All you need to know about data breaches

The ICO states that “a personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. It also means that a breach is more than just about losing personal data.” 

In other words, a breach occurs when an unauthorised person accesses someone’s personal data, or when the data is no longer available.

The school must put processes in place to protect data and, as a member of staff, you must follow its policies.
So what constitutes a data breach?

An unauthorised person accessing the data:
This would include a pupil or an unauthorised member of staff accessing a staff laptop, or data being lost or stolen. This includes mobile devices provided by the school.
Deliberate or accidental action (or inaction) by the school or one of its processors:
Includes sending old PCs, laptops or even filing cabinets to be destroyed, or throwing USB sticks or files into the rubbish, without first removing the data held within them.
Sending personal data to the wrong person:
Includes handing completed data collection sheets to the wrong pupils and emailing personal data to the wrong person.
A data breach can also occur if you don’t use the Bcc field when emailing multiple people, as every recipient then sees everyone else’s email address.
Alteration of personal data without permission:
Includes someone accessing the school’s payroll system and changing staff pay grades.
What should you do if the school suffers a data breach?
The school must keep a record of all the data breaches it experiences and, in some cases, report them to the ICO and the data subjects.
If a breach needs reporting to the ICO, the school must do this within 72 hours of discovering the breach. 
If you experience a personal data breach you need to consider whether this poses a risk to people. You need to consider the likelihood and severity of the risk to people’s rights and freedoms, following the breach. When you’ve made this assessment, if it’s likely there will be a risk then you must notify the ICO; if it’s unlikely then you don’t have to report. You do not need to report every breach to the ICO.
The decision as to whether to report is usually made by the DPO.
In some cases it is good practice to inform the data subjects of the breach.
It is critical that you understand and follow the school’s reporting process as soon as possible if you discover a breach so that the necessary steps can be taken to protect the data subjects and their data. 
If you are unsure of whether a breach has occurred don’t be afraid to inform the relevant person. It is always better to be safe than sorry!
Protecting yourself from data breaches:
The majority of data breaches are caused by human error, not by a person in a hoodie trying to break into your network.
Here are some ways to reduce the likelihood of a breach.
  • Understanding what data you hold and where it is held makes it easier to protect it, and to respond if it is breached. You should create a Record of Processing Activities (ROPA) to list the various processes
  • Do not email personal information from school to your home email address
  • Understand the school’s bring your own device (BYOD) policy and what you can access using your own phone or device
  • Log out of electronic devices when not in use. This includes any time you leave the classroom and at break times
  • Delete emails that you no longer need and follow the school’s email retention policy 
  • Ensure that emails go to the right person. Only copy emails to people who really need to see them 
  • Avoid unnecessary duplication of personal data; this includes saving data into spreadsheets, printing data out or saving it onto USBs
  • Make sure all personal data is destroyed securely. This means shredding rather than just throwing in the bin
  • Only disclose personal information to people you are sure have the right to see it. This includes the police.
For any assistance or advice contact us info@dpoforeducation.co.uk or call 01702 660234