A data breach can lead to your school being sanctioned, or worse, fined by the Information Commissioner's Office (ICO) for not complying with the General Data Protection Regulation's (GDPR) new data-protection requirements.
You should already have policies in place for how to deal with a breach of data protection. These policies will need to be revised to meet the criteria for GDPR.
Watch: How to react to a data breach
What is a data breach?
The ICO defines a data breach as being when "someone other than the data controller gets unauthorised access to personal data".
The organisation adds: "In short, there will be a personal data breach whenever any personal data is lost, destroyed, corrupted or disclosed; if someone accesses the data or passes it on without proper authorisation; or if the data is made unavailable and this unavailability has a significant negative effect on individuals."
This includes sending an email that contains personal data to the wrong person, losing a laptop with personal data on it or leaving a work email account open on a computer that others can access.
For a full list of breaches, see the ICO website.
Identifying and reacting to a breach
A clear data-protection policy should set out what needs to take place in the event of a breach, such as to whom it should be reported and who will pass the information on to the ICO.
But staff also need to be clued up about the issue, as they can be the cause of an accidental data breach themselves. By the end of the staff training process, everyone should be able to identify if there has been a breach. Pleading ignorance is unlikely to cut it with the ICO in the GDPR era.
The new data protection changes should be viewed in the same way that staff approach safeguarding, says Helena Wootton, data protection expert and partner at Browne Jacobson.
“It's crucial to enable staff to identify when there’s been a breach and to not be scared to notify, as I’m sure they’re not with safeguarding, where everyone knows and understands their obligation," Wootton explains.
"If someone’s sent an email with the wrong attachment to the wrong people, you want them to not cover it up, but be honest about it. That will require a no-blame culture."
It is essential that staff don’t think that if the recipient deletes the offending email, the problem is solved.
Likewise, if they are not sure it contains personal data, then they must still ensure that within five minutes “the DPO (data protection officer) knows about it, the DPO has a copy of that email and the DPO is sitting down and looking through it," says Dai Durbridge, education specialist and partner at law firm Browne Jacobson.
“If you equate it to safeguarding, it’s very similar in terms of speed of response and the seriousness with which schools and academies need to take it,” he adds.
When to report a breach
Under GDPR, you have 72 hours in which to notify the ICO once you have discovered a breach; if the breach is considered “high risk”, you will have to notify the affected individuals, too.
A high-risk breach, information commissioner Elizabeth Denham explains, includes "the potential of people suffering significant detrimental effect – for example, discrimination, damage to reputation, financial loss, or any other significant economic or social disadvantage".
Denham has written a blog on data breaches and examples of when to report them.
Wootton explains that you need to decide on the risk of each incident, individually taking into consideration the context: “For example, if we have a phone that is lost on the train, would that constitute a risk to individuals? That depends on your security features, how quickly the phone screen locks down, which measures you need to open the screen, whether it's biometrics and whether your IT team could wipe the phone remotely.”
The ICO says: "You must also keep a record of any personal data breaches, regardless of whether you are required to notify."
This is important because if you, or most specifically your DPO, do not believe that a breach should be reported, you still need to make a record of that breach and be able to justify why you did not report it.
How to report a breach
When reporting a breach to the ICO, you will not only need to explain what has taken place, but also how you will resolve the issue.
“So you state there’s been a breach, explain what happened and what you’re going to do about it, and state you will come back to the ICO in X amount of time," Durbridge explains.
“That’s one of the things where schools need a strong procedure on data breaches, and at the senior leadership team level they need to understand that if there’s been a breach, much like a serious safeguarding incident, they must drop everything and focus on it, because that 72 hours is not a long timeframe at all."
Will my school get fined?
There has been a lot of debate about how the ICO will respond to schools in the event of a breach after 25 May. The ICO enforcement team has added extra staff to get ready for GDPR and there is the potential for up to a €20 million fine.
GDPR has definitely given the ICO sharper teeth, but whether the information commissioner has schools in her sights seems unlikely. It's worth remembering that a school has never been fined under the Data Protection Act, and there are much more likely targets for a big fine than a school.
Denham outlined how the ICO would respond to breaches in practice in a blog last year. In the piece, the information commissioner says fines will be "a last resort" and "we have always preferred the carrot to the stick".
It is likely that if you are working to ensure you comply with GDPR and can show that you are doing so, in the event of a breach, the ICO would recognise this. However, a lot remains to be seen and it is essential that your DPO keeps up to date with the ICO's latest information and shares this with staff if relevant.