Happy New Year!

We are two weeks into the New Year and can see that the pace of work in schools continues unabated. To that end, we will get straight to it!

The main topic this month focuses on the new FREE cyber security training course that we are hosting on our training platform. The course has been written by the National Cyber Security Centre based at GCHQ and we’ve been able to make it available to you. More detail can be found below. There is also:

  • information about our new accountability tracker tool which we’ve developed to aid and improve audits and audit reporting;
  • an update on our climate commitment and race to net zero;
  • guidance on whether you may need to appoint a European representative;
  • the latest information on recent and current cyber threats;
  • a previously asked question about legitimately extending the deadline for Subject Access Requests; and
  • the latest on the new & updated resources in Global Documents since the last newsletter.


You can download our ‘All Staff’ update based on the content of this newsletter by clicking on the image to the side.

And, as always, if you have any further questions about the topics below, or if you would like to book your next visit from us, either online using video conferencing or onsite now many schools are accepting visitors, please get in touch via our new email address DPO@schoolpro.uk

Don’t forget, if there is anything else that you need support with at this time, please ask and we will do whatever we can within our capacity to assist.

Stay safe and healthy!



FREE Cyber Security Training

We have recently added a Cyber Security for School Staff training course to our online platform. It is a FREE course and was written by the National Cyber Security Council based at GCHQ so we can’t take any of the credit for it. They are happy for us to host it on our platform though and you can sign up for free to get a group licence on there and get your staff doing the course.

The course is also available on the NCSC website as either a video or a downloadable PowerPoint but the advantage of doing it through our platform is that staff can do it in their own time, they can save progress as they go and come back later if they need to, and it will give them a certificate to download at the end which they and/or HR can keep. We are also looking at adding a short quiz at the end just to double check people have been paying attention…!

The course is on one of our new course pages where individuals can sign up for the training – Free Online Cyber Security Training for Schools – SchoolPro TLC

If you are an existing DPO service customer, please speak to us directly about getting your staff setup on this training course and we will help get that done for you at no additional cost to your service.

If you know schools that are not existing DPO service customers but who you think would be interested in this training, the group licence for the course is also live and available in our online shop. They can purchase the number of seats they need for the cost of £0 per seat! They can get their free licence here – Cyber Security Training for School Staff (Group Licence) – SCHOOLPRO TLC


Accountability Trackers
Since the start of October, we’ve been introducing a new audit tool for our school visits in the form of our Accountability Tracker:

Adapted from the ICO’s own tool to better fit schools and Trusts, the tracker identifies how your organisation meets the ICO’s expectations in line with the accountability framework. This is identified as a RAG rating across the 10 areas of the framework and then allows you to develop an action plan to work towards meeting expectations in those areas identified as amber or red. The 10 areas of the accountability framework are:

  1. Leadership & Oversight
  2. Policies & Procedures
  3. Training & Awareness
  4. Individuals’ Rights
  5. Transparency
  6. ROPA & Lawful Basis
  7. Contracts & Data Sharing
  8. Risks & DPIAs
  9. Records Management & Security
  10. Breach Response and Monitoring

The tracker has been used on our visits for the past term and will continue to be rolled out to all schools during visits over the coming months. We believe that it will bring further clarity to the audit process and provide a clear roadmap to ongoing compliance for you.


Our Climate Commitment

SchoolPro TLC has made a climate commitment through the SME Climate Hub. We have created a new page for our website where we explain who the SME Climate Hub are, what the commitment means and, over time, show you how we are monitoring our environmental impact and tracking our race to net-zero emissions.

You can access the page here – Climate Commitment – SCHOOLPRO TLC

We also have some exciting news connected to this which we hope to be able to reveal in the next week or two. This will allow schools to get involved with our Race to Net Zero and support us and each other in making a positive change to the climate.


EU Representatives for Data Controllers

It has now been a little over a year since Brexit and there are still a few changes to data protection legislation as a result that are being fully understood.

If you are an organisation (in your case, a school, college or other education establishment) in the UK that processes personal data of individuals within the EEA to offer them goods or services, or to monitor their behaviour, you will need to comply with the EU data protection regime alongside the UK regime. It is likely that you will need to appoint a representative in the EEA.

If your education establishment is a public authority, you don’t need to appoint a European representative and you can skip onto the next article in this newsletter.

But if your education establishment is a private organisation such as an independent school (a private school), you may well need to appoint a European representative.  Unfortunately, you aren’t exempt from this because you are performing the task of a public authority. If that applies to you, read on.

So, when might you be processing the personal data of individuals within the EEA to offer them goods or services, or to monitor their behaviour?

If you have students that come from the EU (i.e. are normally resident in an EU/EEA country) then you would be considered to be offering goods and services to them and so you would need to appoint an EU representative. This is especially true if you are targeting families in the EU/EEA by marketing the school to them, for example.

As the DPO for you, we couldn’t be your EU representative even if a part of our establishment was in the EU. Your DPO and EU representative shouldn’t be the same person or organisation. If you have an establishment within the EU (for example, you have staff working remotely who are based in the EU), you wouldn’t need an EU representative as they can do that on your behalf. If you don’t, your representative may be an individual, or a company or organisation established in the EEA, and must be able to represent you regarding your obligations under the EU GDPR (e.g. a law firm, consultancy or private company). In practice the easiest way to appoint a representative may be under a simple service contract.

Please see the ICO guidance on European representatives: European representatives | ICO and speak to us directly if you feel this might apply to you and you need further support.


