Best Practice Update

Blue data breach text on blue cyber background, and orange reprimand stamp

The ICO Reprimands a school

A reprimand has been issued by the ICO to Parkside Community Primary School in relation to the infringements of Article 5 (1)(f), Article 24 (1) and Article 32 of the UK GDPR. This article discusses the reprimand and looks and what schools can do to avoid this type of breach.

Some of the information in the reprimand document is redacted, but the main details are:
  • A safeguarding email was shared in the classroom via the electronic whiteboard.
  • The ICO has found that the school disclosed personal data inappropriately, including special category data, in a classroom environment.
The breach is in relation to the UK GDPRs security principle, meaning that the school failed to prevent unlawful disclosure of personal data.
The school also failed to implement appropriate technical and organisational measures to ensure personal data is kept secure under Article 32 of the UK GDPR.

The findings were that the school did not have:
  • Detail in the data protection policy of when it was appropriate to open emails containing personal data.
  • Policies relating to the use of the school's electronic safeguarding system.
  • Written guidance for staff on the classification of emails, i.e. there was no labelling or system to indication that an email contained sensitive information.
  • Procedures or guidance relating to when it is appropriate in the school day to open emails generated by the electronic safeguarding system.
  • Procedures or guidance in relation to the safe operating of electronic whiteboards,  especially when screen sharing.
There were several steps taken and further action recommended which all schools should take into consideration when using these kinds of systems and when handling special category data in a busy school environment:
  • The governor responsible for the strategic management of data protection reviewed current practices and made recommendations. Many schools we speak to do not have this type of governor in place.  Consider reviewing our Governance Best Practice Library.  This article discusses the governor responsibilities in more detail: Cyber responsibilities for Governors/Trustees in schools
  • Formal guidance was given to staff about how data breaches should be reported. This is something usually discussed with our customers during our consultations.  All staff should know how to recognise a data breach and the procedures for reporting one.  Consider reviewing our full How to avoid a data breach training course, or invite staff to view our 5-10 minute Data Breach Learning Nugget.
  • Staff have been instructed that all alerts sent by the electronic safeguarding system should be read at specific times of the day and never when children are present or in the vicinity of the classroom. 
  • All staff have been instructed to use data classification such as SENSITIVE/HIGHLY SENSITIVE in the subject line of an email. Such emails should only be read before and after the school day. Review our Information Classification Best Practice Library in line with your email policy.
  • Governors are to be alerted to an incident as soon as it is reported to the Head.  Our Knowledge Bank allows schools to add governors and trustees as users, so they can get an overview of data breaches: 
  • Cases of a complex and sensitive nature on the electronic safeguarding system can only be accessed by the Headteacher, Deputy Headteacher and Parental and Pastoral Officer and shared with relevant members of staff on a need-to-know basis at scheduled meetings. Consider access control procedures, review our Information and Cyber Security Best Practice Library.
  • All staff and governors are to receive data protection refresher training.  We provide a 20-minute GDPR Refresh Course which can be assigned to both staff and governors by an administrator: 
  • All staff are to be issued with the school's data protection policy and to be familiar with its content.
  • The data protection policy has been reviewed.  The updated policy instructs staff how to report a breach, what constitutes a breach, and who to report it to and what happens once this has been done. Review our template policies:  document Model Data Protection Policy (206 KB)  and  document Data Breach Procedure (210 KB) .
  • All staff to sign an electronic document to confirm they have read and understood the data protection policy.  The DPE Knowledge Bank has a Compliance Manager tool that allows documents to be uploaded and assigned to staff to be read and signed within a set time period: 

The further actions recommended were:
  • Refresher training on the operation of electronic whiteboards for relevant employees with the emphasis on security and the relevant steps for employees to take to avoid a personal data breach when operating an electronic whiteboard.  Often the reseller or the manufacturer will offer free training or training videos about how to operating the equipment.
  • Ensure there is sufficient written guidance on the use of the electronic safeguarding system.
  • Consideration of refresher data protection training for all members of staff.  Both members of staff had failed to report the breach. Staff should understand the consequences of failing to report a breach, as mitigating action can lessen the effects of a personal data breach. Review our Data Breach Learning Nugget and Recognise a personal data breach drip feed poster.
  • Adequate technical and organisational measures should be in place to ensure the security and confidentiality of emails sent internally which include personal data, particularly when these contain sensitive and special category. Review Information and Cyber Security Best Practice Library.
  • The policies and procedures should have prominent, sufficient and adequate practical guidance for employees, including regular reviews and work to increase staff awareness.
  • All new processes should be tested.

The key points to take from the recommendations are that you should always be aware of where you are and who might see what you're working on.  Data classification and access controls are vital.  Special category requires extra security.

Consider all the advice above with what other safeguarding and special category data that you may have displayed around your school?  Consider using our Making the Rounds tool to do your own data walk or get in touch with your Data Protection Education School Consultant to do the walk with your or have a follow-up feedback meeting.

Use our  pdf DPE Quick Reference Guide (1.64 MB)  for practical advice on what can be displayed around schools.

The full reprimand can be read here: