The school year is nearly over! And what a year it has been! It is safe to say that when we all set out at the start of September, we were not expecting it to turn out the way that it has. We are currently working with a number of schools assisting with curriculum planning and timetabling for the new academic year so we know that this is not going to be a normal summer holiday and next year will not be a normal school year. It is a testament to the dedication of you and your teams that children have continued to be educated and you are continuing to improve their life chances, no matter the situation.
That being said, it is still the end of the school year so we want to remind you that data protection end of year routines need to be completed. Securing data around your site before the break is an important job, as is ensuring that all staff are reminded of their data protection responsibilities over the summer holidays. Breaches still need to be reported if they happen and we will be here during that time if you need us. Similarly, don’t forget to set the ‘out of office’ email…!
We have also started to see a potentially worrying trend around claims for data breaches – something we have mentioned in our staff training sessions in the past. One such example was regarding a large scale data breach for Currys PC World with a link to make a no win, no fee claim. Another came through in a spam email which you can see in the image to the right. It is more important than ever that you are up to date with your policies and procedures regarding data protection and that your staff are following these with their day to day practice to minimise the risk of data breaches.
This month’s newsletter focuses on the latest advice from the ICO about staying safe and compliant during the pandemic, and gives answers to some frequently asked questions we get from schools. There is also information about new and updated resources in Global Documents, and a brief update on the new website and online training courses.
If you have any further questions about the topics below, or if you would like to book your next visit from us, either online using video conferencing or onsite once schools are accepting visitors, please get in touch via GDPR@schoolpro.uk.
Stay safe and healthy!
Latest Advice from the ICO
The ICO has continued to publish updates to their guidance as the coronavirus pandemic continues and the situation evolves. Here is a summary of some of the key updates this month including links to the full advice on their website:
Contact Tracing: Protecting Customer and Visitor Details
The ICO sets out some key principles to follow when gathering details for contact tracing from your “customers” and visitors to your organisations. They are as follows:
- Ask for only what’s needed.
- Be transparent with customers.
- Carefully store the data.
- Don’t use it for other purposes.
- Erase it in line with government guidance.
Video Conferencing: What to Watch Out For
The ICO has also published a blog post looking at key questions organisations should be asking themselves with regards to video conferencing. They are:
- Have you checked the privacy and security settings?
- Are you aware of phishing risks?
- Have you checked your organisation’s policy?
- Have you ensured all software is up-to-date?
- Is this still the right tool for the job?
The full blog post can be found here.
Frequently Asked Questions
We are asked data protection questions by schools on a daily basis and there are some questions that come up regularly. We are looking at how we can create a FAQs section either on the website or in the portal for these. In the meantime, here are a couple of the questions we’ve been asked recently and the answers we have provided. We will publish another two in the next newsletter:
Are emails encrypted in Microsoft 365?
A number of schools have asked about this in order to ensure that their emails are secure when sending personal information. The guidance from Microsoft states the following:
Outlook for Microsoft 365 – When you need to protect the privacy of an email message, encrypt it. Encrypting an email message in Outlook means it’s converted from readable plain text into scrambled cipher text. Only the recipient who has the private key that matches the public key used to encrypt the message can decipher the message for reading. Any recipient without the corresponding private key, however, sees indecipherable text. Outlook supports two encryption options:
- S/MIME encryption – To use S/MIME encryption, the sender and recipient must have a mail application that supports the S/MIME standard. Outlook supports the S/MIME standard
- Microsoft 365 Message Encryption (Information Rights Management) – To use Microsoft 365 Message Encryption, the sender must have Microsoft 365 Message Encryption, which is included in the Office 365 Enterprise E3 license.
So unless you know the recipient uses Microsoft 365, we recommend that you still use a secure email tool like Egress. And speak to your organisation’s IT Support if you are unsure!
Is Zoom GDPR compliant?
Zoom certainly came under fire early in the pandemic as a lot of people were switching on to working from home and video conferencing (many for the first time). Zoom suddenly went from being quite niche to very popular and wasn’t really prepared for it. Some of the big security concerns that came up included:
- Facebook data sharing
- Incomplete (or lack of in some cases) end to end encryption on calls/conferences
- Zoom-bombings – people joining Zoom meetings without an invite by either finding or guessing the meeting ID and then posting inappropriate or explicit content (clearly a safeguarding concern!)
