Cyber Security and Data Reform - Newsletter 25

In this month’s newsletter:

The RPA has approved use of our version of the NCSC cyber training

Read our initial thoughts on the proposed Data Reforms

Take a deep dive in to Subject Access Requests with our new guidance

Throw a spotlight on a partner we recommend working with

Ensure that you are aware of some of the latest cyber threats

Discover what Data Protection question we have answered this month

New and updated compliance templates from our online platform

A round up of data protection in the news

It has been a busy few months for us as we launched our brand new online Data Protection Portal. We hope you have had a chance to login and use the new and improved tool including its new data mapping and audit tools. This new portal has enabled us to make a step-change in the way that we support schools. If we haven’t visited you since we launched the portal, please get in touch and we will book in a date (either in-person or remote) to come and see you.

The main topic this month focuses on the free Cyber Security for School Staff training course (written by the NCSC) on our learning platform that has now been approved by the RPA as valid for RPA member schools in the event they need to make a cyber claim. There is also:

our first thoughts on the consultation response for the new Data Reform Bill;
guidance on handling subject access requests;
our partner spotlight highlighting a company we work with and recommend;
the latest information on recent and current cyber threats;
a previously asked question about international transfers of data if working abroad; and
the latest on the new & updated resources in Global Documents since the last newsletter.

You can still download our ‘All Staff’ update based on the content of this newsletter by clicking on the image to the side.

And, as always, if you have any further questions about the topics below, or if you would like to book your next visit from us, either online using video conferencing or onsite now many schools are accepting visitors, please get in touch via our new email address DPO@schoolpro.uk.

Don’t forget, if there is anything else that you need support with at this time, please ask and we will do whatever we can within our capacity to assist.

Stay safe and healthy!

DfE RPA Approval for Cyber Security Training

We have recently had confirmation from the RPA that our version of the NCSC “Cyber Security for School Staff” training course fulfils their requirements for schools / academies. They stated that they “can confirm that RPA member schools are able to use your learning platform to evidence completion of the NCSC training in the event of a cyber claim.”

If you are not already aware, we have taken the NCSC course and adapted it to our learning platform which means you can enrol staff and track their progress, and that staff will receive appropriately named/dated certificates at the end of the course. It is the same content as the NCSC course and is free on our platform.

You can visit the course here and speak to us to add it to your school’s training courses for FREE!

Data Reform Bill

Last week saw the release of the Government’s response to their consultation on the proposed Data Reform Bill.

Data: a new direction – government response to consultation | GOV.UK

It is very much still early days for this proposed legislation but below you can read some of our initial reaction and thoughts and how it might impact how we work with you in the future. There is a lot to go through from this response. It is unclear at this stage what the timeline is for the new legislation and exactly what it will look like based on this response. However, we have picked out a few points that we think could have an impact on schools:

Privacy Management Programs to be a compliance requirement
This is one that we have been expecting and built the online audit/accountability tool in the new portal with this possibility in mind. Essentially, the proposal is to reduce down the accountability requirement to 6 key areas (from the current 10). These are:

leadership and oversight
risk assessment
policies and processes
transparency
training and awareness of staff
monitoring, evaluation and improvement

This potentially simplifies the process and our audit tool has been developed to be fully configurable so, if this change does go ahead as suggested, the existing tool can be adapted to the new Privacy Management Program and relevant information, actions etc already in the tool, can be ported across as required. The Government have been keen to highlight that this is not to reduce the rigour of accountability and lower standards, but to create a more flexible tool that can scale depending on the risk level of the organisations. This may well ease some of the burden on smaller schools, for example.

Data Protection Officers to no longer be mandatory and to be replaced with a ‘senior responsible individual’
This proposal removes the need for an independent DPO with no conflicts of interest and allows the role to be taken on by a senior individual within the organisation. That person will still fulfil many of the existing roles of a DPO so it is likely that many organisations will simply continue with their existing arrangement. The ‘senior responsible individual’ will be responsible for:

representing or delegating a representative to the ICO and data subjects

ensuring appropriate oversight and support is in place for the programme and appointing appropriate personnel

providing tailored training to ensure staff understand the organisation’s policies

regularly auditing the efficacy of the programme.

At present, it isn’t fully clear if this will apply to all organisations or whether it will be only small organisations and those that don’t process high levels of sensitive data that are able to drop the requirement for a “DPO”. We are going to obviously be keeping a keen eye on this one!

Removal of Data Protection Impact Assessments (DPIAs)
The thought here is to provide a more flexible and tailored approach to organisations. Again, the Government are keen to emphasise that this isn’t to reduce rigour and lower standards. And they state that organisations will still have to identify, assess and manage risk. This may allow for a more risk-based approach where lower risk processing has a simpler risk management approach and higher risk processing still follows a similar DPIA process to what is currently in place. However this is implemented, thankfully, this shouldn’t involve new risk management for legacy systems as the Government has stated that “existing DPIAs would remain valid as a way of achieving the new requirement.”

Removal of the Record of Processing Activities (RoPA) requirement
As with DPIAs, this is to provide a more flexible approach that can be tailored to different organisation depending on size and the nature of their processing activities. This will link to the Privacy Management Programs and will require organisations to have “personal data inventories” which “describe what and where personal data is held, why it has been collected and how sensitive it is”. From what we’ve read so far, we believe that our existing data mapping tool will allow for these inventories to be created still with very little need to be adapted from their current format.

