It is approaching the end of the longest school term in human history… again! We wrote that last year and it is still as apt in 2021. And as we said last year, you are continuing to do phenomenal work keeping your communities going and improving the life chances of young people. The capacity of schools in adversity never stops amazing us. It is very nearly time for a well-deserved break! Please remind staff to secure all personal data (hard copy or electronic) before leaving at the end of term, and to enjoy the holiday!
Over the next couple of weeks, we will also be enjoying a well-earned break but we will be available in an emergency of course. Please contact us on DPO@schoolpro.uk for anything urgent. We will be around our offices for some of the time as well but will resume full, normal office hours from the 4th January.
The main topic this month focuses on personal data breaches. We’ve created a new decision-making process map to help you decide whether you should inform data subjects of a data breach and, if so, what information and advice you should give them. You can download the process maps below. There is also:
- an introduction to GOV.UK Notify, the government email and text system that lets you send files as encrypted links free of charge and use it for parent communication;
- a lesson in spurious compensation claims for data breaches and why you don’t always need to settle or pay up;
- guidance on whether you may have been processing biometric data without realising it;
- the latest guidance for leaders and network managers on phishing attacks from the National Cyber Security Centre (NCSC);
- a previously asked question about managing emails in the context of Subject Access Requests; and
- the latest on the new & updated resources in Global Documents since the last newsletter.
You can download our new ‘All Staff’ update based on the content of this newsletter by clicking on the image to the side. And, as always, if you have any further questions about the topics below, or if you would like to book your next visit from us, either online using video conferencing or onsite now that many schools are accepting visitors, please get in touch via our new email address DPO@schoolpro.uk. And don’t forget, if there is anything else that you need support with at this time, please ask and we will do whatever we can within our capacity to assist.
Stay safe and healthy! And Merry Christmas!
Notifying Data Subjects of a Breach
Data breaches can be a worrying time for an organisation and we are here to support you should the worst happen. Part of the process of dealing with a breach is deciding whether to inform the data subjects who were affected.
It is important to understand that notifying data subjects is not required for every breach. Notifying a data subject can itself create undue worry, or a risk to them that would not have existed had they not been informed. The ICO’s guidance is clear that you only need to inform data subjects “if a breach is likely to result in a high risk to the rights and freedoms of individuals”. If this is the case “you must inform those concerned directly and without undue delay.” Note that this is a higher threshold than the one for notifying the ICO itself, which applies where a breach is likely to result in a risk (not necessarily a high risk) to individuals; the two decisions are made separately. (ICO guidance: Personal data breaches)
So how do we decide if we need to notify data subjects and, if we decide we should, what do we need to tell them? We have created this infographic (available in two different versions) to explain the decision-making process and identify what information needs to be given to the data subjects. You can download them by clicking on the images.
Ultimately, we are here to support you. You can involve us in the decision-making process and we can help you come to a decision that you are happy with and that is in the best interests of the data subjects.
GOV.UK Notify is a system for public authorities, including state-funded schools, to send emails, texts and letters to users. In other words, you can use the system for parent communication. This video introduces the system:
The system allows you to send unlimited free emails and up to 150,000 free texts per year. There are then costs associated with additional texts above that limit, or if you want to use the service to send letters.
One of the key benefits of the service that we’ve identified as Data Protection Officers is that when you send a file by email, Notify sends the recipient an encrypted download link rather than attaching the file to the email. As the system states, this is because:
- they’re more secure; and
- email attachments are often marked as spam.
Another benefit of the system is that there’s no monthly charge, no setup fee and no procurement process. For more information, visit the site:
Compensation Claims for Data Breaches
Experiencing a data breach can be worrying for a school, even without the thought of a compensation claim being brought against you. We do discuss the possibility of no-win, no-fee solicitors bringing claims against schools in our data protection training and are aware of 2 or 3 such claims occurring over the past 18 months within our network. However, there is cause for optimism regarding the need to pay out claims from a couple of recent cases.
We will just point out that we are data protection officers and not lawyers/solicitors so this is not legal advice. If you do receive a compensation claim as a result of a data breach, you should still seek professional legal help.
Lloyd v Google (2021) – in this representative action, Lloyd brought a claim against Google on behalf of around 4 million iPhone users. Whilst we are not defending Google and its practices, the actual damage caused to each of the 4 million claimants could not be proven or evidenced individually, and therefore the judgment was that the case could not proceed.
Rolfe & Ors v Veale Wasbrough Vizards LLP (2021) – this case was on a far smaller scale compared to Lloyd v Google but is possibly even more relevant to schools. The school was chasing fees from the Rolfes and a letter was sent to them by email on the school’s behalf by its solicitors, Veale Wasbrough Vizards (the defendant). The letter included the following details of the Rolfes – “names, their address, the amount of school fees (together with interest and surcharges) owed…, a statement of account of school fees for the past five years, and reference to proposed legal action which would be taken if the debt was not paid”. Unfortunately, due to a clerical error, the email was sent to an address that differed from the correct one by a single character and, hence, the breach occurred.
The firm followed its breach procedure. As soon as the incorrect recipient made them aware of the error, they asked the recipient to delete the email from their inbox and deleted items folder, and this was confirmed by the next day. The email itself was encrypted, so it could not be read by anyone other than the recipient and anyone else with access to that inbox.
As a result of the breach, the Rolfes put in a claim for “damages for misuse of confidential information, breach of confidence, negligence, damages under s82 of the GDPR and s169 Data Protection Act 2013 (sic)”. However, they lost the case and the judge was plainly unimpressed by their claim. The judge acknowledged that ‘distress’ can be a valid reason for awarding damages and that “loss of control of personal data can constitute damage”, but stated that there must still actually be damage, and that it must not be trivial.
The judge went so far as to ask “what harm has been done, arguably?” and described “a plainly exaggerated claim for time spent… dealing with the case and a frankly inherently implausible suggestion that the minimal breach caused significant distress and worry or even made them ‘feel ill'”.
Our hope is that this sets a precedent and that spurious compensation claims like this will not be seriously considered by the courts. Clearly it is important that due compensation is awarded in serious cases but, as the judge concludes, “in the modern world it is not appropriate for a party to claim, …for breaches of this sort which are, frankly, trivial.”
Are You Processing Biometric Data?
We were recently asked by one of our schools whether staff using Face ID on iPads meant that the school was processing biometric data. If a school is processing biometric data then it should state this in its Data Protection Policy, and it is also a statutory requirement set by the DfE to have a Biometric Data Policy if you are processing the biometric data of children. So could you be processing biometric data without realising it?
We spoke to the ICO about this and formulated three scenarios:
Scenario 1 – a staff member is using their own iPad and securing it with Face ID or a fingerprint. In this case, the school is not the controller for this data, so it is not processing biometric data. This would also apply if pupils are using their own devices and securing them with Face ID or fingerprints.
Scenario 2 – the school owns the iPads and issues them to staff. Staff use Face ID or fingerprints to secure these devices. The ICO would consider the school to be the controller for this biometric data. This is despite the fact that the biometric template never leaves the device: it is held in the iPad’s Secure Enclave and is not accessible to the school (or to Apple). A DPIA would be required and the biometric data section of the Data Protection Policy would need to be amended to state that the school IS processing biometric data. A Biometric Data Policy would not be required, as that only covers children’s biometric data, but it would be required if pupils were securing school devices with Face ID or fingerprints.
Scenario 3 – the school outsources its IT support to another company and that company owns the devices. The school then issues them to staff to use. As far as the ICO is concerned, there is a grey area as to who is the controller here (school or IT company), but they recommend that this is contractually agreed before the devices are implemented. Depending on the outcome of that agreement, the school may then be considered to be processing biometric data and require the relevant paperwork.
So… are you processing biometric data?
Phishing Attacks – Guidance from the NCSC
The National Cyber Security Centre has recently released updated guidance aimed at leaders and network managers in organisations regarding phishing attacks:
“Our phishing guidance has all the details, but in essence, your defensive layers should be arranged to:
- Make it difficult for attackers to reach your end users
- Help users respond appropriately if they receive phishing emails
- Provide additional measures to prevent consequences of opening phishing emails
- Allow you to respond appropriately and quickly, if the first three fail”
Previously Asked Question
If a SAR asks for emails, do we have to provide every email that an individual's name appears in?
This is a common misconception and the answer, in short, is ‘no’! A subject access request is about data subjects exercising their right of access. The right of access does involve producing a copy of the individual’s personal data but that doesn’t mean giving them copies of their name every time it appears in your data systems for example. To explain:
You don’t necessarily have to print out or electronically provide every single email in which an individual’s name appears. Only emails that are ABOUT them are in scope, which isn’t necessarily the same thing. Here is the ICO’s guidance about emails – How do we find and retrieve the relevant information? | ICO
A couple of key points –
- It can sometimes be difficult to determine whether an email contains an individual’s personal data. This depends on the contents of the email, the context of the information it contains, and what it is being used for. Ultimately it is for you as the data controller to determine whether any of the information in the email is the individual’s personal data.
- The right of access only applies to the individual’s personal data contained in the email. This means you may need to disclose some or all of the email to comply with the SAR.
- Just because the individual receives the email does not mean that the whole content of the email is their personal data. Again, the context of the information and what it is being used for is key to deciding this. However, their name and e-mail address are their personal data and you should disclose this information to them.
The ICO includes this example in their guidance:
So, if you search your email system and find thousands of emails containing the individual’s name or email address, you could separate them into different categories:
- Emails that they have sent – in theory, they could simply have these as they are, since they wrote them in the first place. You may, however, decide to redact if the information they sent in those emails is now information you don’t think they should have access to for whatever reason. Or you could just say that you hold x emails written by them in your system and can provide them if requested. They may not really be interested in these but rather in the emails ABOUT them.
- Emails in which they are a recipient – if they are a recipient of thousands of emails but the content isn’t about them (i.e. the emails are sent out to all staff/pupils or to groups of staff/pupils), you wouldn’t have to hand these all over. Much like in the example above, you could simply identify the number of them and say: we hold x thousand emails with your name as a recipient which aren’t about you. You then don’t have to go through all of those.
- The final category is emails in which they actually are the subject of the email. These are the emails which are actually ABOUT them and should be a much smaller subset. They should be provided with copies of these, with any redactions applied as appropriate.
Doing it this way should speed up the process and reduce the need to go through every email, as well as the need to provide copies of every single one.
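The three-way sort described above, as an added worked example that is not part of the original newsletter or the ICO’s guidance: a Python script that takes the raw emails a mailbox search for the data subject returned and sorts them into the sent-by-them, merely-addressed-to-them and actually-about-them buckets, with a fourth bucket for search hits that turn out not to refer to the subject at all. The data subject, the addresses and the six messages are constructed sample data; the recipient-count threshold and the first-name rule are assumed heuristics that narrow what a human has to read, not a substitute for reading it or for the redaction step.

```python
"""Triage a mailbox export for a Subject Access Request (SAR).

Buckets: sent_by_subject / about_subject / recipient_only / unmatched.
All names, addresses and messages below are constructed sample data; the
heuristics are assumptions and only reduce the set a human must review.
"""
import re
from email import message_from_string
from email.message import Message
from email.utils import getaddresses

SUBJECT_NAME = "Jane Doe"                   # constructed data subject
SUBJECT_EMAIL = "jane.doe@school.example"   # constructed address
GROUP_THRESHOLD = 10                        # assumption: this many recipients or more = circular/bulk mail

_first, _last = SUBJECT_NAME.split()
FULL_NAME_RE = re.compile(rf"\b{re.escape(_first)}\s+{re.escape(_last)}\b", re.IGNORECASE)
FIRST_NAME_RE = re.compile(rf"\b{re.escape(_first)}\b", re.IGNORECASE)


def _addresses(msg: Message, *headers: str) -> set[str]:
    """Lower-cased addresses from the given headers ('Name <addr>' forms and multiple values handled)."""
    values = [v for h in headers for v in msg.get_all(h, [])]
    return {addr.lower() for _, addr in getaddresses(values) if addr}


def _text(msg: Message) -> str:
    """Subject line plus every text/plain part of the body."""
    parts = [msg["Subject"] or ""]
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True)
            if payload:
                parts.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)


def classify(raw: str) -> str:
    msg = message_from_string(raw)
    sender = _addresses(msg, "From")
    recipients = _addresses(msg, "To", "Cc", "Bcc")
    text = _text(msg)
    is_recipient = SUBJECT_EMAIL.lower() in recipients
    direct = is_recipient and len(recipients) < GROUP_THRESHOLD
    if SUBJECT_EMAIL.lower() in sender:
        return "sent_by_subject"           # they wrote it; they already know its content
    # Full name or address in the subject/body marks the mail as being about them.
    # The first name alone counts only in direct (non-group) correspondence, so a
    # "Dear all" circular to 200 people is not pulled in because it mentions some Jane.
    if SUBJECT_EMAIL.lower() in text.lower() or FULL_NAME_RE.search(text) or (direct and FIRST_NAME_RE.search(text)):
        return "about_subject"             # candidates for disclosure, subject to redaction
    if is_recipient:
        return "recipient_only"            # addressed to them but not about them; report the count
    return "unmatched"                     # search hit that does not actually refer to the subject


def triage(mailbox: list[str]) -> dict[str, list[str]]:
    buckets: dict[str, list[str]] = {"sent_by_subject": [], "about_subject": [], "recipient_only": [], "unmatched": []}
    for raw in mailbox:
        buckets[classify(raw)].append(raw)
    return buckets


def counts(mailbox: list[str]) -> dict[str, int]:
    return {bucket: len(items) for bucket, items in triage(mailbox).items()}


# Constructed sample mailbox: the kind of hits a search for "Jane" / her address would return.
_STAFF = ", ".join(f"staff{i}@school.example" for i in range(11))  # 11 colleagues, so 12 recipients with Jane
SAMPLE_MAILBOX = [
    # 1 - written by the subject herself
    "From: Jane Doe <jane.doe@school.example>\nTo: head@school.example\nSubject: Timesheet\n\nPlease find attached my timesheet for November.\n",
    # 2 - all-staff circular; Jane is one of 12 recipients and is not mentioned
    f"From: head@school.example\nTo: {_STAFF}, jane.doe@school.example\nSubject: INSET day\n\nDear all,\nA reminder that Friday is an INSET day.\n",
    # 3 - about Jane, but she is not a recipient
    "From: head@school.example\nTo: deputy@school.example\nSubject: Jane Doe - return to work\n\nJane Doe's phased return starts on 6 December.\n",
    # 4 - direct correspondence addressing her by first name
    "From: deputy@school.example\nTo: jane.doe@school.example\nSubject: Appraisal meeting\n\nDear Jane,\nYour appraisal meeting is booked for Tuesday.\n",
    # 5 - direct, but the content is not about her; she is only the addressee
    "From: office@school.example\nTo: jane.doe@school.example\nCc: deputy@school.example\nSubject: Minutes\n\nCould you circulate Monday's minutes please.\n",
    # 6 - a naive search for "Jane" returns this: a different person, and Jane is not a recipient
    "From: office@school.example\nTo: governors@school.example\nSubject: New governor\n\nJane Dobson joins the governing body in January.\n",
]

if __name__ == "__main__":
    for bucket, n in counts(SAMPLE_MAILBOX).items():
        print(f"{bucket:16} {n}")
```

Run against a real export, the about_subject bucket is the set you read and redact; the other buckets are reported as counts in the response, as the newsletter suggests. The recipient_only bucket still deserves a skim for direct (non-circular) mail, since the script cannot tell whether a one-to-one message that never names the person is nonetheless about them.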
Remember, if in doubt, come and speak to us as your DPO and we can advise.
Next month – we are going to look at the conditions for legitimately extending your response time to a Subject Access Request.
New & Updated Resources on the Portal
Since our last newsletter, we have added two new documents and one updated document:
- DPIA – Sign-In App (electronic visitor & staff sign-in software)
- Infographic – Notifying Data Subjects of a Data Breach
- Policy – Data Protection
- Updated DPO contact details from GDPR@schoolpro.uk to our new email address, DPO@schoolpro.uk
Data Protection in the News
SchoolPro TLC is not responsible for the content of external websites.