We are halfway through another academic year already and, as always, the pace shows no sign of letting up. At this time of year, schools are heading off on ski trips and there is romance in the air. This year, there have been some serious storms in the air as well and we’ve driven through a few floods over the past week or two in order to visit some of you. We hope that you are staying safe and dry as much as possible.
This month’s newsletter features guidance on handling Freedom of Information Requests and advice for you regarding the recent DfE data breach. As well as this, we have some tips on reducing your breach risk with your IT systems and information regarding an update to our templates. We also have news of a price freeze for the next year for your DPO service! There is a lot to cover!
If you have any further questions about the topics below, or if you would like to book your next visit from us, please get in touch via GDPR@schoolpro.uk.
Guidance on Freedom of Information Requests
A number of schools have spoken to us regarding Freedom of Information Requests that they have received. Some are clearly coming from the same people and are targeting a lot of schools. We are happy to give advice with regards to these requests and, because this has happened a lot recently, we thought it wise to put together some advice for all of you in the event that you receive a request. Ideally, you should have a Freedom of Information Policy for your school – there is a template for this on the portal – and this contains a lot of information about how you will respond to requests, what exemptions may apply and when you may charge a fee, among other things.
As public bodies, state schools are obliged, under the Freedom of Information (FOI) Act 2000, to publish certain information about their activities and produce information requested by members of the public. The principles of the FOI Act are:
- that everybody has a right to access official information;
- disclosure of information should be the default;
- requesters do not have to give a reason for wanting the information;
- all requests should be treated equally;
- information should only be disclosed if it is information that would be given to anyone (or the world at large).
The FOI Act covers recorded information that is held by the school including printed documents, computer files, letters, emails, photographs, and sound or video recordings. This means that schools do not need to provide information they do not collect and hold as part of their regular routines. So, if the information is just in someone’s head and is not recorded, this is not subject to a Freedom of Information Request. As the guidance on the ICO website states, “You do not have to create new information or find the answer to a question from staff who may happen to know it.”
This is just the first part of our guidance – the rest can be found in a previous blog post here or can be downloaded as a pdf from the button below.
If you have any questions about this, please contact us and we can help!
Common Breaches – Use of IT Systems
We deal with a large number of data breaches and many of them involve misuse of IT systems, including emailing sensitive data to an incorrect recipient. Many of these breaches can be avoided by following a few simple tips:
- Send email via secure or encrypted systems – if you have to send personal data electronically, wherever possible, don’t use unencrypted or insecure email. Tools like Egress are designed for sending information securely. Similarly, uploading a document to a secure shared area and notifying the recipient that it is there is a better solution than sending it by email.
- Password protect email attachments – if you have no other alternatives to sending a document by email, ensure that it is password protected before it is sent. Then, send the password by a different medium – for example, by phone. If the email ends up with an incorrect recipient by mistake, they won’t be able to open the attachment. You will also identify quickly if your intended recipient hasn’t received the email when you contact them with the password.
- Use Word Templates – if you have a blank form that you send out to people, save it as a Word Template. This means that the recipient MUST save it as a separate file before they send it back. This reduces the risk of you later sending out a ‘blank’ form which accidentally still contains a previous person’s information.
- Remove Metadata – this is referred to in our FOI Request guidance as well. Metadata on a file can reveal personal information such as the original author of the document. This can be done by following the steps found here.
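As an added illustration of the “Remove Metadata” tip, the Python script below is example code written for this newsletter (it is not a SchoolPro tool or a Microsoft feature). A .docx file is a zip package, and the document properties that Word shows as Author and Last Modified By live in the entry docProps/core.xml. The script reads those properties, removes the ones that identify a person and writes every other part of the file back untouched. The sample document, the names in it and the function names are all constructed for the example.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespaces used in docProps/core.xml of an Office Open XML package.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)  # keep Word's prefixes when re-serialising

CORE_PATH = "docProps/core.xml"

# Properties that usually name a person. Title and dates are deliberately kept.
PERSONAL_FIELDS = ("dc:creator", "cp:lastModifiedBy", "dc:description", "cp:keywords")


def read_core_properties(docx_bytes: bytes) -> dict:
    """Return the document properties as {"dc:creator": "...", ...}."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        root = ET.fromstring(zf.read(CORE_PATH))
    props = {}
    for child in root:
        uri, local = child.tag[1:].split("}")  # tag looks like "{uri}local"
        prefix = next((p for p, u in NS.items() if u == uri), uri)
        props[f"{prefix}:{local}"] = child.text or ""
    return props


def strip_personal_metadata(docx_bytes: bytes) -> bytes:
    """Return a copy of the package with author-identifying properties removed.

    Every other zip entry (body text, styles, content types) is copied unchanged
    and in the original order, so the rest of the document is not disturbed.
    """
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zin, \
            zipfile.ZipFile(out, "w") as zout:
        for item in zin.infolist():
            data = zin.read(item.filename)
            if item.filename == CORE_PATH:
                root = ET.fromstring(data)
                for field in PERSONAL_FIELDS:
                    for el in root.findall(field, NS):
                        root.remove(el)
                data = ET.tostring(root, xml_declaration=True, encoding="UTF-8")
            zout.writestr(item, data)  # reuses the original entry's compression
    return out.getvalue()


def entry_names(docx_bytes: bytes) -> list:
    """List the zip entries of the package (used to check nothing was dropped)."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        return zf.namelist()


def build_sample_docx(creator: str, last_modified_by: str) -> bytes:
    """Build a minimal .docx-shaped package in memory.

    Constructed sample for this example only; a real file saved by Word has
    more parts, but its docProps/core.xml has exactly this shape.
    """
    core = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}" '
        f'xmlns:dcterms="{NS["dcterms"]}" xmlns:xsi="{NS["xsi"]}">'
        "<dc:title>Pupil medical form (blank)</dc:title>"
        f"<dc:creator>{creator}</dc:creator>"
        f"<cp:lastModifiedBy>{last_modified_by}</cp:lastModifiedBy>"
        '<dcterms:created xsi:type="dcterms:W3CDTF">2020-01-10T09:00:00Z</dcterms:created>'
        '<dcterms:modified xsi:type="dcterms:W3CDTF">2020-02-03T15:30:00Z</dcterms:modified>'
        "</cp:coreProperties>"
    )
    body = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
        "<w:body><w:p><w:r><w:t>Medical form</w:t></w:r></w:p></w:body></w:document>"
    )
    content_types = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="xml" ContentType="application/xml"/>'
        "</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr(CORE_PATH, core)
        zf.writestr("word/document.xml", body)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_docx("J. Bloggs", "A. Teacher")  # constructed names
    print("before:", read_core_properties(sample))
    print("after: ", read_core_properties(strip_personal_metadata(sample)))
```

On a real file, `strip_personal_metadata(open("form.docx", "rb").read())` gives you the bytes to save as a new document. Note that this only cleans the document-properties part of the package: comments, tracked changes and hidden text live in other parts (word/comments.xml and the body itself), which is why Word’s built-in Document Inspector remains the safer option for a file you did not create yourself.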
Advice Regarding the DfE’s Data Breach
You may have seen the DfE’s data breach in the news in January – the details of 28 million children allegedly accessed by betting companies:
ESFA launches investigation after betting companies access data on 28 million children – FEWeek
We have been asked for guidance on this situation and we have been keeping an eye on it since it first came to light. Our understanding is that the DfE is a controller in its own right. Schools hand data over as part of a legal duty, not to a processor they have chosen. Therefore, it is the DfE, not the school, that is responsible and at risk. The DfE has referred this to the ICO and, from what we can see, contained the breach. We are not aware of them issuing any guidance to schools about this and there is nothing apparent on the DfE website.
‘No individual data’ compromised during massive DfE breach, minister claims – Public Technology
This article indicates that personal data was not actually accessed as part of the breach – that is the line from universities minister Chris Skidmore in the article:
“The recent use of the Learning Records Service by a data broker was unauthorised and not sanctioned by the department,” he said. “There was no data released about individual learners, only a confirmation or denial that a record existed.”
The article also references a quote regarding both internal DfE investigations and the ICO’s investigation. At this stage, it is difficult to provide too much guidance to parents until more concrete information is released by the DfE or ICO – presumably once these investigations have been concluded. The MP’s response does suggest, however, that minimal personal data was actually accessed as part of this breach.
We will be monitoring this situation as it develops and will provide further updates as and when it is possible and necessary. That being said, this is clearly not the only data breach that the DfE is dealing with at the moment:
DfE in ‘serious data breach’ after naming whistleblowers – SchoolsWeek
The key takeaway with this second breach is to make sure that when you are releasing information for a Subject Access or Freedom of Information Request, redact, redact, redact!
Updates to Policy Templates & Statutory Guidance
We have recently updated our Data Protection Policy template to take into account updates to DfE statutory guidance. The previous version of our template contained information from the DfE’s template which indicated a 2-year review cycle for the policy. However, the DfE’s statutory guidance is now stating a recommended annual review cycle so we have amended the policy template to reflect that (see below). The new template is available for download on the portal.
GDPR in the News
Cookies crumbling as Google phases them out – BBC
University of East Anglia pays data breach students £140k compensation – BBC
Cookie consent tools are undermining GDPR – TechRadar
GDPR: 160,000 data breaches reported already, so expect the big fines to follow – ZDNet
Big Microsoft data breach – 250 million records exposed – Naked Security by Sophos
Trello exposed! Search turns up huge trove of private data – Naked Security by Sophos
London pharmacy fined after “careless” storage of patient data – ICO
National retailer fined half a million pounds for failing to secure information of at least 14 million people – ICO
Please contact us if you do have further questions at GDPR@schoolpro.uk.
SchoolPro TLC Ltd (2020)
SchoolPro TLC is not responsible for the content of external websites.