All you need to know about data breaches

by | Apr 23, 2025 | Uncategorized

All you need to know about data breaches

All you need to know about data breaches…

The ICO states that “a personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. It also means that a breach is more than just about losing personal data.” 

In other words when an unauthorised person accesses someone’s personal data or when the data is not available.
 
The school must put in processes to protect data and, as a member of staff, you must follow policies.
So what constitutes a data breach?
 
An unauthorised person accessing the data: 
Would include a pupil or unauthorised member of staff accessing a staff laptop or data being lost or stolen. This includes mobile devices provided by the school.
Deliberate or accidental action (or inaction) by the school or one of the processors: 
Includes sending old PCs, laptops or even filing cabinets to be destroyed or throwing USBs or files into the rubbish without removing the data held within the.
Sending personal data to the wrong person:
Includes handing completed data collection sheets to the wrong pupils and emailing personal data to the wrong person. 
A data breach can also occur if you don’t use the Bcc field when emailing multiple people.
Alteration of personal data without permission 
Includes someone accessing the school’s payroll system and changing staff pay grades.
What should you do if the school suffers a data breach?
The school must keep a record of all the data breaches it experiences and, in some cases, report them to the ICO and the data subjects.
If a breach needs reporting to the ICO, the school must do this within 72 hours of discovering the breach. 
If you experience a personal data breach you need to consider whether this poses a risk to people. You need to consider the likelihood and severity of the risk to people’s rights and freedoms, following the breach. When you’ve made this assessment, if it’s likely there will be a risk then you must notify the ICO; if it’s unlikely then you don’t have to report. You do not need to report every breach to the ICO.
The decision as to whether to report is usually made by the DPO.
In some cases is good practise to inform data subjects of the breach.
It is critical that you understand and follow the school’s reporting process as soon as possible if you discover a breach so that the necessary steps can be taken to protect the data subjects and their data. 
If you are unsure of whether a breach has occurred don’t be afraid to inform the relevant person. It is always better to be safe than sorry!
Protecting yourself from data breaches:
A majority data breaches are caused by human error and not by a person in a hoodie trying to break into your network.
Here are some ways to stop the likelihood of a breach.
  • Understand what data you hold and where it is makes it easier to protect it and if it is breached. You should create a Record of Processing Activities (ROPA) to list the various processes
  • Do not email personal information from school to your home email address
  • Understand the school’s bring your own device (BYOD) policy and what you can access using your own phone or device
  • Logout of electronic devices when not in use. This includes anytime you leave the classroom or at break times
  • Delete emails that you no longer need and follow the school’s email retention policy 
  • Ensure that emails go to the right person. Only copy emails to people who really need to see them 
  • Avoid unnecessary duplication of personal data; this includes saving data into spreadsheets, printing data out or saving it onto USBs
  • Make sure all personal data is destroyed securely. This means shredding rather than just throwing in the bin
  • Only disclose personal information to people you are sure has the right to see it. This includes the police.
For any assistance or advice contact us info@dpoforeducation.co.uk or call 01702 660234
Sharing Personal Data with the Police

Sharing Personal Data with the Police

One of the most common questions we get asked concerns sharing data with law enforcement offices. The UK GDPR does not prevent you sharing personal data with such bodies such as the police (known under data protection law as “competent authorities”) who are...

Core Principles of Data Protection

Core Principles of Data Protection

And the rights of individuals  Core Principles of Data Protection  Data must be processed lawfully, fairly and in a transparent manner Data must be collected for specified, explicit and legitimate purposesThe data collected must be adequate, relevant and limited to...

New Data Retention Guidance

New Data Retention Guidance

This is a subtitle for your new post The UK government recently issued updated guidance on record keeping for academies and trusts to assist them with their record keeping obligations.  Click here to be taken to the Government site....