Best Practice Update

grey computer keyboard with blue key with white text:'Data Migration'

Moving MIS is a daunting task and is no small undertaking for a school. Moving to the cloud from a legacy system means that there are cyber security benefits but may be something new to your organisation. There is often the assumption that the new MIS porvider will seamlessly migrate the data for you, however there is a considerable amount of work that the school must do beforehand in order to make this happen.  This article provides some practical guidance and considerations.

public sector in brown text on cream puzzle pieces held at each end by hands

Computing Magazine recently reported about the ICO reprimanding seven organisation for domestic abuse breaches in the last 14 months.  A collection of public bodies, charitable organisations, law enforcers and lawyers have made personal data slips when handling domestic abuse cases in the last year, showig abusers where to find their victim is hiding.

Be cyber aware in orange text on a blue background above a mobile phone and padlock. Also the Data Protection Education logo

The time following a cyber attack can be very stressful, and in the heat of the moment it can be difficult to know what the best thing to do between working out what went wrong, how to recover and what went missing, it can be hard to know where to start first.

We provide some help and guidance in our Information and Cyber Security Best Practice Area, which also includes the checklist:  document What to do immediately after a Cyber Attack(58 KB) .

Blue data breach text on blue cyber background,  and orange reprimand stamp

A reprimand has been issued by the ICO to Parkside Community Primary School in relation to the infringements of Article 5 (1)(f), Article 24 (1) and Article 32 of the UK GDPR. This article discusses the reprimand and looks and what schools can do to avoid this type of breach.

Some of the information in the reprimand document is redacted, but the main details are:

  • A safeguarding email was shared in the classroom via the electronic whiteboard.
  • The ICO has found that the school disclosed personal data inappropriately, including special category data, in a classroom environment.

The breach is in relation to the UK GDPRs security principle, meaning that the school failed to prevent unlawful disclosure of personal data.
The school also failed to implement appropriate technical and organisational measures to ensure personal data is kept secure under Article 32 of the UK GDPR.

The findings were that the school did not have:

  • Detail in the data protection policy of when it was appropriate to open emails containing personal data.
  • Policies relating to the use of the school's electronic safeguarding system.
  • Written guidance for staff on the classification of emails, i.e. there was no labelling or system to indication that an email contained sensitive information.
  • Procedures or guidance relating to when it is appropriate in the school day to open emails generated by the electronic safeguarding system.
  • Procedures or guidance in relation to the safe operating of electronic whiteboards,  especially when screen sharing.

There were several steps taken and further action recommended which all schools should take into consideration when using these kinds of systems and when handling special category data in a busy school environment:

  • The governor responsible for the strategic management of data protection reviewed current practices and made recommendations. Many schools we speak to do not have this type of governor in place.  Consider reviewing our Governance Best Practice Library.  This article discusses the governor responsibilities in more detail: Cyber responsibilities for Governors/Trustees in schools
  • Formal guidance was given to staff about how data breaches should be reported. This is something usually discussed with our customers during our consultations.  All staff should know how to recognise a data breach and the procedures for reporting one.  Consider reviewing our full How to avoid a data breach training course, or invite staff to view our 5-10 minute Data Breach Learning Nugget.
  • Staff have been instructed that all alerts sent by the electronic safeguarding system should be read at specific times of the day and never when children are present or in the vicinity of the classroom. 
  • All staff have been instructed to use data classification such as SENSITIVE/HIGHLY SENSITIVE in the subject line of an email. Such emails should only be read before and after the school day. Review our Information Classification Best Practice Library in line with your email policy.
  • Governors are to be alerted to an incident as soon as it is reported to the Head.  Our Knowledge Bank allows schools to add governors and trustees as users, so they can get an overview of data breaches: 
  • Cases of a complex and sensitive nature on the electronic safeguarding system can only be accessed by the Headteacher, Deputy Headteacher and Parental and Pastoral Officer and shared with relevant members of staff on a need-to-know basis at scheduled meetings. Consider access control procedures, review our Information and Cyber Security Best Practice Library.
  • All staff and governors are to receive data protection refresher training.  We provide a 20-minute GDPR Refresh Course which can be assigned to both staff and governors by an administrator: 
  • All staff are to be issued with the school's data protection policy and to be familiar with its content.
  • The data protection policy has been reviewed.  The updated policy instructs staff how to report a breach, what constitutes a breach, and who to report it to and what happens once this has been done. Review our template policies:  document Model Data Protection Policy(208 KB)  and  document Data Breach Procedure(5.18 MB) .
  • All staff to sign an electronic document to confirm they have read and understood the data protection policy.  The DPE Knowledge Bank has a Compliance Manager tool that allows documents to be uploaded and assigned to staff to be read and signed within a set time period: 


