Breach Management

This is a summary taken from Judicium’s GDPR ‘Sofa Session’ from the 14th of December, with our Data Protection Consultant Emily Grafikowski.

This session was centred around what is a breach; assessing risk and reporting breaches; how to avoid and mitigate breaches; and best practice advice.

What is a breach?

A breach is a breakdown of the security of personal information which can lead to:

• Loss of data - e.g., losing a memory stick containing personal data
• Destruction of data – e.g., accidentally or intentionally deleting records containing personal information
• Alteration of data – e.g., changing personal information without permission (whether intentionally or not)
• Unauthorised disclosure of data – e.g., accidentally sending personal information to the wrong recipient

But what exactly is personal data? Personal data is any form of data that could be used to identify a person. For example, an email address or identification number.

There is also special category data, which is any form of personal data that needs more protection due to its sensitivity such as health data.

Live Session Polls

         

 

Why Does a Breach Matter and Why Do Schools Need To Be Concerned? 

In short yes, data breaches really do matter! Schools process a huge amount of data that may belong to pupils, staff, parents/carers, governors, etc. therefore there is a high risk of breaches occurring.

Schools process a lot of sensitive data such as health and SEN data.

Ensuring that your school is complying with the law and handling data breaches appropriately is important for several reasons including:

1. Bad publicity
   • Have you heard of the NHS malware attack or the Cambridge Analytica/Facebook scandal
2. ICO enforcement and fines
3. Legal claims
   • Individuals can claim compensation if their information has been handled or used inappropriately
4. Loss of trust and reputation with stakeholders
   • Data breaches in particular cause concern amongst parents, carers, employees and staff

When a data breach occurs, as a school you have a legal obligation to:

1. Notify the Information Commissioner’s Office (ICO) when a breach is likely to result in a risk to the rights and freedoms of individuals
2. Notify affected individuals without undue delay where the breach is likely to result in a high risk

As a school, you are also required to have a data breach log in place.

This log should detail:

1. The date of the breach
2. Nature of the breach
3. Data and individuals affected
4. Effects of the breach
5. Action taken
6. Status.

Remember, you do not need to make decisions regarding data breaches alone. Your DPO can assist you to determine whether a data breach has occurred. If on has taken place, they’ll help you to consider what steps can be taken to mitigate the risk. Your DPO will also assess the risk of harm and decide whether the breach needs to be reported to the ICO.

How Do We Assess the Risk of a Data Breach?

What is constituted as a risk?

A risk is something, if unaddressed, is likely to have a significant negative impact on an individual.

When a breach happens, there can be a wide variety of effects on the individual(s) whose data has been compromised. Some data breaches do not pose a risk and are little more than an inconvenience to those whose data is affected.

Other breaches may cause negative consequences such as:

• discrimination
• financial loss
• loss of confidentiality
• identity theft
• damage to reputation

A data breach should always be assessed on a case-by-case basis. Whilst a breach such as disclosure of data to an incorrect person may at first appear minor and common, upon further investigation, there may be influences and factors that mean that the risk involved is more serious than first assumed.

Risk can be determined by two factors: likelihood and severity.

1. Likelihood – e.g., the likelihood that the risk will happen, and
2. Severity – e.g., should the risk happen, the seriousness of the consequences

Always look at the ‘full picture’ when making an assessment.

Some helpful questions to ask may be:

• How many data subjects have been affected?
• Who are the data subjects?
• Are they particularly vulnerable?
• What are the potential consequences of this breach?
• What is the likelihood of harm resulting from this breach?

What Involvement Does the ICO Have?

The ICO are the regulator for compliance. They make rulings and can issue enforcement notices and fines up to £17 million. As mentioned above, where a breach is likely to result in a risk to the rights and freedoms of individuals, it is a legal requirement to report it to the ICO.

However, not all data breaches need to be reported - it must meet the threshold.

Your DPO will be able to assist in completing the ICO data breach report.

NB: The report should be done within the 72-hour time frame from becoming aware that the breach occurred.

Following the report, the ICO may have questions for the school. For example, they may want to know what measures the school had in place to prevent the data breach. They also may require further details on the breach itself to reach their decision. Your DPO can liaise with the ICO on your behalf.

Generally, we see the ICO seeks to promote best practice and mediate matters.

They provide guidance and it is important for schools and MATs to take their advice on board.

Examples of fines made by the ICO include:

• The University of Greenwich - fined £120,000 following a security breach
• A former deputy head in a school in Greater London received a personal fine of £700 (plus £364.08 costs and a £35 victim surcharge) for obtaining and uploading personal data of pupils from two previous schools on to the new school server

What Can Be Done to Avoid or Mitigate Breaches?

• Training - Data protection training for all staff.
  • Official data protection training should be carried out annually with all members of staff.
  • This may be in the form of face-to-face training and/or online training.
  • Judicium offer eLearning packages for data protection training for all staff in school and Governor specific modules. For more information please visit: https://www.judiciumeducation.co.uk/elearning

• Annual data protection audits with your DPO – During an audit, your DPO will advise and provide guidance on best practice and ensure that you are complying with data protection legislation.
  • Working with your DPO will help to greatly reduce the likelihood of a data breach taking place.
    
    
• Staff reminders - Reminding staff of the basics
  • For example, locking your computer when stepping away from your desk and locking paper documents away as little things can make all the difference!
    
    
• Correct handling of data requests - We’re talking about subject access requests (SARs) and freedom of information requests (FOIs)
  • Ensuring that staff can handle data requests appropriately and in line with data legislation will help to prevent a data breach.
  • Redaction may be necessary to protect third party data.

Cyber-Attacks and Protecting Your School/Trust

Unfortunately, there has been a huge increase in cyber-attacks recently with a number of schools falling victim to an attack of some sort.

There are two primary types of attacks: malware, phishing. During an attack, personal data is often lost, accessed, or stolen.

This is where your DPO steps in as it often constitutes a data breach that requires reporting to the ICO.

In the event of a cyber-attack, the first step as with any breach, is to contact your DPO who will assist with minimising the risk to data subjects. Where necessary, your DPO can assist you in reporting the breach to the ICO.

At Judicium we are finding that the ICO is investigating these breaches in more detail. Therefore, it is important that you are able to present evidence of your compliance.

NB: Your DPO can liaise with the ICO on behalf of the school. This can be in relation to any data related matter, not just data breaches!

Best Practice Advice:

1. Keep a data breach log – ALL data breaches should be recorded on a data breach log.
2. Establish a clear point of contact within the school – We strongly recommend having a clear point of contact within the school to ensure that staff know who to refer to with any data matters including data breaches. Make it easy for staff to raise any concerns!
   
3. Create a positive culture within school where staff are not worried about raising any concerns or potential data breaches.
   
4. Data breach policy – Does your school have a data breach policy in place? Does it detail the school’s DPO and internal data protection point of contact?
   
5. Don’t sit on a concern – take action and speak to your DPO!

Helpful Information:  

Judicium also offer a range of GDPR e-learning  training designed for schools. You can see current course availability here.

If you’d like to review Judicium’s forthcoming Sofa Sessions please click here

Follow us on Twitter: @DPOforSchools and @JudiciumEDU

© This content is the exclusive property of Judicium Education. The works are intended to provide an overview of the sofa session you attend and/or to be a learning aid to assist you and your school. However, any redistribution or reproduction of part or all of the contents in any form is prohibited. You may not, except with our express written permission, distribute or exploit the content. Failure to follow this guidance may result in Judicium either preventing you with access to our sessions and/or follow up content.