
Why Physical and Data Security Must Go Hand-In-Hand
There have been reports on North Hants Police social media channels about the break-in, and further information and photos have been published by the Basingstoke Gazette: Greenfields Junior School broken into during summer holidays.
Physical damage was done to the building and contents, including damaging interactive whiteboards. The burglars accessed lockers and took laptops and iPads.
Physical break-ins, with their visible damage and stolen goods, are almost always reported to the police. The immediate aftermath - broken glass, overturned furniture and missing items - makes the crime obvious and prompts an immediate call to the police. However, the data breach or cyber incident that often stems from these physical thefts is sometimes overlooked.
The Disconnect in Reporting
A break-in is a tangible event. The crime scene is a clear prompt for action: to report the crime for investigation and for insurance purposes. But when laptops and tablets are the stolen items, the subsequent data breach is less tangible and can easily be forgotten in the rush to deal with the physical aftermath, particularly during the school holidays when there are often fewer staff and resources available. The loss of a device is not just about its monetary value; it's about the sensitive information it may contain. This can include:
- Student data: names, addresses, health information and academic records.
- Staff data: personal details, payroll information and professional documents.
- Parental data: contact information and financial details.
While the police investigate the theft, the organisation (in this case a school) has a separate, and equally urgent, responsibility to manage the data breach. This means that you should inform your DPO, who can then help you assess whether the breach reaches the threshold for reporting to the ICO.
Support and Guidance:
Review DfE School and College Security.
Review the DfE Digital Standards:
Cyber Security Standards
This is the most critical section. A physical break-in that results in the theft of devices is a form of cyber incident, as it compromises the data on those devices. The standards mandate that schools:
- Have a Cyber Response Plan: Schools must have a pre-defined plan for what to do in the event of a cyber incident, including who to contact and what steps to take to minimise the impact. This plan should be regularly tested.
- Implement Secure Backups: The standards are very clear on this, requiring at least three backup copies of important data, stored on two separate devices, with at least one of these off-site. This ensures data can be recovered even if all on-site devices are stolen or destroyed.
- Manage Data Protection: The standards require schools to comply with UK GDPR, which includes conducting Data Protection Impact Assessments (DPIAs) for personal data, controlling user access, and having a clear process for reporting data breaches.
These standards place the responsibility for security at a strategic level. The break-in scenario highlights the need for:
- Clear Roles and Responsibilities: A senior leader should be designated as responsible for digital technology. This person would work with the Data Protection Officer (DPO) and IT support to create and implement a robust security strategy.
- Disaster Recovery and Business Continuity Plans: The standards require schools to include digital technology and data within these plans. This ensures that the school can continue to operate and recover quickly after an event like a break-in.
- Asset Registers: Schools must keep up-to-date registers of all hardware and systems. An accurate list of devices is essential for police reports and for knowing exactly what data might have been compromised.
This section deals with the devices themselves. The standards require that:
- Devices are safe and secure, which implies they should be stored securely when not in use.
- Device security features, such as passwords and encryption, are correctly configured to protect the data stored on them, making them useless to thieves.
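The asset register and device encryption points above come together in the first hours after a theft: the DPO needs to know which stolen devices held personal data and whether that data was protected. The following is an added example (not from the original post or from the DfE standards) of a small triage helper; the register entries, serial numbers and field names are constructed for illustration.

```python
"""Triage stolen devices against a school asset register.

Hypothetical helper: given the register and the serials reported stolen,
work out which devices need a breach assessment by the DPO. The register
below is constructed sample data, not a real school's inventory.
"""
from dataclasses import dataclass, field
from typing import Optional

# Constructed register: serial -> what the device is and what data it holds.
ASSET_REGISTER = {
    "LT-0001": {"type": "laptop", "encrypted": True,  "data": {"student", "staff"}},
    "LT-0002": {"type": "laptop", "encrypted": False, "data": {"student", "parent"}},
    "TB-0101": {"type": "ipad",   "encrypted": True,  "data": set()},
    "TB-0102": {"type": "ipad",   "encrypted": False, "data": set()},
}


@dataclass
class Finding:
    serial: str
    in_register: bool
    encrypted: Optional[bool]          # None when the device is unknown
    data: set = field(default_factory=set)
    needs_breach_assessment: bool = False
    reason: str = ""


def triage_stolen_devices(register, stolen_serials):
    """Return one Finding per stolen serial, in the order reported."""
    findings = []
    for serial in stolen_serials:
        rec = register.get(serial)
        if rec is None:
            # A device missing from the register must be treated as unknown
            # contents, which is exactly the gap the standards warn about.
            findings.append(Finding(serial, False, None, set(), True,
                                    "not in asset register: contents unknown"))
        elif rec["data"] and not rec["encrypted"]:
            findings.append(Finding(serial, True, False, set(rec["data"]), True,
                                    "unencrypted device holding personal data"))
        elif rec["data"]:
            findings.append(Finding(serial, True, True, set(rec["data"]), False,
                                    "encrypted at rest: log for DPO, mitigation noted"))
        else:
            findings.append(Finding(serial, True, rec["encrypted"], set(), False,
                                    "no personal data recorded for this device"))
    return findings


def devices_to_escalate(findings):
    """Serials the DPO must assess against the ICO reporting threshold."""
    return sorted(f.serial for f in findings if f.needs_breach_assessment)
```

Devices that are encrypted still belong in the breach log; the helper only separates those where the data is plausibly exposed from those where encryption is a recorded mitigation.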
Data Protection Education customers should review our Data Breach Best Practice Area for help and advice.
Review our document Physical Security Policy Template (179 KB).
Watch our free micro learning video about Physical Security.
Our thoughts are with Greenfields Junior School, at a time when school budgets and resources are already limited.