What does the NCSC 2022 Annual Review, published this week, mean for schools? It’s been a busy year for education already with school budgets hit by unplanned teacher pay rises and doubling energy bills all before the end of the first term.  It is hard to fathom or think about how the conflict between Russia and Ukraine, being fought thousands of miles away, can be another influence.  The Rt Hon Oliver Dowden CBE MP says “that war extends to all fronts, including cyberspace. New data shows the UK is the third most targeted country for cyber attacks, behind only the USA and Ukraine”.  Sir Jeremy Fleming, Director GCHQ said in his foreword in the annual report that “We must be able to trust the systems that connect us, that enrich our lives economically and socially.  And that means that cyber security matters to everyone”.

We all know that schools are underfunded in terms of staff and technology, so how can they protect themselves, and how can they afford to with current budget constraints?

A giant of the adtech industry in France has recently been fined for breaching the European Union data protection regulation. A multi-year investigation has been conducted by France’s national privacy watchdog, and they have found that Criteo have breached their privacy laws, and have issued them a $65 million fine. Criteo is an advertising company established in 2005, and the fine concerns their use of ‘tracking ads’. Privacy International, a digital rights privacy advocate group, lodged a complaint in 2018 about Criteo.

We’ve discussed in the past the use of biometric systems in UK schools, and how privacy advocates have expressed concern over the collection of the biometric data of students. They feel that not only is it excessive, but there are also easier alternatives, which will in each case do the same job that using the biometric systems would. Now, it’s becoming clear that the classroom of tomorrow could become a centre for excessive and intrusive data collection, above even that of Google itself.

Cybersecurity should be seen as a key element of normal working practices.

On the 10th October 2022 the DfE issued updated cybersecurity standards for schools. Given most of the standards should already be implemented or are required to be implemented as soon as possible, there is an implication that these should be part of normal working practices.

Facebook gets a small win in Europe

EU regulators are currently at odds on how to prevent Facebook’s parent company, Meta from transferring EU user data to the US. The draft decision, made in Ireland, aimed to stop certain data from being sent outside the EU, with Facebook claiming that this would severely impact the offerings they would be able to give to EU users, and potentially mean that they have to shut down Facebook and Instagram in Europe all together.

Google urges Android partners to apply latest security patches

Google releases a monthly security bulletin, and in their recent edition they have outlined their latest patches for Android systems, which you can find here. 37 vulnerabilities were highlighted in the bulletin, and one of them is a security flaw which could allow remote code access through the use of Bluetooth, without needing any additional execution privileges. Google has urged users to update their devices to the latest version of Android, with the flaw being patched on Android 10, 11, 12 and 12L.

Recently we’ve been breaking down the Online Safety Bill, an updated and strengthened version of which was recently published by the government after going through parliamentary scrutiny. So far we’ve looked at an introduction to the Bill and what changes have been made since its original draft. Today, we’ll be taking a look at the practical implications for users, so that we can better understand how it will impact our day-to-day lives, if at all.

The government have recently published an updated version of The Online Safety Bill, after it has gone through Parliamentary Scrutiny. The outcome of this is, according to the government, a stronger and more clarified version of the Bill. Below I'll detail the key differences between the original draft version and the updated version of the Bill. The information for this comes from the government website which breaks down the refined version of the Online Harms Bill, which can be visited by clicking here.

Officials in Denmark have recently carried out a risk assessment around the risks posed by Google when processing personal data for schools. As a result of this investigation, schools in Denmark have effectively banned the use of Google services. The decision, which was published last week by Datatilsynet (Denmark’s data protection agency), stated that Google’s cloud based software services which includes Gmail, Google Drive, and Google Docs, does not reach the requirements set out in the European Union’s GDPR data privacy regulations.

Our first cyber security story involves another new WhatsApp scam where cyber criminals are posing as WhatsApp users' friends and family and asking them to send them money. Scammers send the victim a message claiming to be someone they know, and providing a ‘reason’ why they are using a new number. They then go on to give a fake reason as to why they need the user to send them money.

Children Aged 10 and Older 

Children aged 10 and older can be arrested, interviewed and charged with criminal offences and, if found guilty, they will receive a criminal record. The UK has the youngest age of criminality in Europe and this has been condemned by the UN Committee on the Rights of the Child (see UNCRC, 2002, 2008, 2016). These criticisms have also been reiterated domestically by the National Association for Youth Justice, and the Standing Committee for Youth Justice.

Disney Sign New Automated Advertising Deal

Disney have recently signed a new deal with a global ad tech company called The Trade Desk which will allow brands to use targeted automated advertising across Disney’s platforms. The agreement makes it one of the biggest deals that facilitate the use of new ad-targeting systems with third-party tracking becoming less popular, and could likely influence more agreements and partnerships between media companies in the future.

