- Tammy Buchanan
- Best Practice Updates
The time following a cyber attack can be very stressful, and in the heat of the moment it can be difficult to know what the best thing to do between working out what went wrong, how to recover and what went missing, it can be hard to know where to start first.
We provide some help and guidance in our Information and Cyber Security Best Practice Area, which also includes the checklist:
document
What to do immediately after a Cyber Attack(58 KB)
.
The DfE recently published an update to the Keeping Children Safe in Education Document 2025. The document has a strong emphasis on making sure everyone is aware of the online dangers of using the internet and makes recommendations about how schools and colleges should put processes in place to keep children safe online.
A reprimand has been issued by the ICO to Parkside Community Primary School in relation to the infringements of Article 5 (1)(f), Article 24 (1) and Article 32 of the UK GDPR. This article discusses the reprimand and looks and what schools can do to avoid this type of breach.
Some of the information in the reprimand document is redacted, but the main details are:
The breach is in relation to the UK GDPRs security principle, meaning that the school failed to prevent unlawful disclosure of personal data.
The school also failed to implement appropriate technical and organisational measures to ensure personal data is kept secure under Article 32 of the UK GDPR.
The findings were that the school did not have:
There were several steps taken and further action recommended which all schools should take into consideration when using these kinds of systems and when handling special category data in a busy school environment:
The further actions recommended were:
The key points to take from the recommendations are that you should always be aware of where you are and who might see what you're working on. Data classification and access controls are vital. Special category requires extra security.
Consider all the advice above with what other safeguarding and special category data that you may have displayed around your school? Consider using our Making the Rounds tool to do your own data walk or get in touch with your Data Protection Education School Consultant to do the walk with your or have a follow-up feedback meeting.
Use our
pdf
DPE Quick Reference Guide(1.64 MB)
for practical advice on what can be displayed around schools.
The full reprimand can be read here: https://ico.org.uk/action-weve-taken/enforcement/parkside-community-primary-school/
We've updated our document redaction guidelines to include more information on the techniques available as well as exemptions.
https://dataprotection.education/best-practice-library/best-practice/redaction
This article is about the use of WhatsApp as a communication tool in schools and recent vulnerabilities. It discusses school staff using WhatsApp as a communication method for school business.
We are sometimes asked by staff whether it is OK for staff to be in a WhatsApp group for important school messages. Staff often wish to use it because it is an easy way to communicate and a platform that a lot of people are familiar with. It is also free. There are issues around this:
The ICO called for a review into the use of private email and messaging apps within government as there is a lack of controls: https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2022/07/behind-the-screens-ico-calls-for-review-into-use-of-private-email-and-messaging-apps-within-government/
WhatsApp says is should not be used for business; it is against their terms and conditions. Although WhatsApp have a business app, this is for businesses to link with their customers (ie the public), not designed for private chat within an organisation: https://support.safeguardinginschools.co.uk/article/36-why-schools-shouldnt-use-whatsapp
This article highlights the lack of user management that can create security issues: https://www.beekeeper.io/blog/why-you-shouldnt-use-whatsapp-for-business-communication/
WhatsApp has previously been fined for data breaches: https://www.fieldfisher.com/en/insights/privacy-notices-post-whatsapp
More recently there has been a warning from Action Fraud about a takeover scam of Whatsapp accounts : https://www.actionfraud.police.uk/alert/warning-issued-to-whatsapp-users-over-account-takeover-scam
Our advice would be to always try to minimise any risk, so consider the following:
Internet Matters offers a WhatsApp social media guide.
Information about whether WhatsApp is safe for children is covered by the NSPCC: Is WhatsApp safe for my child?
If you have been a victim of fraud or cyber crime, report it to Action Fraud or 0300 123 2040, and possibly your DPO, depending on the cyber crime.
©2026 Data Protection Education Ltd.