All you need to know about data breaches


The ICO states that “a personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. It also means that a breach is more than just about losing personal data.” 

In other words, a breach occurs when an unauthorised person accesses someone’s personal data or when the data is not available.
 
The school must put in processes to protect data and, as a member of staff, you must follow policies.
So what constitutes a data breach?
 
An unauthorised person accessing the data: 
Would include a pupil or unauthorised member of staff accessing a staff laptop or data being lost or stolen. This includes mobile devices provided by the school.
Deliberate or accidental action (or inaction) by the school or one of the processors: 
Includes sending old PCs, laptops or even filing cabinets to be destroyed, or throwing USBs or files into the rubbish, without removing the data held within them.
Sending personal data to the wrong person:
Includes handing completed data collection sheets to the wrong pupils and emailing personal data to the wrong person. 
A data breach can also occur if you don’t use the Bcc field when emailing multiple people.
Alteration of personal data without permission:
Includes someone accessing the school’s payroll system and changing staff pay grades.
What should you do if the school suffers a data breach?
The school must keep a record of all the data breaches it experiences and, in some cases, report them to the ICO and the data subjects.
If a breach needs reporting to the ICO, the school must do this within 72 hours of discovering the breach. 
If you experience a personal data breach you need to consider whether this poses a risk to people. You need to consider the likelihood and severity of the risk to people’s rights and freedoms, following the breach. When you’ve made this assessment, if it’s likely there will be a risk then you must notify the ICO; if it’s unlikely then you don’t have to report. You do not need to report every breach to the ICO.
The decision as to whether to report is usually made by the DPO.
In some cases it is good practice to inform data subjects of the breach.
It is critical that you understand and follow the school’s reporting process as soon as possible if you discover a breach so that the necessary steps can be taken to protect the data subjects and their data. 
If you are unsure of whether a breach has occurred don’t be afraid to inform the relevant person. It is always better to be safe than sorry!
Protecting yourself from data breaches:
The majority of data breaches are caused by human error and not by a person in a hoodie trying to break into your network.
Here are some ways to reduce the likelihood of a breach.
  • Understanding what data you hold and where it is makes it easier to protect, and easier to deal with if it is breached. You should create a Record of Processing Activities (ROPA) to list the various processes
  • Do not email personal information from school to your home email address
  • Understand the school’s bring your own device (BYOD) policy and what you can access using your own phone or device
  • Log out of electronic devices when not in use. This includes any time you leave the classroom or at break times
  • Delete emails that you no longer need and follow the school’s email retention policy 
  • Ensure that emails go to the right person. Only copy emails to people who really need to see them 
  • Avoid unnecessary duplication of personal data; this includes saving data into spreadsheets, printing data out or saving it onto USBs
  • Make sure all personal data is destroyed securely. This means shredding rather than just throwing in the bin
  • Only disclose personal information to people you are sure have the right to see it. This includes the police.
For any assistance or advice, contact us at info@dpoforeducation.co.uk or call 01702 660234