Recent and Current Cyber Threats

Log4j Vulnerability

Log4shell is a critical vulnerability in the widely-used logging tool Log4j, which is used by millions of computers worldwide running online services. A wide range of people, including organisations, governments and individuals are likely to be affected by it. Although fixes have been issued, they will still need to be implemented. More information can be found here at the NCSC website –

What the Log4j vulnerability is, who is affected – NCSC.GOV.UK


Phishing and Malware Threat through Google Flaw

Email security specialists Avanan have reported that hackers have been leveraging the comment feature in Google Docs to target primarily Outlook users. The attack works by hackers adding a comment to a Google Doc mentioning the target with an @. This automatically sends an email from Google to that target person’s inbox which contains bad links to malware or phishing sites. To protect themselves, users should cross-reference the email address in the comment to ensure it’s legitimate, scrutinize links and inspect grammar, and deploy protection that secures the entire suite.


Reporting Suspicious Emails to the NCSC

How to report emails to the NCSC’s Suspicious Email Reporting Service (SERS) using Office 365’s ‘Report Phishing’ add-in for Outlook –

Configure O365’s Phishing report add-in for SERS – NCSC.GOV.UK

Previously Asked Question

We are asked data protection questions by schools on a daily basis and there are some questions that come up regularly. We now have an FAQ section on the website for these and all of our answers are published there. You can find this on the Data Protection page of the website or in the blog. Here is one of the questions we’ve been asked recently and the answer we have provided. We will publish more in future newsletters:
Are there any conditions under which we can legitimately extend the deadline for a Subject Access Request?

The short answer is that yes, you can. You can extend the time to respond by a further two months giving you a total of 3 months to respond to the request. There are a number of conditions for this but the one that is most likely to be relevant for you is if the request is “complex”.

You should calculate the extension as three months from the original start date, ie the day you receive the request, fee or other requested information.

If you decide that it is necessary to extend the time limit by two months, you must let the individual know within one month of receiving their request and explain why. It is important to note that you don’t have to ask them if you can extend it, the decision is yours to make as the data controller. However, an open dialogue with the data subject about this will help the process go smoothly and hopefully keep the situation from ending in animosity or a formal complaint. It also may be appropriate to provide some of the data by the initial deadline with the more complex data to come later.

Here is further information about complex requests taken from the ICO guidance –

When can we refuse to comply with a request? | ICO


When is a request complex?

Whether a request is complex depends upon the specific circumstances of each case. What may be complex for one controller may not be for another – the size and resources of an organisation are likely to be relevant factors. Therefore, you need to take into account your specific circumstances and the particular request when determining whether the request is complex.

The following are examples of factors that may, in some circumstances, add to the complexity of a request. However, you need to be able to demonstrate why the request is complex in the particular circumstances.

  • Applying an exemption that involves large volumes of particularly sensitive information.
  • Clarifying potential confidentiality issues around the disclosure of sensitive medical information to an authorised third party.
  • Searching large volumes of unstructured manual records (only applicable to public authorities).

It is important to be realistic in your judgement of the request as ‘complex’. Just because a request involves a large quantity of data, that doesn’t mean it is necessarily ‘complex’ and justifies an extension. Remember, if in doubt, come and speak to us as your DPO and we can advise.

Next month – we are going to look at the exemptions that may apply to data in a Subject Access Request.

New & Updated Resources on the Portal

Since our last newsletter, we have added no new or updated documents.


Data Protection in the News

MAT falls victim to data leak after $8m ransom demand | Tes Magazine

ICO survey on data flouters: 50% say they receive more unwanted calls than before pandemic | The Register

Charities warned about fraud risk after data breach at National Lottery Community Fund (civilsociety.co.uk)

The wheels come off Formula 1’s notification service as fans plied with attacker’s messages | The Register

Google begins showing what its new Play Store safety listings will look like | Engadget

Restoring your privacy costs money, which makes it a marker of class | The Register

Hole blasted in Guntrader: UK firearms sales website’s CRM database breached, 111,000 users’ info spilled online | The Register

EU hits Amazon with record-breaking $887M GDPR fine over data misuse | TechCrunch

Tech biz must tell us about more security breaches, says UK.gov as it ponders lowering report thresholds | The Register

Amazon slapped with €746m fine marking largest GDPR penalty in history | Charged

UK data watchdog sees its approach to government health tech during COVID-19 outbreak as ‘pragmatic’ | The Register

Sainsbury’s failed to warn cat owners of toxic food recall due to email issues | The Guardian

We can’t believe people use browsers to manage their passwords, says maker of password management tools | The Register

T-Mobile US probes claims of 100m stolen customer records up for sale on dark web | The Register

Dallas cops lost 8TB of criminal case data during bungled migration, says the DA… four months later | The Register

Zoom incompatible with GDPR, claims data protection watchdog for the German city of Hamburg | The Register

Privacy watchdog warns pubgoers about handing over data to venues | The Independent

Google and YouTube roll out new protections for teens | Axios

T-Mobile Data Breach Included Personal Information of Almost 50 Million Customers | MacRumors

WhatsApp fined 225 million euro by Irish data protection commissioner | Evening Standard

ProtonMail deletes ‘we don’t log your IP’ boast from website after French climate activist reportedly arrested | The Register

Glasgow firm fined £150k after half a million nuisance calls, spoofing phone number, using false trading names | The Register

The Future of Weaponized App Data | CYBER on Acast


​Please contact us if you do have further questions at DPO@schoolpro.uk.

SchoolPro TLC Ltd (2022)

SchoolPro TLC is not responsible for the content of external websites.