A recent study conducted by Check Point Research which can be found at the bottom of this article has found that there has been a 29% increase in cyberattacks on organisations in the education sector since 2020, the highest increase of any sector. 

With such a worrying statistic, we thought it was worth highlighting the study’s findings to illustrate how cyberattacks are becoming an increasingly dangerous threat to schools and the personal data they are responsible for, and what can be done to best protect against these threats. Due to the pandemic, organisations particularly in the education sector were forced to change to a mostly remote workforce. Schools worldwide were then needed to adapt their infrastructure so that employees could work from home effectively. 

Unfortunately, this means that educational providers such as Universities and Schools are at the highest risk they’ve ever been of cyber attacks in 2021, and explains why the education sector is seeing the highest increase in weekly cyber attacks worldwide, over and above any other sector’s increase. A frightening case study that is noted in the article is that the Department for Education in Australia’s New South Wales have recently experienced a cyber attack which resulted in their entire online platforms being shut down just days before remote learning was due to start at the beginning of their new school term.

The Check Point points out some other worrying statistics that their study has found regarding the risk cyber attacks pose to the education sector in particular. As of July 2021, the education sector has not only experienced the highest percentage increase of attacks in the last year, but also now has the highest volume of weekly attacks, with an average weekly number totalling 1,739. Whilst the study shows that the most target countries are India, Italy and Israel, it’s worth noting that the UK has seen a 93% increase in weekly attacks in July 2021 compared to the first half of 2021, with the education sector in particular in the UK seeing a 142% increase in that same time.

The study conducted by Check Points highlights the increasing threat posed by cyberattacks and the risk it poses to personal data. With the education sector in particular being targeted at such a high rate, we all must take the necessary steps to mitigate that risk as much as we can. 

Data Protection Education provides various tools to help manage your risk from cyber attacks, that can be used as part of your mitigation strategy. These focuson the management and human elements and should be I place alongside the recommended resilience and security from your IT provider. These include our phishing simulation tool, information security policies, business continuity plans, off-the-shelf risk assessment, software/systems ad supplier due diligence and of course, our info-sec e-learning. 

The full article along with some graphs that can help visualise just how much the cyber attack threat has increased in the education sector, and in the UK in particular can be found here.

The Flow of Data Post Brexit


At Data Protection Education, we are currently working on contacting all school suppliers with the aim of receiving all of their privacy policies and data agreements to ensure they are being GDPR compliant.

With that being said, an article from The Business Desk regarding the potential changes to data flow between the UK and EU as a result of Brexit stood out to me, as many of you will have suppliers outside of the UK, and therefore may be impacted by any changes to data flow regulations. After Brexit, there was a real concern that there would be changes to how data is allowed to flow between the UK and EU, which would create a difficult process for those involved. The decision on whether there would be any changes would be based on whether the EU deemed the UK’s current flow of data processes adequate or not. 

It has thankfully now been decided though that the UK is an adequate country for data flow, and therefore data can flow freely between the UK and EU as it has been so far. This means that any processes currently in place with suppliers outside of the UK and in the EU can remain how they are. Despite this decision, there have been challenges to it being adopted. For example MEP’s have expressed their concern for how the UK would use data in the future and. Have urged for regulations to be imposed to restrict future use of data for certain uses. There is also a general mistrust of how each party’s residents’ data will be used by the other. The recent case of Schrems II in 2020 is a good illustration of how different countries are wary of data storage in non EU countries. If you wish to read more about Schrems II and its possible impacts, particularly in cloud data storage and any potential future impacts the decision may have, you can visit https://dis-blog.thalesgroup.com/security/2021/04/29/what-is-schrems-ii-and-how-does-it-affect-your-data-protection-in-2021/ for a good summary of the case.

After the United Kingdom left the European Union, EU laws relating to Data Protection (GDPR) were no longer applicable to UK law. However, with the large push of GDPR compliance in 2018 with the Data Protection Act, the Act has incorporated GDPR, meaning it still applies post Brexit. As a result of the agreement the UK has made with Brussels, there will be no major changes in how data flows between the two, meaning that you shouldn’t notice any changes when continuing to send data to suppliers who operate in the EU under existing partnerships, or when contracting with new ones. 