The further actions recommended were:

  • Refresher training on the operation of electronic whiteboards for relevant employees with the emphasis on security and the relevant steps for employees to take to avoid a personal data breach when operating an electronic whiteboard.  Often the reseller or the manufacturer will offer free training or training videos about how to operating the equipment.
  • Ensure there is sufficient written guidance on the use of the electronic safeguarding system.
  • Consideration of refresher data protection training for all members of staff.  Both members of staff had failed to report the breach. Staff should understand the consequences of failing to report a breach, as mitigating action can lessen the effects of a personal data breach. Review our Data Breach Learning Nugget and Recognise a personal data breach drip feed poster.
  • Adequate technical and organisational measures should be in place to ensure the security and confidentiality of emails sent internally which include personal data, particularly when these contain sensitive and special category. Review Information and Cyber Security Best Practice Library.
  • The policies and procedures should have prominent, sufficient and adequate practical guidance for employees, including regular reviews and work to increase staff awareness.
  • All new processes should be tested.


The key points to take from the recommendations are that you should always be aware of where you are and who might see what you're working on.  Data classification and access controls are vital.  Special category requires extra security.

Consider all the advice above with what other safeguarding and special category data that you may have displayed around your school?  Consider using our Making the Rounds tool to do your own data walk or get in touch with your Data Protection Education School Consultant to do the walk with your or have a follow-up feedback meeting.

Use our  pdf DPE Quick Reference Guide(1.64 MB)  for practical advice on what can be displayed around schools.

The full reprimand can be read here: https://ico.org.uk/action-weve-taken/enforcement/parkside-community-primary-school/


Using WhatsApp in Schools

This article is about the use of WhatsApp as a communication tool in schools and recent vulnerabilities. It discusses school staff using WhatsApp as a communication method for school business.

We are sometimes asked by staff whether it is OK for staff to be in a WhatsApp group for important school messages. Staff often wish to use it because it is an easy way to communicate and a platform that a lot of people are familiar with.  It is also free. There are issues around this:

  • Non staff members can easily be added
  • All personal mobile numbers can be seen by everyone in the group
  • Someone needs to take responsibility for removing staff from the group that have left school
  • There is no user access control
  • Use of personal devices for school business

The ICO called for a review into the use of private email and messaging apps within government as there is a lack of controls: https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2022/07/behind-the-screens-ico-calls-for-review-into-use-of-private-email-and-messaging-apps-within-government/

WhatsApp says is should not be used for business; it is against their terms and conditions. Although WhatsApp have a business app, this is for businesses to link with their customers (ie the public), not designed for private chat within an organisation: https://support.safeguardinginschools.co.uk/article/36-why-schools-shouldnt-use-whatsapp

This article highlights the lack of user management that can create security issues: https://www.beekeeper.io/blog/why-you-shouldnt-use-whatsapp-for-business-communication/

WhatsApp has previously been fined for data breaches: https://www.fieldfisher.com/en/insights/privacy-notices-post-whatsapp

More recently there has been a warning from Action Fraud about a takeover scam of Whatsapp accounts : https://www.actionfraud.police.uk/alert/warning-issued-to-whatsapp-users-over-account-takeover-scam

Our advice would be to always try to minimise any risk, so consider the following:

  • Systems owned by an organisation would have the relevant security measures in place to protect against hackers and cyber attacks. See our best practice area: Information & Cyber Security.
  • An organisation would have the appropriate user controls measures in place for accessing the data appropriate to a person's role in the organisation. See our Info/Cyber Security Checklist.
  • An organisation would have a backup of any data.
  • An organisation is required to have access to all data in the event of a Subject Access Request. This is much simpler when all business communication is either in the organisation's cloud or devices.  See our best practice area: Subject Access Requests.
  • Organisational systems are monitored and so any inappropriate use can be checked and controlled.
  • WhatsApp may not be the best tool for more formal communication of for conveying official school policies or announcements and could lead to confusion or miscommunication.
  • There is a risk of an individual's private information or confidential data being on everyone's personal device that are in the group - an organisation has control over it's own devices.

Internet Matters offers a WhatsApp social media guide.

Information about whether WhatsApp is safe for children is covered by the NSPCC: Is WhatsApp safe for my child?

If you have been a victim of fraud or cyber crime, report it to Action Fraud or 0300 123 2040, and possibly your DPO, depending on the cyber crime.

 

 

Search