Parents and guardians with parental responsibility often use SARs as a way to obtain the educational record of their children. There appear to be two reasons why this may be the case. Firstly, no charge can be made for a SAR, which makes it more cost effective than making an application under The Education (Pupil Information) (England) Regulations 2005.

Earlier this year, in response to the conflict between Russia and Ukraine, NCSC urged organisations to focus on heightening their cyber security programme. Since the beginning of the conflict, there has been an increase in cyber activity in Ukraine. Therefore it's more important than ever that you have the necessary protocols in place to protect your organisation against a cyber attack. The National Cyber Security Centre has recently published their guidance on ‘Maintaining a sustainable strengthened cyber security posture’,

In the future, there could be fewer fines being handed out to public sector organisations, according to the ICO’s new data protection regulator. The thought behind this comes from the idea that using fines as a punishment for sufficient data breaches only harms the public services that receive them, and therefore fewer financial penalties will be handed out, and the ones that are will generally be of a lower amount.

There are fresh data privacy concerns surrounding TikTok, after a report by BuzzFeed has brought into question the validity of TikTok’s claim that they had started routing US users’ data to US-based servers, in partnership with Oracle. The report conducted by BuzzFeed alleges that TikTok employees in China continue to access US users’ data, and have done so over a span of several months from September 2021 to January 2022.

Potential Changes to ‘Cookies’ 

As part of the Government’s proposed changes to data protection laws, one of the areas that would see changes is the practices around cookie consent. Currently, when you visit a website, a cookie pop up ‘pops up’ on your screen asking you to consent to the different types of cookies that the website wants to use.

A new article by The Washington Post discusses how App companies are using loopholes in privacy law to harvest the personal data of children. Geoffrey Fowler, a technology columnist, provides a worrying figure to detail the extent to which these companies are collecting data from the children who use their apps. According to Fowler, by the time a child is 13, online advertising firms have collected on average 72 million data points about that child.

The Human Rights Watch have recently published a report on the relation between virtual schooling and data tracking. The report finds that there is a potentially worrying gap between how kids use online platforms, and how current data privacy policies protect them. As a result of the pandemic, there was an unprecedented transition to online learning, and platforms that were already established, as well as new ones that began scaling up, were used to fill the void.

The first story we’ll be discussing is one involving Facebook, and Mark Zuckerberg. Recently, a new lawsuit has been filed against Zuckerberg by Attorney Karl A. Racine. Zuckerberg is being sued for directly taking part in decision-making that allowed the Cambridge Analytica data breach. The lawsuit also states that Facebook lied to users with regards to promises made around data protection and privacy. It is alleged that Zuckerberg facilitated the poor privacy agreements and lack of protection given to user data.

With the ICO’s Children’s Code being  brought into effect last year, it is now a legal requirement that organisations that deal with children’s data uphold their rights as a priority, according to Article 1 of the Code. As a part of this, the ICO have published their ‘Best Interests of the Child Self Assessment’ tool, which provides guidance and information on how to ensure that if you are collecting children’s data, or plan to do so, that you are acting in the best interests of the children whose data you are collecting, as well as in accordance with the United Nations Convention on the Rights of the Child (UNCRC).

In this edition of cyber news roundup, we’ll be looking at the continuing cyber threat to health and education sectors, the risks that app stores pose to users, and 2021’s most exploited vulnerabilities.

Amazon’s latest entry into the smart home device technology is their Astro bot, which they describe as:

“The household robot for home monitoring, with Alexa. When you're away, use the Astro app to see a live view of your home, check in on specific rooms and viewpoints, and get activity alerts. When you're home, Astro can follow you from room to room playing your favorite music, podcasts or shows, and find you to deliver calls, reminders, alarms, and timers set with Alexa.”

The Record of Processing can often seem like a daunting process to undertake- but it’s important to view it as exactly that- a process. Documenting the processes your organisation carries out is an ongoing project that you continue to evolve and develop as those processes change. The value you can get out of spending some time and care by completing various ones shouldn’t be underestimated. We’ve spoken to some of the people who have used the RoP tool on the Knowledge Bank, and asked them what they found challenging, and what they found the most useful parts of the tool, in the hope that it will help some of you who may feel that carrying out the Record of Processing is a daunting task.

2022 Security Breach Report Published

The Cyber Security Breaches Survey for 2022 has recently been published by The Department for Digital, Culture, Media and Sport- the full version of which you can find by clicking here.

VPNs have become commonplace over the past couple of years, with every content creator out there having at some point been sponsored by Nord VPN (other VPN providers are available). VPNs are mostly used so that we can watch content on streaming platforms that would otherwise be blocked in the UK. However, as well as allowing you to watch Pulp Fiction on Canadian Netflix, VPNs have excellent security benefits that can help prevent data breaches and cyber attacks.