Something to look out for over the coming months however is the outcome of The International Commissioner’s Office’s decision to come up with its own bespoke UK standard contractual clauses for international data transfers, which it announced in May 2021. A quote from the ICO’s deputy commissioner Steve Wood outlines the ICO’s planned creation of UK standard clauses:

“I think we recognise that standard contractual clauses are one of the most heavily used transfer tools in UK GDPR. We’ve always sought to help organisations use them effectively with our guidance. The ICO is working on bespoke UK standard clauses for international transfers, and we intend to go out for consultation on those in the summer.”


So to summarise what this means for your school now, as well as going forward in terms of sending data to the EU (no matter what form that may take); you should notice little to no changes in how you send data to suppliers due to the UK’s agreement with the EU, and Brussels’ ruling that the UK is an adequate country for data sharing. However it would still be beneficial to look out for the ICO’s progression relating to the creation of UK standard clauses for international data transfers over the coming months on their website, as this could impact the way you share data with suppliers, as well as the potential changes to future contractual agreements with them. 

The Children’s Code

The first update from the ICO is that the transition year for the introduction of The Children’s Code (also known as The Age Appropriate Design Code) has passed, with the code having come into effect on September 2nd. For those unfamiliar with The Children’s Code, it imposes restrictions on how online services that are accessed by children under 18 (despite whether children are their target audience or not) are allowed to use their personal data.

Action Fraud is reporting that fake NHS emails are circulating offering users a "digital passport" that “proves you have been vaccinated against COVID-19”. These emails are fake, and the links within them lead to genuine-looking websites that steal your personal and financial information.

Recording staff vaccination data

Firstly, a couple of links as reference...though they don't really tell you the answer - especially the second one which doesn't seem to have been updated post-August 16th:

Many schools in Brighton may have received a Freedom of Information Request relating to the ‘Racial Literacy training 101’ as part of the Brighton & Hove Educators of Colour Collective (BHECC) and the
councils Community Advisory Group (CAG).

We've put together some generic guidance on responding here:

The Request

(My Freedom of Information request to your school):

1. The BHCC ‘Anti-Racist Strategy for Schools’ (see https://present.brighton-hove.gov.uk/documents/s156944/Anti-racist%20schools.pdf) includes a timetable for ‘Initial Racial Literacy Training for Head teachers, governors, key staff (curriculum leads, policy leads)’ which, it seems, took place/will take place this summer term 2021.

Please could you send me any explanation, documentation or evidence for this training(including how it was described to the school)?

2. The timetable also lists ‘Training for BAME pupils support groups’.

Please could you send me any explanation, documentation or evidence for this training (including how it was described to the school)?

3.  The Strategy states that it sent a ‘Bulletin and emails to schools outlining plans for the strategy and advice/resources for Black History Month’. Could you send me these outline plans please.)



Suggested initial response (acknowledgement and holding email) in line with requirements of the Act 

Dear [requester’s name],

Thank you for the request you made on [date of request], seeking the following information under the Freedom of Information Act 2000: 

1. The BHCC ‘Anti-Racist Strategy for Schools’ (see https://present.brighton-hove.gov.uk/documents/s156944/Anti-racist%20schools.pdf) includes a timetable for ‘Initial Racial Literacy Training for Headteachers, governors, key staff (curriculum leads, policy leads)’ which, it seems, took place/will take place this summer term 2021.

Please could you send me any explanation, documentation or evidence for this training (including how it was described to the school)?

Add your response here 


2. The timetable also lists ‘Training for BAME pupils support groups’.

Please could you send me any explanation, documentation or evidence for this training (including how it was described to the school)?

Add your response here


3. The Strategy states that it sent a ‘Bulletin and emails to schools outlining plans for the strategy and advice/resources for Black History Month’. Could you send me these outline plans, please?


This is to confirm that we have received your request. You should receive a response from us by [insert date that’s 20 school days away from when they submitted the request, or 60 working days if that’s sooner].

