Staying Safe with Email

In this month’s newsletter:

Reduce your risk of data breaches from email use that could result in a legal challenge

Get ready for the Children’s Code deadline with pupil-friendly communication

Guidance for engaging with your DPO before implementing new systems

Updated compliance templates from our online platform

Welcome to this month’s newsletter. We know that you will be phenomenally busy at the moment with schools now fully reopening. We realise that this is both an exciting and daunting time for most schools, school staff and pupils, so we wish you the best of luck. We hope that it goes really well! We appreciate that your focus will be on reopening right now but we will continue to prepare resources, guidance and training for you, and are here if you need us at this time. Just ask!

The main topic this month focuses on reducing the risk of causing data breaches by using email. Email is currently used in ever increasing amounts by organisations and is one of the highest causes of data breaches. It is the top cause of data breaches on our own data breach log! We have put together some top tips to reduce that risk! There is also:

guidance on the ICO’s Children’s Code (or Age Appropriate Design Code);
an update on staying compliant with new suppliers;
a previously asked question about concerns that teacher information included in a SAR could be published online;
a reminder of our confidential waste disposal service; and
the latest on the updated resources in Global Documents this month.

If you have any further questions about the topics below, or if you would like to book your next visit from us, either online using video conferencing or onsite once schools are accepting visitors, please get in touch via GDPR@schoolpro.uk. And don’t forget, if there is anything else that you need support with at this time, please ask and we will do whatever we can within our capacity to assist.

Stay safe and healthy!

Data is most at risk on email, with 83% of organizations experiencing email data breaches – Help Net Security

A recent report by Egress has shown that 95% of IT leaders state that their client and company data is at risk due to email and that 83% of organisations have experienced data breaches via email in the last 12 months. Statistics also show that 85% of employees are sending more emails due to working remotely during the pandemic.

Our own figures back this up too. Since the start of 2021, we have had 86 breaches logged on our portal and around 60% of those breaches have been caused by email in one way or another. Common breaches include emailing a group external to the school (e.g. parents) and not using Bcc for the email addresses or sending the wrong file to the wrong person.

Whilst it is nearly impossible to reduce the risk of breaches to zero, we can certainly look to minimise it as much as possible. Here are some actions that you can take to do just that:

Train staff on the common mistakes that they could make and how to avoid them.
Encourage staff to check emails before they are sent so that they are less likely to make a simple error like using the wrong email address.
Password protect files that contain personal information.
Avoid emailing files internally. Save files in a shared area on either your internal server or in the cloud (depending on your organisation) and update the shared document. Communication needs to only reference the document or can contain a link to it which can only be accessed by those with authorisation.
Avoid email for external communication where possible. Use alternative parental communication tools for example. These tend to be designed to make it much harder to accidentally send the wrong information to the wrong person.
Use Bcc when emailing an external group of contacts if you have to use email.
Remove the auto-fill function in the address field so that the wrong email address isn’t populated by mistake. This can also be mitigated by checking the email before sending.
Add a short send delay so that the email stays in the Outbox briefly before sending and allowing staff time to check and stop the email sending if they spot an error.

The ICO’s Children’s Code

The Children’s Code (or Age Appropriate Design Code to give its formal title) is a data protection code of practice for online services, such as apps, online games, and web and social media sites, likely to be accessed by children. It came into force on 2 September 2020 with a 12 month transition period to give organisations time to prepare. The ICO is committed to supporting all organisations with advice and resources to help them achieve compliance by 2 September 2021. (Children’s Code hub | ICO)

Whilst the code is aimed at the companies that provide the online services to children, it is clear that the new code will put some additional responsibilities on schools as data controllers, not least to try and ascertain that the suppliers they use for online services are compliant with the code.

The code covers a wide range of standards (15 in total – Standards of age appropriate design | ICO) from looking after the best interests of the child to data sharing, from parental controls to transparency. The code will expect suppliers to:

create an open, transparent and protected place for children when they are online;
follow a series of standards when designing, developing or providing online services where they are likely to be accessed by children;
consider the best interests of the child when processing their personal data. The code applies to apps, connected toys and devices, search engines, social media sites and online games; and
implement high privacy settings by default and use language that is clear and easy for children at different development stages to understand. The code includes key safeguards around the automated profiling of children, the use of geolocation data, and the transparency of marketing techniques. (FAQs – the basics | ICO)

As a school, and as your DPO, we will want to work in parallel with the code to support and protect young people so this will include, among other things, ensuring that:

suppliers are compliant with the new code;
Data Protection Impact Assessments are completed and implemented where relevant; and
age appropriate privacy notices are provided to young people so that they fully understand their data.