Organisations in Ukraine are the target of Destructive Malware


Agencies in the US and Australia have published alerts in response to a recent increase in cyber threats to organisations in Ukraine, stating that organisations should take steps to mitigate the threat that currently exists from destructive malware.

Data Protection Education are leading specialists in Data Protection for Schools and Trusts, with the key service that we offer being a Data Protection Officer (DPO) service. Under UK GDPR, Public Authorities or Bodies, as well as businesses carrying out certain processes are required to appoint a Data Protection Officer (DPO). But what does a DPO do? What value do they bring to an organisation, and how do we help you stay data protection compliant?


Recently there has been an annual study published by Ponemon Institute (sponsored by Experian) entitled “Is Your Company Ready for a Big Data Breach?”. The study looks at the state of breach preparedness across organisations over a period of a year,

Microsoft Azure Breach Leads to Student Data Exposure 

Researchers and Clario published a report which outlined how an open Microsoft Azure repository, which needed no authentication and was indexed by a public search engine, had been found.

It’s been far too long since we’ve checked in with Facebook (now Meta), and their ongoing mission to make as much money as possible from our data, so we thought we would discuss the Metaverse, with Mark Zuckerberg’s company being at the forefront

The 1st of January, the 25th of December, and the 28th of January- the three biggest dates in the calendar each year for being New Years Day, Christmas Day and of course, Data Privacy Day.

With cyber threats increasing every month, we’ll be looking to provide weekly updates on the different cyber security threats that have taken place recently to highlight all the different ways in which our data can be accessed by those wishing to do harm.

For most organisations, a lot of thought and care goes into ensuring that when you’re collecting data, you are complying with the relevant data protection legislation- that it’s being collected with consent where required, that you have a lawful basis etc. However,

Cyber attacks are on the up, and with the education sector seeing the highest number of cyber attacks of any sector since the start of the pandemic, as well as the highest increase in attacks in that same period

This year, and in particular since the start of this academic year, we’ve been adding new areas to the already extensive functionalities that the Knowledge Bank offers your organisation.

On the 10th of November 2021, The Supreme Court announced their long awaited decision regarding a lawsuit between Mr Lloyd and Google. The court found unanimously in favour of Google, and dismissed the Court of Appeal’s previous decision.

You may be aware that the UK government is currently holding a consultation "Data: A new direction" on the future of data protection law and regulation in the UK.

Here are some thoughts on our opinion.

Another week, another Facebook story. Don’t worry, we're not slowly becoming a Facebook news outlet, they just keep making headlines in the world of data protection, and this time seemingly for a positive reason.

How to share this year’s Nativity play online safely

Schools will have good intentions in wanting to share this year’s Nativity play online. But how do you ensure you do this safely and adhere to the latest data protection regulations? Below is some guidance which will support you in this task.

Judge rules that Amazon Ring doorbells breach GDPR:

A judge in Oxford County Court has ruled that audio recordings from an Amazon Ring doorbell have breached data protection laws. The case involved an individual taking their neighbour to court, stating that the numerous recordings they had from their various cameras they had set up outside their house amounted to harassment and a breach of the Data Protection Act 2018.

The ICO has published a new code of practice entitled the ‘Data Sharing Code’. The code came into force on October 5th 2021, after being published on September 14th 2021. DLA Piper provides a good overview of the new code of practice, a summary of which can be found below, however if you wish to read their article on the code, you can find it here.

Under UK GDPR, organisations that hold personal information/data about people have a responsibility to ensure that that data is being dealt with in line with the relevant legislation.

At Data Protection Education, we are currently working on contacting all school suppliers with the aim of receiving all of their privacy policies and data agreements to ensure they are being GDPR compliant.

The Children’s Code

The first update from the ICO is that the transition year for the introduction of The Children’s Code (also known as The Age Appropriate Design Code) has passed, with the code having come into effect on September 2nd.

The National Cyber Security Centre has today upgraded its advice to schools relating to the prevalence of cyber attacks in the sector:

We've looked at the importance of an adequacy decision to allow the free-flow of data between the United Kingdom and Europe in our earlier articles on Brexit. Finally, although in reality quite quickly, we have a decision - with draft adequacy decisions from the European Commission.

Purely from a data protection perspective!

There are various provisions around data in the UK-EU Trade and Cooperation Agreement.

As we all know, on 31 December 2020, the Transition Period (sometimes also referred to as the “Implementation Period”) under the EU-UK Withdrawal Agreement will come to an end. And one of the areas still in the mix is data protection, so what is the status now and what changes?

We know the jargon can be confusing. As can the timelines for responding to the various requests that you receive.

Is it a month? Or 30 days? Are those working days?

So here's a little chart to simplify everything:

Some of you may have seen in the press the long-running legal dispute of Various Claimants vs Morrisons,  which after starting in the High Court in 2017 has finally seen a ruling issued by the Supreme Court.