Kindest regards,

[Your name]



Comments on responding

  • The standard timeline for response is 20 school days, or 60 working days if that's sooner. Check our pdf drip-feed poster (249 KB) if you are unsure of response timelines for different requirements
  • The FOIA only covers the recorded information you hold. This means you don't have to make up an answer or find out information elsewhere if you don't already have the relevant information in recorded form.
  • If the information is published on your website, then direct them to where it can be found.
  • If the information requested is intended for future publication, you will be covered by an exemption and will not have to provide it. Inform them when and where it will be published
  • If you hold the information you must disclose it, ensuring that it does not disclose any third-party data. FOI requests are about organisational data, not personal data.
  • If you don't hold the information, but you know this information is held with another organisation, then signpost them to where that information can be found.

Please ensure that you log the request using the FOI Log on the Knowledge Bank. Do not hesitate to contact us if you have any concerns or questions regarding your specific response.





The National Cyber Security Centre has today upgraded it's advice to schools relating to the prevalence of cybers attacks in the sector:


"The NCSC continues to respond to an increased number of ransomware attacks affecting education establishments in the UK, including schools, colleges, and universities.

This report details recent trends observed in ransomware attacks on the UK education sector. This encompasses trends observed during August and September 2020, as well as the more recent attacks since February 2021. It also provides mitigation advice to help protect this sector from attack.

This alert is designed to be read by those responsible for IT and Data Protection at education establishments within the UK. Where these services are outsourced, you should discuss this Alert with your IT providers.

It is also important that senior leaders understand the nature of the threat and the potential for ransomware to cause considerable damage to their institutions in terms of lost data and access to critical services

Due to the prevalence of these attacks, you should be sure to follow NCSC’s mitigating malware and ransomware guidance. This will help you put in place a strategy to defend against ransomware attacks, as well as planning and rehearsing ransomware scenarios, in the event that your defences are breached."


DPE has a range of resources to help you with cyber attack prevention. Whilst, your IT department is key to success in this area in relation to technical security measures in place, we focus on the more human factors involved in cyber risk.

Firstly, we recommend that all users complete the NCSC's "Stay Safe Online" course, available on the Knowledge Bank. Additionally, we have a range of information security e-learning nuggets for increasing awareness.

Secondly, we recommend that schools review and consider working towards a Cyber Essentials Plus certification. The questionnaire is available on the Knowledge Bank. This covers the technical and human elements of cyber prevention. 

Thirdly, we are preparing a Cyber Security best practice area, with resources and links to other guidance. This will also incorporate our main tool for cybersecurity preparation - our Phishing Simulation tool. This will be available to school immediately after Easter and will allow you to test your organisational resilience to phishing attacks.

If you have any questions, concerns, or if you have been subject to a cyber-attack please contact us immediately.



We've looked at the importance of an adequacy decision to allow the free-flow of data between the United Kingdom and Europe in our earlier articles on Brexit. Finally, although in reality quite quickly, we have a decision - with draft adequacy decisions from the European Commission. If approved, this would mean that data can continue to flow uninterrupted following the ending of the bridging period which ends on June 30 2020.

Here's the important bit from the GDPR decision:

"The Commission has carefully analysed the law and practice of the United Kingdom. Based on the findings developed in recitals (7) to (264), the Commission concludes that the United Kingdom ensures an adequate level of protection for personal data transferred within the scope of Regulation (EU) 2016/679 from the European Union to the United Kingdom."

Interestingly, there was another decision relating to data transfers under the Law Enforcement Directive regarding data for law enforcement. Of interest in both draft decisions, are that they will have looked at the UK's Investigatory Powers Act 2016 (which allows data collection for national security purposes). This was always going to be a hurdle, but it looks like it has passed - though the European Data Protection Board may look again.

It is likely that there is a balance in the operation and enforcement of the Information Commissioner's Office...which also likely means that as long as we seek to have adequacy, there will be a data protection regulator and similar standards to what we have now. In fact, the EU can monitor the progress of any divergence from EU data protection law and reverse the decision if any divergence is problematic.

Assuming at this stage the adequacy decision is upheld (the rapidness mentioned earlier suggests as much a political decision as anything), then we may see challenges in court, just as the data transfer mechanisms with the USA have been challenged in court and found to be unlawful. It may be a bumpy ride... The other issue is that with the fallout of Schrems II (the collapse of Privacy Shield) we are unlikely to see any unilateral mechanism for data transfers from the United Kingdom to the USA. So for the time being, we rely on the standard model classes that are being widely adopted.