Those are a few of the points we think will have an immediate impact on schools. There are more detailed analyses available online of all of the proposals, of course, such as this useful one from the IAPP – UK data protection reform: What is in the government’s proposals? (iapp.org)

It is also clear that not everyone is happy with the proposals. Reading through the response, the prevailing theme appears to be “we asked about this, most of you weren’t happy with proposed changes… so we’re going to make some anyway” which is an interesting approach to a consultation. In our SLT days, we often did student consultations and produced “you said, we did” responses to the students. This has been more of a “you said, we did something else”. And there are likely to be legal challenges as a result:

Data Reform Bill consultation ‘rigged’ and potentially unlawful | Tech Monitor

All we can say is, watch this space…

Subject Access Request Guidance

We deal with a huge number of Subject Access Requests and recently launched a guidance page for schools based on the common questions and issues that we come across during the process. Read more here and bookmark the page for the future in case a SAR ever lands on your desk…

Partner Spotlight

This month it is Derventio Education, specialists in software development for education, delivering products that make a real difference, positively impact teaching and learning and empowering staff. Their in-house development team work with teachers, lectures and educationalists to develop software solutions and services that pro-actively support improvement within education and ultimately better outcomes for students.

Recent and Current Cyber Threats

Increased Ransomware Threat

We are going to publish this again because we think it is important and we are still seeing a lot of phishing emails and similar threats circulating in schools.

UK, US, and Australian cyber experts are warning of a “growing wave of increasingly sophisticated ransomware attacks”. Lindy Cameron, the chief executive of the UK National Cyber Security Centre (NCSC), has warned that ransomware is “a rising global threat with potentially devastating consequences”. Organisations can get advice about how to prevent and protect against ransomware at the NCSC ransomware hub here:

A guide to ransomware – NCSC.GOV.UK

Warnings have also gone out in the past fortnight with regards to an increased cyber threat as a possible consequence of the on going situation in Ukraine. More information on what actions you can take can be found here:

Actions to take when the cyber threat is heightened – NCSC.GOV.UK

New Email Security Tool

The NCSC has launched a new email security tool to assist organisations in checking their defences. The security service check helps organisations to identify vulnerabilities. More information can be found here:

New email security tool launched to help organisations… – NCSC.GOV.UK

NCSC Expands Services to Protect Against Online Scams

A record number of scams were removed online in 2021. This was due to the Active Cyber Defence programme and the National Cyber Security Centre has significantly expanded its services in order to protect the UK against this new level of threat. Read on for more:

NCSC significantly expands services to protect UK from… – NCSC.GOV.UK

Other Threats Identified…

Snake Keylogger Malware Being Spread in PDF Files – Online security experts are warning people to take extra care when downloading PDF files after PDFs were recently used in campaigns to deliver Snake Keylogger malware. Snake Keylogger, which is eighth place in Check Point’s Global Threat Index, records a user’s keystrokes and transmits the collected data to cybercriminals. The advice is to use a robust email security solution that quarantines and inspects attachments. (Cheltenham IT Support | Reform IT)
Microsoft Office Users Warned About Word Malware Scam – Cybersecurity expert, Kevin Beaumont, has warned Microsoft Office users about a scam that uses a hole in a Microsoft Word. The scam, dubbed “Follina”, involves cybercriminals leveraging a Windows utility called msdt.exe to cause victims to download a malware-loaded Word file. The malware could allow attackers to run arbitrary code, install programs, change or delete data, or create new accounts. Microsoft has issued workaround guidance. (Cheltenham IT Support | Reform IT)
QuickBooks Customers Targeted by Phishing Attacks – Tax software vendor Intuit has warned that QuickBooks customers are being targeted with phishing attacks that are impersonating the company and are designed to lure targets with fake account suspension warnings. The phishing emails ask targets to click on a “Complete Verification” button which re-directs them to a phishing site designed to harvest personal information or infect their system with malware. The advice to QuickBooks customers is not to click any embedded links or open attachments, and to delete the messages from the inbox. (Cheltenham IT Support | Reform IT)

Previously Asked Question

We are asked data protection questions by schools on a daily basis and there are some questions that come up regularly. We now have an FAQ section on the website for these and all of our answers are published there. You can find this on the Data Protection page of the website or in the blog. Here is one of the questions we’ve been asked recently and the answer we have provided. We will publish more in future newsletters:

Do staff working remotely abroad require international transfers of data and relevant safeguards being implemented?

The full question asked here was as follows – If we have a member of staff who is having to quarantine for a couple of weeks in another country (one outside the EU/EEA and that doesn’t have an adequacy decision), what are the GDPR implications if they are going to work remotely from that country during their quarantine? Does this constitute an international transfer?

In this case, the member of staff was having to stay overseas due to Covid restrictions and therefore work remotely until they could return to the UK. This could also apply if you had staff working remotely from countries outside the UK and that don’t have adequacy agreements in place. The ICO provided the following advice:

This wouldn’t class as an international transfer, because the receiver of the personal data wouldn’t be legally distinct from the sender, i.e. the person accessing the data is a member of staff rather than a separate entity. Accessing data in a third country would class as a transfer if the scenario did involve two separate legal persons. [However, in this instance,] you don’t need to consider it as an international transfer (implement an appropriate safeguard etc.) but you do need to apply appropriate security measures.

So appropriate technical/organisational security measures would need to be applied when accessing the data from abroad, such as not using public WiFi where possible, but there isn’t the need to identify appropriate safeguards for international transfers.

New & Updated Resources on the Portal

Since our last newsletter, Global Documents has moved across to the new portal and is now sorted into folders. This should make it easier to find the documents you need, when you need them. We have also added three new documents and one updated document:

New Documents