Cyber security and data breaches
The BBC recently reported that 14 schools had been hacked with confidential information about pupils, staff and parents being leaked onto the dark web.
Files with names such as ‘contracts’ with staff pay scale and contract details, ‘passports’ with scans of pupil passports and ‘SEN information’ were among the first targeted by the cyber attackers.
Such a breach of security triggers notification to the Information Commissioner’s Office (ICO). Data controllers are required to notify the ICO without undue delay and within 72 hours of becoming aware of the data breach.
Controllers may also need to inform the data subjects (although there are some exemptions). In the reported cases, staff and pupils were informed and support was offered.
Implications for safeguarding
From a safeguarding perspective, para 144 of KCSIE 2022 states that schools are responsible for ensuring that the appropriate level of security protection procedures are in place to safeguard systems, staff and learners. The effectiveness of these procedures should be reviewed periodically.
These incidents come as a timely reminder to schools to update internal breach notification procedures, including incident identification systems and incident response plans.
Check your school’s insurance policy to ensure data breaches are covered and keep the internal breach register up to date.
Further information and support
Links to additional guidance on cyber security, including for governors and trustees, are also cited in KCSIE. (NEN and Cyber security training for school staff — NCSC.GOV.UK)
We offer a range of expert support, guidance and training for staff at all levels to mitigate and handle data breaches effectively and compliantly.
Find out more about data protection and information security for schools
Related expertise
You may be interested in...
Legal Update - Be Connected (schools)
Be Connected: Schools and academy trusts November 2024
On-Demand
Shaping a culture of respect and safety: Preventing sexual harassment in our schools
Legal Update
Funding withdrawn for trusts and academy conversions
Legal Update
Top five takeaways for schools on the Employment Rights Bill
Legal Update
Martyn's Law: A closer look at the UK's new proposed anti-terror measures
Legal Update
A new digital era: Coimisiún na Meán publishes Online Safety Code
Legal Update
New High Court case on exclusion reconsiderations
Legal Update
e-Evidence Package: Increased obligations on service providers to cooperate with data requests from law enforcement authorities
Legal Update
Building an inclusive workplace: strategies for attracting and retaining disabled talent
Legal Update
New practical guidance on challenging Ofsted inspections
Legal Update
What will the new RISE Scheme mean for schools and academy trusts?
On-Demand
How schools can grapple with new employment law to thrive in a new era
Legal Update
Five steps to turn the tide on Subject Access Requests
Guide
New guidance for intervention in schools
Legal Update
Silence persists on gender questioning guidance for schools
Online Event
EdCon 2025
Legal Update
After a pause, Buy Now Pay Later (BNPL) regulation becomes one step closer
Press Release
Browne Jacobson comments on the government's announcement of tuition fee rises
Podcast - #EdInfluence
#EdInfluence podcast (series 4): In conversation with inspiring leaders
Legal Update
The EU Cyber Resilience Act (CRA)
Published Article - DORA
Digital Operational Resilience Act: Key considerations ahead of the 17 January 2025 compliance deadline
Online Event
Upcoming Autumn events for schools and academy trusts
Legal Update
Updates to the UK’s Arbitration Bill
Legal Update
Ozempic: The rising costs and coverage issues of weight loss medication
Legal Update - Employment Rights Bill
What does the Employment Rights Bill mean for employment practices liability insurance?
Legal Update
ICAEW: Changes to PII requirements
Legal Update
Contractor insolvency: Peabody Trust v NHBC
Legal Update - Be Connected (higher education)
Be Connected: Higher education Autumn 2024
Legal Update
Insurability by design: Increased transparency for vehicle manufacturers and insurers
Legal Update
Supreme Court clarifies public authority liability: Police duty of care in negligence cases
Legal Update - Employment Rights Bill
Labour’s employment law reforms: Employment Rights Bill unveiled
Legal Update
Expanding the role of school attendance mentors
Legal Update
Working together to support student wellbeing
Legal Update
By a narrow 2 to 1 majority, the Court of Appeal finds in favour of insurers in the construction of an exclusion clause in a W&I policy
Online Event
Managing safeguarding allegations against staff
Legal Update - Procurement Act
Procurement Act delay: What’s the impact for higher education institutions?
Legal Update
Organisational approaches to ESG and sustainability matters
Legal Update
Romance fraud, online scams and cyber fraud: How banks are now protecting your money
Legal Update
Ten practical tips for universities handling judicial review cases
