In this month’s newsletter:
Happy Easter and welcome to this month’s newsletter. We hope that you enjoyed a well-earned Easter Break!
The main topic this month focuses on reducing the risk of cyber attacks in schools. Schools and education establishments are increasingly seen as ‘soft targets’ for cyber criminals and there has been a recent surge in cyber attacks on schools, colleges and Trusts. Make sure that you, your staff, and your school are as prepared as possible and able to reduce this risk. There is also:
- guidance for this summer’s exam series and the data protection issues you should consider before the summer is here;
- updated guidance on schools as Polling Stations, first published for the General Election in 2019;
- information on our latest strategy to improve the environmental impact of SchoolPro TLC;
- the lowdown on the new and updated features on our online training platform;
- a previously asked question about concerns that teacher information included in a SAR could be published online; and
- the latest on the new & updated resources in Global Documents this month.
If you have any further questions about the topics below, or if you would like to book your next visit from us, either online using video conferencing or onsite once schools are accepting visitors, please get in touch via GDPR@schoolpro.uk. And don’t forget, if there is anything else that you need support with at this time, please ask and we will do whatever we can within our capacity to assist.
Stay safe and healthy!
Increasing Cyber Security Risks for Schools
We sent an email out before the Easter weekend about this topic. Due to an admin error, it was sent from an email address you probably haven’t seen before – clearly we were testing you! A few people did get in touch with us to enquire about the authenticity of the message. It was real. It was from us. And well done for checking!
But the point still remains. There has been press coverage of a significant increase in ransomware attacks on schools and Trusts in the past few weeks. For example:
NCSC warns of increased ransomware attacks on education sector (edtechnology.co.uk)
Ransomware: Surge in cyber attacks cripples schools (schoolsweek.co.uk)
Hackers hit Harris in latest ‘highly sophisticated’ cyber attack (ampproject.org)
We have been made aware of some impact within our own school network, so we would strongly recommend that you ensure that your ICT support are aware, regularly create an up-to-date backup of all servers, and keep all protection software up to date. It would also be sensible to remind staff to be on the look-out for phishing emails and not to click on unknown links and attachments.
For more detailed guidance, we have included links to the National Cyber Security Centre (NCSC) guidance documents. If you do not want to click the links in the email, we have uploaded these documents to our portal, and they are available from the NCSC website directly.
https://www.ncsc.gov.uk/information/infographics-ncsc#section_3
https://www.ncsc.gov.uk/news/alert-targeted-ransomware-attacks-on-uk-education-sector
If you need any assistance with backups, or wish to move any of your servers to the cloud for the added professional security, real-time backup, mirroring of data and potentially significant cost savings, do speak to your DPO contact.
Please feel free to forward this message on to others that may benefit from the information.
Exam Results, CAGs, & Data Protection – Exams ’21
Know the differences in process from 2020.
As another extraordinary results season looms, schools and academy trusts need to be ready for the changes compared to the processes of 2020. Updated guidance was published by the DfE on 25th February 2021, explaining these changes.
We have written full guidance to cover the data protection aspects of these changes.
Schools as Polling Stations
Ahead of the last General Election, we issued advice to schools in case they were being used as Polling Stations. In the event that this is being planned for the upcoming local election, our advice can be found in our blog post from 2019 linked here.
The advice focused on three key areas:
- Data Visibility
- Access Control
- Mobile Devices
Check out the full blog post for the complete guidance.
We also created a checklist that can be used both before the day and on the day itself as a reminder of the data protection considerations for your school. You can also download the checklist from the button below:
SchoolPro TLC Goes Green
Prior to the Covid-19 pandemic, we had discussed, as a company, the idea of going online with some of our visits and meetings. We have all worked remotely since the company was started (or we joined the company) but we still travelled regularly to visit schools in person. Sometimes, we have travelled across the country for hour-long meetings in schools that could easily have been conducted online. Prior to the pandemic, we were already conducting internal meetings over Teams whilst working in our separate offices and were considering rolling this out to our schools as an option instead of physical site visits in some instances.
The pandemic has meant that we have all had to review our traditional ways of working. We miss being in schools on a regular basis. We miss the relationships that you build up by seeing staff and pupils face to face. We miss conducting staff training face to face. But we are also conscious of our carbon footprint as a company and, as parents and former school leaders, we are aware of what state we want the planet to be in as we pass it to future generations. To that end, we are proposing the following as we, hopefully, move into a post-pandemic world over the coming months:
- Continue to offer online training either via our training platform or using platforms like Teams.
- Continue to offer remote/online audits using Teams as we have done over the past 13 months or so.
- Continue to offer remote/online meetings and other sessions as required.
What this doesn’t mean is that we don’t want to come and see you! If you would prefer a face to face training session, of course we will come and run that. If you would prefer a site visit for an audit, of course we will come and conduct that. But it might be that we agree that for your two visits in the year, one is onsite and the other is remote.
Ultimately, we want to work in a way that suits you. We also want to reduce our environmental impact as much as possible. If those two goals are complementary, that is even better!
Online Training – New Features
We moved our website over to a new server provider in March which has also given us the opportunity to upgrade the training platform on the site. This has done a couple of things for Group Leaders which are shown in the screenshot below:
- A new ‘Send password reset’ function.
  Once one or more users are selected, the ‘Send password reset’ button appears. Click on the button and the user or users will receive a fresh password reset email with a link to the site. Ideal for those staff that can’t find their welcome email or are having login troubles.