Over the coming months, and in the run up to this September, we will be looking at resources and processes to support your compliance with the code including child-friendly privacy notices. We will have more on this in future newsletters.

We have mentioned this topic in a recent newsletter but it is important to reiterate the role your DPO (that’s us!) should play when bringing in new suppliers.

If a supplier is going to be processing personal data for your organisation, it is important that you follow the flow chart below. This doesn’t have to be an onerous task or add huge amounts of time and bureaucracy to your procurement process. The key things to remember are:

Have you notified the DPO of your intention to use a new supplier BEFORE entering into an agreement with them so that the DPO can ensure they are compliant?
Have you, with the help of the DPO, risk assessed the processing the supplier will be conducting to identify if a Data Protection Impact Assessment (DPIA) needs to be completed BEFORE processing has started?
Has the new supplier been added to privacy notices and data maps as appropriate?

New Supplier Process Detailed Flowchart - Updated

Previously Asked Question

We are asked data protection questions by schools on a daily basis and there are some questions that come up regularly. We now have an FAQ section on the website for these and all of our answers are published there. You can find this on the Data Protection page of the website or in the blog. Here is one of the questions we’ve been asked recently and the answer we have provided. We will publish more in future newsletters:

We are concerned that data released in a SAR, and containing teacher names, could be published online. What can we do? Can we instruct the data subject not to publish online?

We have discussed this particular issue with the ICO. They have stated:

“Data protection law gives a right to individuals to access their own data, so the school cannot put additional conditions on releasing the person’s own data. If the school is concerned about harm to third parties due to that being released then that may be grounds to withhold it.”

As a school then, you cannot tell the data subject what they can or can’t do with the data. If you are concerned about harm then you should redact teacher names. The ICO go on to say:

“The school needs to assess if it is reasonable to supply third party [i.e. teacher] data, taking into account that there is a presumption of reasonableness for teachers. They can ask the individual about their intentions with the data in order to make that assessment, and in some cases it is relevant to ask the third party for consent.”

Your options then are to speak to the data subject about their intentions and, if you feel there is a risk, redact the names further. It might be that this redaction isn’t needed on all emails as there are only some you would be concerned about being published.

Will certain emails be detrimental to the teacher if they are posted with their name included? If so, redact those specifically.

If you are at a point in the SAR process where the deadline is approaching and the limited time available is not enough, speak to the data subject, explain the need to delay for a short period, and then issue when ready. This would be preferable to issuing incorrectly.

Next month – we are going to look at how you should respond to a Right to Erasure request from a parent if a pupil has moved on to another establishment.

Confidential Waste Disposal Service

We would like to take the chance to remind you of our discounted secure confidential waste disposal service that we recently launched. This will have the added bonus of being fully documented and compliance checked by us as your Data Protection Officer.

Click on the button below and complete our short 30-second survey to register your interest and request a quote:

New & Updated Resources on the Portal

This month we have no new documents but a plethora of updated documents due to the change in legislation from the GDPR to the UK GDPR. Unless otherwise stated, all of these updates are to do with the legislation update:

Updated Documents

Biometric Data Policy
CCTV Policy
Data Protection Policy
- Legislative update included. Also updated to include:
  - additional detail regarding penalties for breaching an organisation’s statutory responsibilities regarding the rights of individuals and data breaches; and
  - clearer guidance on undertaking Data Protection Impact Assessments (DPIAs) and their importance.
Data Protection Policy for hospital education and alternative schools
- Legislative update included. Also updated to include:
  - additional detail regarding penalties for breaching an organisation’s statutory responsibilities regarding the rights of individuals and data breaches; and
  - clearer guidance on undertaking Data Protection Impact Assessments (DPIAs) and their importance.
Privacy Notice – NHS Test & Trace Addendum
Privacy Notice – Primary Academy Pupils & Parents
- Legislative update included. Also updated to include:
  - additional purposes for why academies collect and use pupil information; and
  - additional organisations academies typically share pupil data with.
Privacy Notice – Primary School Pupils & Parents
- Legislative update included. Also updated to include:
  - additional purposes for why schools collect and use pupil information; and
  - additional organisations schools typically share pupil data with.
Privacy Notice – School and Trust Governance Roles
Privacy Notice – Secondary Pupils & Parents
Privacy Notice – Workforce Academy
Privacy Notice – Workforce School
Template Consent Form