It is hard to go for more than a few days or weeks without reports of a data security incident of some kind in the news. Unfortunately the breadth and sophistication of targeted cyber attacks mean that schools can often be in the crosshairs of malicious actors seeking vulnerabilities in systems – particularly given that schools inevitably hold large amounts of personal data, some of which will be sensitive (for example health or safeguarding information). The NCSC has recently reported that it is dealing with an increasing number of ransomware attacks on the education sector which have led, for example, to the loss of student coursework and school financial records, as well as data relating to COVID-19 testing.
Although schools will inevitably have a long compliance ‘to do’ list at the moment, not least with all things Covid-related, ongoing data security training remains a necessity and accordingly it is encouraging to see some recent free resources from the government’s National Cyber Security Centre (NCSC) aimed at equipping schools specifically to build their resilience against cyber attacks. As the NCSC notes: “A cyber security incident can affect the school’s ability to function, the security of its data and its reputation.”
These resources include a training package (available either for group delivery or via a self-learn video) to raise awareness and help school staff manage some of the key cyber threats facing schools. Although not directed at the independent school sector specifically, this training is aimed to be relevant to all schools – and indeed it includes the specific example of the school fees phishing scam that has affected so many in the independent sector.
It is always important to remember that data security is a responsibility of all staff. It is in that context that the NCSC rightly highlights the importance of the issue being regularly addressed at board level – and accordingly has provided some valuable resources for governors and school leaders, including key questions to ask in order to seek out information, raise awareness and improve preparedness in case of an incident. These questions include: Does the school have a proper backup and restoration plan in place? Has the school identified the most critical parts of the school’s digital estate and sought assurance about its security? And if the school temporarily lost access to its data and/or internet connection, would the school still be able to operate?
As another of the key questions suggests, it is crucial for schools to have up-to-date records of the different organisations that provide their IT services. A data breach at an IT supplier (eg a cloud storage or other software provider) can directly affect the school and its information security. We saw this in practice last summer when the Blackbaud data security incident affected many charities, schools among them. It is important that schools, as data controllers, ensure they have robust and up-to-date contracts with their data processors that include the provisions required under the UK GDPR, for example around data security and breach reporting by the processor to the controller. These contracts also need to be kept under review – for example, to ensure that data is properly returned and deleted at the end of the contractual term.
Making use of these kinds of training tools is no magic bullet to prevent an attack, but if it helps reduce the risk of staff inadvertently leaving a ‘back door’ open (eg clicking a link in a phishing email or opening a malicious attachment) then it is time well spent. Of course, even with the best training in the world risks can never be eliminated entirely. But if a school does fall victim to an attack which might necessitate a report to the Information Commissioner’s Office (ICO), it will be important to be able to point to the proactive measures taken to reduce the risk in the first place, and staff training is one of the key areas to be able to point to (the ICO expects regular training for all staff – ie at least every 2 years). It seems likely to us that, if the ICO is investigating a data security breach at a school in future where a root cause is human error, then the ICO will specifically ask if the school made use of this new training tool and will take this into account in relation to any enforcement action it might take.
Finally, understandably given its remit, it is worth noting that the NCSC’s training is focused on cyber incidents as opposed to the common breed of data security incidents in schools caused not by a cyber attack but more mundane human error, eg misdirected emails, poor redaction, or loss of hard copy documents. Schools might therefore consider reinforcing these points as part of (or in addition to) the NCSC training.
This publication is a general summary of the law. It should not replace legal advice tailored to your specific circumstances.
© Farrer & Co LLP, July 2021