- Reporting tools for course progress are now fully operational and can be seen in the drop down menu on the right hand side.
- A new configuration for the add User functions buttons as can be seen in the drop down menu on the left hand side.
Previously Asked Question
We are asked data protection questions by schools on a daily basis and there are some questions that come up regularly. We now have an FAQ section on the website for these and all of our answers are published there. You can find this on the Data Protection page of the website or in the blog. Here is one of the questions we’ve been asked recently and the answer we have provided. We will publish more in future newsletters:
How should I respond to a Right to Erasure request from a parent if a pupil has moved on to another establishment?
There will be a number of different contexts to this but the template below can be adapted to fit them. In this example, the pupil has moved to EHE from an Academy so the Pupil File is to be transferred to the LA and the retention schedule is for an Academy. This can be adapted for different transfers and retention schedules depending on context:
“Thank you for sending through your right to erasure (right to be forgotten) request regarding your child’s personal data. We are consulting with our Data Protection Officer (DPO) with regards to the processing of this request and are conducting it as appropriate. Under the UK GDPR, we must comply with your request without undue delay and at the latest within one month of receipt of the request. We will therefore endeavour to have completed processing this request by the xxxxxx, one month from receipt of the request on the xxxxxx. This requirement is laid out by the ICO here: Right to erasure | ICO
It is important to note that in the same guidance, it identifies that the right to erasure is not absolute. Data that we process under the legal bases of Article 6(1)(c) “legal obligation” and Article 6(1)(e) “public task” are not subject to the right to erasure. Most data that we process as a school uses these legal bases and therefore we cannot erase that data until such time as those legal bases no longer apply. This is laid out in our retention schedule which follows the Information & Records Management Society (IRMS) Toolkit for Academies which can be found here: IRMS Academies Toolkit – Information and Records Management Society.
As stated in this document, data that forms part of the pupil’s Educational Record or ‘Pupil File’ will be passed on to the Local Authority who will retain it for the statutory period or until the child transfers to another school at which point the file will be transferred to that establishment. Other data that does not form part of the pupil file such as attendance registers and records relating to school trips that contain your child’s data, will be retained until the end of the statutory period at which point they will be securely disposed of.
Any data that the school no longer has a duty to retain (it is no longer necessary for the purpose for which it was originally collected/processed) or was processed under the legal basis of Article 6(1)(a) “consent” (if you are confirming that consent has been withdrawn) will be erased securely and appropriately by the deadline of the xxxxxx.
If you have any concerns or questions about how your data is being processed with regards to this request, you may contact our DPO at GDPR@schoolpro.uk or the ICO directly at Home | ICO, using their chat service Live chat | ICO, on 0303 123 1113, or by post at Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.”
Next month – we are going to look at what you need to consider when publishing historical photos in a closed social media group or on a website.
New & Updated Resources on the Portal
Since our last newsletter, we have added seven new documents and two updated documents:
New Documents
- DPIA – Canvas (LMS Software Service) – Instructure Inc.
- DPIA – Change of MIS to Arbor
- DPIA – Change of MIS to Arbor – Appendix (Arbor’s Compliance with GDPR)
- DPIA – OpenApply (School Admissions & CRM) – Faria Education Ltd
- DPIA – Payroll Software – FS4S (Juniper Education Group)
- DPIA – Wonde – DfE Attendance Data Collection
- Privacy Notice – Guest WiFi Users
Updated Documents
- DPIA – ParentPay
  - Addition of new sub-processor.
- DPIA – Wonde
  - Updated risks and DPO guidance.
Data Protection in the News
UK GDPR faces changes under planned reforms | computerweekly.com
Installing CCTV? Things you need to do first | ICO
You can ‘go your own way’ over GDPR, says UK’s new Information Commissioner | The Register
De-identify, re-identify: Anonymised data’s dirty little secret | The Register
It’s time to delete that hunter2 password from your Microsoft account, says IT giant | The Register
Popular Android apps are leaking user data online | TechRadar
Google to auto-enable 2FA for 150 million users | The Register
Telegraph newspaper exposes 10TB of server, user data online | The Register
Schools email marketing firm fixes database login leak | The Register
Twitch blames data breach on server configuration error | CNET
UK schools are using facial recognition to take pupils’ lunch money | The Verge
NHS Digital sends infosec breakfast chat mails, CC: All | The Register
Centre for Computing History apologises for data breach | The Register
Tech Tip – How To Turn On WhatsApp Encrypted Backups | Reform IT
HIV Scotland reveals patient-advocates’ names in email fail | The Register
British data watchdog has £5m outstanding in unpaid fines | The Register
Facebook Drops Facial Recognition to Tag People in Photos | WIRED
UK Supreme Court blocks £3bn data privacy claim against Google | cityam.com
Brittany Ferries admits to security breach | The Register
The FBI’s email system was hacked to send out fake cybersecurity warnings | The Verge
ICO issues ‘reprimands’ in private to large data lawbreakers | The Register
Huge fines and a ban on default passwords in new UK law | BBC News
Confusion about the meaning of ‘Schrems II’ impedes global data flows | iapp.org
Cyber attack disrupts Gloucestershire Council’s website | BBC News
Gloucester Council cyber attack linked to Russian hackers | BBC News
Winter Olympics: Athletes advised to use burner phones in Beijing | BBC News
UK warned to bolster defences against cyber attacks as Russia threatens Ukraine | BBC News
SchoolPro TLC Ltd (2022)
SchoolPro TLC is not responsible for the content of external websites.