Coronvirus has radically reshaped school operations. From split workforces to remote learning, the data protection implications have been significant. Craig Stilwell, Solicitor and Head of Data Services at Judicium Education, advises schools on what to do if there has been a data breach during the lockdown period.  

Schools and governments are working in uncharted waters, so, more than ever, the General Data Protection
Regulation (GDPR) principles of transparency, accountability and security apply. This is especially important when schools are dealing with pupil and parent information, including safeguarding, medical and other sensitive and confidential data.

In the rush to lockdown, many pressing needs took immediate priority. However, as schools reopen, it makes good sense – from a corporate governance perspective – to do some ‘housekeeping’. As in most regulatory arenas, in the event of a significant data breach/complaint, any investigator will look retrospectively.

In other words, during the history of lockdown to phased reopening to full opening, what did the school’s document trail and training records look like?

Home working 

The most common data breaches during lockdown involved human error, for example, sending emails to incorrect recipients, not blind copying individuals, and using personal email addresses (rather than work addresses). This problem may have been compounded when staff used their own phones and laptops when working from home.

Electronic records

Home working should be conducted via cloud-based systems such as OneDrive and Google Drive. Where staff have school laptops and iPads that they are taking home, those devices should have complex passwords to limit the risk should they become lost or accessible to unauthorised individuals. In addition, laptops should be encrypted, as should memory sticks because they are so easy to lose.

Other good practice measures include staff signing acceptable use agreements and implementing twofactor authentication to log on to emails or networks.

Paper records

If paper files are taken off the school site, there should be greater security because it is more difficult to keep that data secure as opposed to data stored on cloud-based systems. There is no set guidance on what paper files can or cannot be taken home, but you may want to ensure that staff only take the paper files that are necessary to complete the required work.

You may also want to limit sensitive data being taken home, such as medical and safeguarding information. Ideally, you should ask staff to sign out files so you have a record of what has gone off-site.

Staff must exercise caution when taking files home, for example, not leaving them in their cars and, where possible, securing them away (for example in a lockable drawer or filing cabinet).

Phishing emails

Unfortunately, we have seen a huge rise in schools (and Judicium) receiving phishing emails. These emails are designed to exploit the increase in home working and those responsible are finding clever ways to try and make an email seem genuine. The following are key things to look out for.

• Beware of emails containing links. We have seen emails claiming to be from individuals asking you to click a link to stop receiving further emails. This should be a red flag because this option would normally only appear from companies whose services/mailing lists you have subscribed to. Clicking links and attachments are the most common sources of malware.
• Check the email address. We have seen examples where the email sender looks genuine, but upon close attention, the address doesn’t match up or contains a small misspelling or letters out of place.
• If the contact is one that you recognise, but you feel uneasy, then it’s often better to phone the contactto double-check prior to clicking on any links.
• Keep antivirus and security software up to date. Don’t delay any updates.
• Never give out personal information. Sometimes the link may take you to a page to input further data, so before inputting details, make sure the link is genuine.

Video conferencing

During the pandemic, there was a significant increase in schools using video conferencing to conduct senior leadership team meetings and communicate with students. Schools must keep uppermost any safeguarding and confidentiality concerns.

A Data Protection Impact Assessment (DPIA) should be completed prior to implementing any new software/ e-technologies that change the way you process data. In these unprecedented times, it has been necessary for schools to rush out certain platforms, so all DPIAs should be completed as soon as possible. Alternatively, consider conducting a DPIA as a ‘review’ of how the video platform is working and if there are any security concerns.

Policies and training 

Policies and training should be in place and up to date. The school should have policies relevant to new circumstances, for example home working and using your own personal device. Staff should be aware of these policies and be regularly reminded to read them.

Now that schools are returning, this is also a good opportunity to refresh data protection training for all staff.
Any training conducted pre-virus needs to be updated.

You should review privacy notices. Ideally, these should be split amongst different categories, i.e. learners, parents and visitors. You should also add any updatessince reopening, for example if you record medical data.

Policies and training Subject access requests, complaints and the Information Commissioner's Office

The Information Commissioner’s Office (ICO) has acknowledged that closing/partially opening schools may lead to obstacles when completing subject access requests on time. However, this isn’t a blanket dispensation, and each time extension should be considered on a ‘case-by-case’ basis. That said, the ICO is continuing to respond to, and investigate, any parental or employee complaints in the usual way and within normal time frames.

"Schools and governments are working in uncharted waters, so, more than ever, the General Data Protection Regulation (GDPR) principles of transparency, accountability and security apply."

Read more about Judicium education - www.judiciumeducation.co.uk.

Visit the ISBL website - https://isbl.org.uk