This article is one of a series written by Data Protection Education in collaboration with Litus Digital, a social media management company.  The articles came about from questions asked by Data Protection Education's customers, our own experience of working in education,  as school governors, parents and data protection professionals.  The articles raise questions about how social media can be used as safely as possible in a school environment,  security consideratio

This article is one of a series written by Data Protection Education in collaboration with Litus Digital, a social media management company.  The articles came about from questions asked by Data Protection Education's customers, our own experience of working in education,  as school governors, parents and data protection professionals.  The articles raise questions about how social media can be used as safely as possible in a school environment,  security consideratio

This article is one of a series written by Data Protection Education in collaboration with Litus Digital, a social media management company.  The articles came about from questions asked by Data Protection Education's customers, our own experience of working in education,  as school governors, parents and data protection professionals.  The articles raise questions about how social media can be used as safely as possible in a school environment,  security consideratio

This article is one of a series written by Data Protection Education in collaboration with Litus Digital, a social media management company.  The articles came about from questions asked by Data Protection Education's customers, our own experience of working in education,  as school governors, parents and data protection professionals.  The articles raise questions about how social media can be used as safely as possible in a school environment,  security consideratio

REPRIMAND

To: Mr. S. Claus, Chief Executive Officer, North Pole Enterprises

Of: North Pole The Information Commissioner (the Commissioner) issues a reprimand to North Pole Enterprises (‘Santa Claus’) in accordance with Article 58(2)(b) of the UK General Data Protection Regulation in respect of certain alleged infringements of the UK GDPR. 
The reprimand
The Commissioner has decided to issue a reprimand to North Pole Enterprises i

The City of London Police is warning schools across the UK to be vigilant against phishing attacks targeting school networks. Multiple schools have reported receiving suspicious emails containing malicious attachments that have infected their networks with malware.

Once infected, the school's email systems are used to send malicious attachments to other schools.

You don't have a pdf plugin, but you can download the pdf file.


Help and Advice against Phi

The ICO has recently published a reprimand for a multi academy trust.  The reprimand was issued in respect of Articles 5 (1) (f) and 32 (1) (b).  An unauthorised third party utilised compromised credentials to access and encrypt their systems.

The recent update to the Keeping Children Safe in Education Document obliges schools and colleges in England to “ensure appropriate filters and appropriate monitoring systems are in place and regularly review their effectiveness”.

We have released a new document: Guidance for the use of school email and applying email retention in schools.

The US Cybersecurity and Infrastructure Security Agency (CISA) and the UK National Cyber Security Centre (NCSC) have announced the release of the Guidelines for Secure AI System Development.

The ICO has recently published some guidelines/tips for early years settings.  They have created five practical data protection top tips for nurseries, pre-schools, child minders and other early years settings.

The IAPP recently wrote an article about how organisations and lawmakers are striving to protect the online safety of children and teens in today's advance digital environment.  They find themselves working to solve a 'puzzle' that tries to balance varying legal jurisdictions and cultural considerations.

The Trust Initial Plan Checklist has been updated to include a notes area for each section. This will allow you to record any ongoing tasks or actions for each section.

We have previously reported how the Rhysida Ransomware has focused on attacking the education sector.  Recently the CISA, FBI and MS-ISAC have released a new joint Cyber Security Advisory to disseminate known Rhysida ransomware indicators of compromise, detection methods, tactics, techniques and procedures identified through recent investigations.

An updated version of the Data Retention Workshop Powerpoint slides has been uploaded to the Records Management Best Practice Area:

The Governors and Data Best Practice area has been updated with some new content from the Norfolk and Suffolk Constabularies.  There is a training video: 'Protecting Yourself and Your School from Cybercrime' and a pdf of the slides from the video. There is input for school governors to highlight the risks presented by cyber crime and the resources and support available to help you improve your organisation's cyber security.

As a data protection officer we are seeing a rise in the number of cyber attacks on organisations.  We often find that the fact an actual crime has been committed is sometimes overlooked in the panic and need to recover data and get operations back up and running.  According to the National Crime Agency (NCA) cyber crime continues to rise in scale and complexity, affecting essential services, businesses and private individuals.  Cyber crime costs the UK billions of pounds, causes

We are often asked to help and advise when it comes to redaction as part of a subject access request.

The National Cyber Security Centre looks back at it's key developments and highlights over the last year in it's 2023 annual review. The National Cyber Security Centre (NCSC), a part of GCHQ, is the UK’s technical authority for cyber security.

The British Computer Society (BCS) has recently published the biggest data leaks of 2023.  The leaks cover worldwide cyber attacks, but the lessons learned apply to organisations of all types all around the world.  The data breaches include The Guardian Newspaper, LastPass password manager, Royal Mail, MOVEit, Microsoft, The UK Electoral Commission.

An article by Computing magazine has reported that controls that Microsoft rolled out to protect Windows 11 from hackers seeking to exploit security vulnerabilities in hardware and device drivers are inadequate, security researchesrs at VMware claimed last week.

We launched our Schools Best Practice area at the beginning of this term which includes specific guides and support for schools.  There is also a specific area for Trusts and the Central Team.  The Trusts Central Team section is a specific area for additional requirements and guidance for the central team of a trust and should be used in conjunction with the other tabs in the best practice area.  

Several countries have pledged never to pay cyber criminal ransoms and to collectively work toward disrupting their financial systems.  The members affirmed their joint commitment to building their collective resilience to ransomware.  They will share data on ransomware perpetrators and techniques and establish a blacklist of information about digital wallets used to facilitate ransomware payments.

Google have recently published some guidance to help IT admins meet the DfE digital and technology standards in schools and colleges.  The guidance takes all of the standards in the Meeting digital and technlogy standards in schools and colleges document and offers advice around the use of Google products in applying the standards.

The NCSC has recently published an article about creating resistant cloud backups as a way to be more resistant to the effects of destructive ransomware.

We all know that backups are an essential part of an organisation's cyber strategy and making regular backups is the most effective way to recover from a destructive ransomware attack, where an attacker's aim is to destroy or erase a victim's data. 

The NSA and CISA Red and Blue teams recently shared the top ten cyber security misconfigurations.  The schools we have worked with that have suffered a cyber attack often find that there are configurations, upgrades or user access controls that were missed.  This advisory highlights all of those and more - these are not in-depth configurations, but often ones that are set up incorrectly and then not checked or updated as time goes by. Although the advisory is aimed at larger organisati

During our data walks we are looking at data breach risks, in terms of 'Who has access to what data?'.  As part of our walk we may ask who has access to the school other than the employees and children attending, for example, Lettings.  As Lettings usually occur outside of the school working day, physical security can be overlooked or not thought about and so raises the risk of a data breach.  This article is launching our Lettings Checklist for schools which is shown at the end o

Recently the ICO reprimanded a company that suffered a ransomware attack.  The attack resulted in a data breach - learning lessons from real-life incidents is a valuable way to promote knowledge sharing and improve.

The UK Online Safety Bill became law on Thursday 26th October.  The UK Government says the Online Safety Act will protect people, particularly children, on the internet.  The Act should make social media companies keep the internet safe for children and give adults more choice over what they see online.  Ofcom will immediately begin work on tackling illegal content and protecting children's safety.

Moving MIS is a daunting task and is no small undertaking for a school. Moving to the cloud from a legacy system means that there are cyber security benefits but may be something new to your organisation. There is often the assumption that the new MIS porvider will seamlessly migrate the data for you, however there is a considerable amount of work that the school must do beforehand in order to make this happen.  This article provides some practical guidance and considerations.