in place that prevent the same kind of incident from happening again.

What are the most common data breaches experienced by schools and MATs? 

In Q2 of 2022, 663 data breaches were reported to the ICO from the Education and Childcare sector, of which 115 were cyber related and 548 non-cyber related.

The most common type of breach encountered by schools is data being emailed to the incorrect recipient in error. The second most common type of breach is unauthorised access to data and the third is phishing emails.  

What is a cyber security breach? 

A cyber security breach is unwanted or unauthorised access to systems, data, applications or networks, gained by bypassing or defeating the security controls that are meant to prevent it.

Your school should have appropriate measures in place to detect threats and block unauthorised access, but occasionally these measures fail or are bypassed.

One of the most common ways a cyber security breach occurs in schools/MATs is from phishing emails. 

A phishing email is an email which appears to be sent from a reputable company or organisation and asks the recipient to click a link or open an attachment. The link typically leads to a fake login page that captures the recipient's username and password, and the attachment typically installs malware; either can give the attacker access to the recipient's account and, from there, to part or all of the school's network.

Another form of cyber security breach is a ransomware attack. Ransomware is malware that encrypts the victim's files or systems and demands a payment to restore access; many attackers also copy the data before encrypting it and threaten to publish it unless the ransom is paid.

What can schools/MATs do to prevent data breaches? 

The most common type of data breach results from human error. It is impossible to eradicate this completely, but there are steps that can be taken to reduce the risk.

The first thing is to ensure that you have sufficient time to prepare the email that you are sending and check who you are sending this to.  

You can turn off the auto-complete setting in your email client so that, when you start to type the name of a recipient, the address field is not filled in for you with a previously used (and possibly wrong) address.

You can change your email settings so that a message appears whenever you are sending an email outside your organisation asking you to check and confirm that you are happy to send the email.  

You could also set up a send delay, so that each email is held for a set period before it actually leaves your outbox; if you notice an error within that period, you can stop the email before it reaches the recipient.

All of these things can be configured in the settings of your email account or client, and they will help to reduce the risk of a breach occurring.
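As an added example (not part of the guide, and not any vendor's reference configuration), the following PowerShell applies two of the safeguards above on a Microsoft 365 / Exchange Online tenant with Outlook for Windows: a warning whenever a message is addressed to someone outside the organisation, and switching off address auto-complete. It assumes the ExchangeOnlineManagement module is installed, that the account used is an Exchange administrator, and that Outlook is version 16.x (Office 2016/2019/365); the `ShowAutoSug` registry value name is the one Outlook's Group Policy template uses and should be verified against your own Outlook version. The send delay is not covered here because it is set per mailbox as an Outlook rule rather than as a tenant setting.

```powershell
# Added example: two email safeguards for a Microsoft 365 school tenant.
# Assumptions (not from the guide): ExchangeOnlineManagement module installed,
# Exchange administrator rights, Outlook for Windows 16.x.

# --- 1. Tenant-wide warning when a message is addressed outside the organisation ---
Connect-ExchangeOnline

# Check the current state first. MailTipsAllTipsEnabled is the master switch for
# MailTips; MailTipsExternalRecipientsTipsEnabled is the specific "external
# recipients" tip that shows a warning bar while the sender is composing.
Get-OrganizationConfig |
    Select-Object MailTipsAllTipsEnabled, MailTipsExternalRecipientsTipsEnabled

# Weak setting: either value $false means senders get no warning.
# Corrected setting: enable both.
Set-OrganizationConfig -MailTipsAllTipsEnabled $true `
                       -MailTipsExternalRecipientsTipsEnabled $true

# Re-read to confirm the change was applied.
Get-OrganizationConfig |
    Select-Object MailTipsAllTipsEnabled, MailTipsExternalRecipientsTipsEnabled

Disconnect-ExchangeOnline -Confirm:$false

# --- 2. Turn off Outlook's address auto-complete on this Windows PC ---
# Runs in the user's own session (HKCU). A DWORD value of 0 for ShowAutoSug
# (assumed name, from the Outlook Group Policy template) disables
# "Use Auto-Complete List to suggest names when typing in the To, Cc and Bcc lines".
$prefs = 'HKCU:\Software\Microsoft\Office\16.0\Outlook\Preferences'
if (-not (Test-Path $prefs)) {
    New-Item -Path $prefs -Force | Out-Null
}
New-ItemProperty -Path $prefs -Name 'ShowAutoSug' -PropertyType DWord -Value 0 -Force | Out-Null

# Verify: prints 0 when disabled. Outlook must be restarted to pick up the change.
(Get-ItemProperty -Path $prefs -Name 'ShowAutoSug').ShowAutoSug
```

To roll the auto-complete change out to every staff machine rather than one PC, the same `ShowAutoSug` value is normally pushed through Group Policy (under the `Software\Policies\Microsoft\Office\16.0\Outlook\Preferences` key) so users cannot re-enable it locally.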

Other measures that will help to prevent the other common types of breach are: 

  • ensuring passwords are kept secure and never shared with anyone, 
  • having up-to-date anti-virus and anti-malware software, and 
  • ensuring all staff have received data protection training that covers how to recognise and avoid a cyber security attack.  

How to avoid a cyber security breach? 

Keep your IT security measures up to date: anti-virus and anti-malware software, firewalls, and security updates for operating systems and applications all reduce the risk of an attack.  

Staff training will help everyone to understand what a phishing email is, how to spot one and what to do (or not do) if one is received.  

What do schools/MATs have to do if they experience a data breach? 

You must notify your Data Protection Officer (DPO) as soon as the breach is discovered or suspected, so that they can assess whether the breach is reportable.  

Your DPO will also be able to advise on what other steps you will need to take.  

You should take appropriate action to contain the breach and minimise the damage caused. The type of action that will need to be taken depends on the type of breach that has occurred.  

When does a breach need to be reported to the Information Commissioner's Office (ICO)? 

A breach must be reported to the ICO unless it is unlikely to result in a risk to the rights and freedoms of individuals. Where the breach is likely to result in a high risk to individuals, the affected individuals must also be told without undue delay.

If the breach is reportable, you should submit the reporting form to the ICO within 72 hours of becoming aware of the breach. If you report the breach outside this timeframe, you will need to explain the reasons for the delay.  

Your DPO will be able to provide advice and assistance with any data breach; you are advised to contact them as soon as you discover or suspect a breach.