We've had some questions now that the privacy notice in the COVID-19 National Testing Programme: Schools & Colleges handbook has been published.

The link to the Handbook seems to be broken, but we have a copy here:
pdf Schools Colleges Testing Handbook revised 04012021 (1010 KB)

With associated resources (including the Privacy Notice template) available here:

We are happy with the language and content of the Privacy Notice but wanted to emphasise that there is some editing required and that as with all privacy notices, this should be made available prior to the data being collected.

The legal obligation for processing

For explanatory purposes in Paragraph 2 of the Privacy Notice related to the legal obligation for processing data relating to tests for pupils:

For Maintained schools: Section 175 of the Education Act 2002

For Academies: paragraph 7 of the Schedule to the Education (Independent School Standards) Regulations 2014 

Non-Maintained Special Schools: paragraphs 3 and 14 of the Schedule to the Non-Maintained Special Schools (England) Regulations 2015

These paragraphs specifically emphasise the responsibilities around the welfare of pupils and that guidance needs to be followed when issued by the Secretary of State.

Consent is not the lawful basis of processing data. The consent form is about participation in the test. That's why the age of consent referenced is different from the age of consent for data processing. 

If consent is not provided for participation, that data can and will be recorded and processed lawfully.

Lastly, record keeping. This is special category data relating to health. Just because this is a large project with high throughput and recording of data does not mean that data should not be kept unsecured. Make sure your processes include data and forms kept out of view and secured.

This includes the spreadsheets that you are asked to use to record test results. When using computers, do not leave them unattended and unlocked. And keep the files secure on the network or cloud storage access controlled and only available to the users who need access. 

Review the Records Management Best Practice Area for further guidance




Purely from a data protection perspective!

There are various provisions around data in the UK-EU Trade and Cooperation Agreement.

The most important for data protection and GDPR relates to adequacy, as discussed in our earlier Brexit blog. In short, the agreement does not make a determination on adequacy, but what it does say is that for the "Specified Period" (a sort of transition period after the transition period) that transfers of personal data from the EU to the UK will not be considered transfers of personal data to a third country during this period and therefore will not be prohibited by the GDPR.  This period lasts four months and can be extended by another two months.

The hope (though not guaranteed) is that the UK will be granted adequacy during this period.

As for other adequate countries (which allow transfers of data from the EU), the UK is adopting that list and data transfers will be allowed.

The ICO issued the following statement:

“This is the best possible outcome for UK organisations processing personal data from the EU.

This means that organisations can be confident in the free flow of personal data from 1 January, without having to make any changes to their data protection practices.”

The ‘Five Eyes’ is an alliance between Australia, Canada, New Zealand, the United Kingdom and the United States of America. Its purpose is to provide a multilateral agreement for military and security focussed intelligence.

There have been some worrying developments in October 2020 as the Five Eyes nations have released a statement backed by all parties that, while they believe in the importance of strong encryption for the security of personal data, intellectual property and the protection of journalists and human rights in repressive states, they believe it is counter-productive and dangerous to limit the abilities of intelligence and national security.

They have called changes to the design of public IT systems to allow for:

• Public Safety by Design – to allow companies to act more freely against illegal and dangerous content

• Law enforcement agencies to be provided with lawful backdoor access to data held on these IT systems

• Requirement of IT companies to work with law enforcement when designing IT platforms

While it can be argued that there are public safety benefits to law enforcement’s free access to social media platforms it presents a worry precedent where governments insist on accessing private and personal data by design with no formal process of request or justification before accessing that data.

In addition to this, the UK are still in the process of completing their Brexit negotiations at this time. After the 31st December 2020, the UK will no longer be part of the EU and must therefore be assessed for adequacy of its data protection laws and security of personal data. Any move towards the “backdoors” by design to encrypted IT systems, such as that held by Australia since they passed new Data Encryption Laws in 2018, will likely be seen by the EU as a negative step.

We will keep a close eye on these developments and the continuing Brexit negotiations and update you once those resolutions are made public. If you wish to read more on this subject, we can direct you both to the original article by IT Pro and the statement from the Five Eyes nations issued by the United States Department of Justice:



Subscribe to our newsletter

Please enable the javascript to submit this form

©2021 Data Protection Education Ltd.