- Vulnerabilities that allowed malicious actors to access users’ webcams (another safeguarding concern)
Clearly these were pretty serious concerns and we recommended that schools avoided running live lessons altogether (something which was also advised by the unions) and used pre-recorded videos instead. If schools did choose to run live lessons, we recommended using software like Microsoft Teams or Google Meets which suffer from fewer issues and are GDPR compliant.
It is our understanding is that Zoom has worked hard since March to fix a number of these security issues and make the platform safer and more compliant. Here is an example of a more recent article highlighting the progress that Zoom has made in many of these areas and with advice around how to make your meetings more secure. A number of sources will also highlight how Zoom fails to comply with GDPR such as this blog post.
That being said, Zoom claims to have done work in recent months to fix a number of these issues and claims it is GDPR compliant on its website and in its documentation. But then Zoom have claimed compliance since the GDPR was implemented in 2018.
There are schools out there using Zoom but our advice would be to avoid it. Are there alternative platforms that you can use? Or are there alternative methods that you can use to achieve the same result?
Updates in Global Documents
We have a number of new and updated resources for you in Global Documents on the portal this month. They are:
- Data Protection Impact Assessment (DPIA) for Confidential Waste
- Data Protection Impact Assessment (DPIA) for the Storage and Communication of Safeguarding Information using MyConcern
- Data Protection Impact Assessment (DPIA) for the Storage and Communication of Health and Medical Information (including Data Associated with Covid-19)
- Records Management Policy Template (updated)
- Keeping Data Safe in Your Workplace Checklist Poster (see below)
- Keeping Data Safe When Sending Emails Checklist Poster (see below)
- Privacy Notice – NHS Test and Trace Addendum
New Website and Online Training
As we announced last week, our new website is now live and includes lots of new features and information about all of our services as well as our Data Protection work. This includes:
- Leadership and Management
- School Improvement
Our online training courses have already expanded to four courses and now include role-specific training for the following:
- Data Protection for Education Staff
- Data Protection for Child Protection Leads
- Data Protection for Lunchtime, Cleaning and Site Staff
- Data Protection for Governors/Trustees
This will expand to further roles over the coming weeks and we will be contacting you individually to give you full and free access to the full suite of courses if you already pay for our full DPO service. We can’t wait for your staff to get training!
GDPR in the News
Coronavirus: Patient virus results sent to Orkney business by mistake – BBC
After a breach, users rarely change their passwords, study finds – ZDNet
Trowbridge Town Council has been told to improve its GDPR procedures – Wiltshire Times
Meadow Vale Primary School suffers cyber attack from hackers wiping personal data – Bracknell News
The biggest hacks, data breaches of 2020 (so far) – ZDNet
NHS Test and Trace Program Set for Legal Challenge Over Its Use of People’s Data – Gizmodo UK
Using this WhatsApp feature will land your phone number in Google search results – TechRadar
Babylon Health admits GP app suffered a data breach – BBC
Nintendo now says that the accounts of 300,000 Switch users have been hacked – Business Insider
Four in five motorists are giving away personal data when they sell their cars – This is Money
GDPR two years on: Why there’s still work to be done on data protection – ZDNet
Data breach fears raised over test and trace pubs register – City A.M.
Data protection app Jumbo now lets you secure LinkedIn and Instagram – Independent
Google reveals major privacy shake-up, will auto-delete user data – TechRadar
FBI warns K12 schools of ransomware attacks via RDP – ZDNet
350,000 Social Media Influencers and Users at Risk Following Data Breach – InfoSecurity Magazine
Why Trump’s administration is going after the GDPR – Politico
Police taking ‘excessive’ data from mobile phones – BBC
Government department fined over data breach – BBC
Coronavirus: How much does your boss need to know about you? – BBC
Please contact us if you do have further questions at GDPR@schoolpro.uk.
SchoolPro TLC Ltd (2020)
SchoolPro TLC is not responsible for the content of external websites.