Date updated: Tuesday 25th February 2020

As the use of technology evolves, the risk of a cyber-incident occurring increases. Under the General Data Protection Regulation (“GDPR”), personal data must be processed securely, and the school, as data controller, is responsible for ensuring that this requirement is met.

It is therefore important that schools are alive to the threats and how to protect against them. In this article, we will explore the steps a school should take in response to a cyber-incident.

Consider the following scenario:

It is the Spring half term and the Head of IT at Orange and Lemon School notices that they can no longer access the school’s systems. It transpires all data has been lost and the Chair of Governors at the school receives an email demanding payment for release of access to all the systems. The school is a registered charity.

What steps should the school take in response?

  1. Follow relevant policies and procedures. Cyber-incidents can be prevented through the implementation of written policies and data breach management procedures. The school should ensure procedures are in place identifying a dedicated team with specific roles to play in responding to any crisis and outlining what should be prioritised and actions to take when an incident occurs.
  2. Investigate. It is essential to investigate and document what has happened, how the incident occurred, what data has been compromised and how/if it can be recovered. This is a very important early step to take and clearly documenting any personal data breach is a GDPR requirement.
  3. Put in place appropriate technical measures. This may include access permissions to ensure that personal information about individuals (such as pupils) can only be accessed by a limited number of staff. The more sensitive the personal data, the stronger the measures required to keep it secure.
  4. Test, assess and evaluate. Schools should put in place processes to test, assess and evaluate the security measures in place to ensure they are effective and robust. ‘Stress tests’ will reveal areas of potential risk and areas for improvement.
  5. Train staff. All staff should receive data protection training that is practical and relevant to their roles. For example, staff should know how to recognise 'phishing' emails and how to share documents securely, so that they are prepared for possible attacks and know how to respond. Training should be regularly refreshed.

What are the school’s reporting obligations?

  1. If the cyber-incident results in a personal data breach which poses a risk to individuals, then this should be reported to the ICO within 72 hours of becoming aware of the breach. If a breach is reported, the ICO will take into account the measures taken to address the breach. Taking the steps outlined above is important: not only will it help to mitigate the consequences of a breach and the harm caused, but it may also reduce the risk of enforcement action being taken by the ICO.
  2. If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, you must also inform those individuals affected without undue delay. This will need to be considered on a case-by-case basis.
  3. If your school is a registered charity you should consider whether to make a serious incident report to the Charity Commission. If the school considers the breach will cause significant harm to those involved in the charity or to charity representation, then full, frank and prompt disclosure should be made. The Charity Commission will also want to know how you are dealing with the breach; taking the above steps and preventative action will be important.
  4. Consider whether any other external agencies should be informed. For example, the police or the relevant fraud office/authority if there is evidence of fraud.