All you need to know about data breaches

by | Apr 23, 2025 | Uncategorized

All you need to know about data breaches

All you need to know about data breaches…

The ICO states that “a personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. It also means that a breach is more than just about losing personal data.” 

In other words when an unauthorised person accesses someone’s personal data or when the data is not available.
 
The school must put in processes to protect data and, as a member of staff, you must follow policies.
So what constitutes a data breach?
 
An unauthorised person accessing the data: 
Would include a pupil or unauthorised member of staff accessing a staff laptop or data being lost or stolen. This includes mobile devices provided by the school.
Deliberate or accidental action (or inaction) by the school or one of the processors: 
Includes sending old PCs, laptops or even filing cabinets to be destroyed or throwing USBs or files into the rubbish without removing the data held within the.
Sending personal data to the wrong person:
Includes handing completed data collection sheets to the wrong pupils and emailing personal data to the wrong person. 
A data breach can also occur if you don’t use the Bcc field when emailing multiple people.
Alteration of personal data without permission 
Includes someone accessing the school’s payroll system and changing staff pay grades.
What should you do if the school suffers a data breach?
The school must keep a record of all the data breaches it experiences and, in some cases, report them to the ICO and the data subjects.
If a breach needs reporting to the ICO, the school must do this within 72 hours of discovering the breach. 
If you experience a personal data breach you need to consider whether this poses a risk to people. You need to consider the likelihood and severity of the risk to people’s rights and freedoms, following the breach. When you’ve made this assessment, if it’s likely there will be a risk then you must notify the ICO; if it’s unlikely then you don’t have to report. You do not need to report every breach to the ICO.
The decision as to whether to report is usually made by the DPO.
In some cases is good practise to inform data subjects of the breach.
It is critical that you understand and follow the school’s reporting process as soon as possible if you discover a breach so that the necessary steps can be taken to protect the data subjects and their data. 
If you are unsure of whether a breach has occurred don’t be afraid to inform the relevant person. It is always better to be safe than sorry!
Protecting yourself from data breaches:
A majority data breaches are caused by human error and not by a person in a hoodie trying to break into your network.
Here are some ways to stop the likelihood of a breach.
  • Understand what data you hold and where it is makes it easier to protect it and if it is breached. You should create a Record of Processing Activities (ROPA) to list the various processes
  • Do not email personal information from school to your home email address
  • Understand the school’s bring your own device (BYOD) policy and what you can access using your own phone or device
  • Logout of electronic devices when not in use. This includes anytime you leave the classroom or at break times
  • Delete emails that you no longer need and follow the school’s email retention policy 
  • Ensure that emails go to the right person. Only copy emails to people who really need to see them 
  • Avoid unnecessary duplication of personal data; this includes saving data into spreadsheets, printing data out or saving it onto USBs
  • Make sure all personal data is destroyed securely. This means shredding rather than just throwing in the bin
  • Only disclose personal information to people you are sure has the right to see it. This includes the police.
For any assistance or advice contact us info@dpoforeducation.co.uk or call 01702 660234
Electronic vs. Paper copies

Electronic vs. Paper copies

Should you keep both electronic and paper records of some important data? In light of the ever increasing number of cyber attacks on the education sector, and the advice given by the NCSC,  we at DPO For Education continue to advise our clients to keep both electronic...

Appointing a Data Protection Officer

Appointing a Data Protection Officer

A simple guide to understand the role of a DPO in schools and who is and who is not suitable for the role. Whatever the size and setting of your school, the GDPR (General Data Protection Regulation) places high expectations on you to protect the personal data in your...

GDPR DOs & DONT’S Infographic

GDPR DOs & DONT’S Infographic

Training and Awareness is a way to inform your staff that data protection is everyone’s responsibility and that small steps to protect data can make a big difference. Print this poster to display in the staff room and offices. Poster: GDPR - Data Protection Dos and...