Best Practice Update

    You are here:  
  1. Home
  2. Best Practice Update
  3. Why Physical and Data Security Must Go Hand-In-Hand
A photograph of a school classroom that has been broken into, showing damage and signs of theft. In the foreground, a wooden laptop trolley is open and empty, with a single black laptop sitting on top. Glass from a shattered window on the left side of the room is scattered across the floor, catching the light. Desks and chairs are disarranged, and a projector screen is torn. A chalkboard with some graffiti is visible in the background, completing the scene of a ransacked classroom.
Best Practice Updates

Why Physical and Data Security Must Go Hand-In-Hand

The sight of a ransacked classroom is unsettling, especially for a junior school community. A break-in is not just about the cost of a new window or a replacement laptop; it is also about the potential loss of sensitive data.  Greenfields Junior School, in Green Lane, was broken into during the summer holidays.

There have been reports on North Harts Police social media channels about the break in and further information and photos have been reported by the Basingstoke Gazette: Greenfields Junior School broken into during summer holidays.

Physical damage was done to the building and contents, including damaging interactive whiteboards.  The burglars accessed lockers and took laptops and iPads.

While physical breaks-ins, with their visible damage and stolen goods, are almost always reported to the police.  The immediate aftermath - broken glass, overturned furniture, and missing items - makes the crime obvious and prompts an immediate call to the policy.  However, the data breach or cyber incident aspect that often stems from these physical thefts is sometimes overlooked.

The Disconnect in Reporting

A break-in is a tangible event. The crime scene is a clear prompt for action, to report the crime for investigation and for insurance purposes.  But when laptops and tablets are the stolen items, the subsequent data breach is less tangible and can easily be forgotten due to the rush to deal with the physical aftermath, and because of the school holidays when there are often less staff and resources available.

The loss of a device is not just about its monetary value; it's about the sensitive information it may contain.  This can include:
  • Student data: names, addresses, health information and academic records.
  • Staff data: personal details, payroll information and professional documents.
  • Parental data: contact information and financial details.

While the police investigate the theft, the organisation (in this case a school) has a separate, and equally urgent, responsibility to manage the data breach.  This means that you should inform your DPO, and then they can help you assess whether the breach reaches the threshold for reporting the ICO.

Support and Guidance:

Review DfE School and College Security.

Review the DFE Digital Standards:

Cyber Security Standards

This is the most critical section. A physical break-in that results in the theft of devices is a form of cyber incident, as it compromises the data on those devices. The standards mandate that schools:

  • Have a Cyber Response Plan: Schools must have a pre-defined plan for what to do in the event of a cyber incident, including who to contact and what steps to take to minimise the impact. This plan should be regularly tested.

  • Implement Secure Backups: The standards are very clear on this, requiring at least three backup copies of important data, stored on two separate devices, with at least one of these off-site. This ensures data can be recovered even if all on-site devices are stolen or destroyed.

  • Manage Data Protection: The standards require schools to comply with UK GDPR, which includes conducting Data Protection Impact Assessments (DPIAs) for personal data, controlling user access, and having a clear process for reporting data breaches.

Digital Leadership and Governance Standards

These standards place the responsibility for security at a strategic level. The break-in scenario highlights the need for:

  • Clear Roles and Responsibilities: A senior leader should be designated to be responsible for digital technology. This person would work with the Data Protection Officer (DPO) and IT support to create and implement a robust security strategy.

  • Disaster Recovery and Business Continuity Plans: The standards require schools to include digital technology and data within these plans. This ensures that the school can continue to operate and recover quickly after an event like a break-in.

  • Asset Registers: Schools must keep up-to-date registers of all hardware and systems. An accurate list of devices is essential for police reports and for knowing exactly what data might have been compromised.

Laptops, Desktops and Tablets Standards

This section deals with the devices themselves. The standards require that:

  • Devices are safe and secure, which implies they should be stored securely when not in use.

  • Device security features, such as passwords and encryption, are correctly configured to protect the data stored on them, making them useless to thieves.

Contact us for more information about our online DfE Digital Standards Tracker tools, which can help you track and report on your progress.  The DfE recently announced that all schools and colleges should work towards the main six standards for compliance before 2030.

Data Protection Education customers should review our Data Breach Best Practice Area for help and advice.
Review our document Physical Security Policy Template(179 KB)

Watch our free micro learning video about Physical Security.



Our thoughts are with Greenfields Junior School, at a time when school budgets and resources are limited for schools.
©2025 Data Protection Education Ltd.

Search