This article is a reminder that Microsoft will stop support for both Windows Server 2012 and Windows Server 2012 R2 after October 10th 2023. Keeping software up to date on devices is best practice to help prevent cyber attacks and data breaches.
This article lists the ways that Data Protection Education can be contacted for general data protection queries, data breaches, subject access requests and freedom of information requests.
While all our customers have a dedicated consultant who can be contacted directly, if there is an urgent issue we would always advise emailing [email address].
When you email [email address]
The first child protection complaint ever made against Big Tech under UK law.
The following article talks about how a school thwarted a cyber attack, more through luck than judgement. Our advice is for the whole organisation to be cyber aware and review how your organisation might respond when attacked. The article gives ideas on how to begin making a cyber ready plan.
In October 2020 Kellett School was subject to a ransomware denial-of-service (DoS) attack orchestrated by a Russian criminal hacker group. After the attack, a post m
This article is linked to a series of articles about different types of Cyber Attacks. They can be viewed in the Information/Cyber Security News section of the Data Protection Education website or as part of the Information & Cyber Security Best Practice Area. Each article discusses a different type of cyber attack, steps to try to minimise the risk and guidance
With the increase in cyber crime against schools in the UK, we are focusing on what can be done to help prevent cyber crime in a way that is manageable for school budgets.
To assign courses to your staff, we should use the to-do functionality via the Course Assignment and Progress Report.
When we assign a to-do via this report, and the user completes the course, the to-do will be automatically marked as complete in the to-do list.
The Record of Processing can often seem like a daunting process to undertake, but it’s important to view it as exactly that: a process. Documenting the processes your organisation carries out is an ongoing project that you continue to evolve and develop as those processes change. The value you can get out of spending some time and care by completing various ones shouldn’t be underestimated. We’ve spoken to some of the people who have used the RoP tool on the Knowledge Bank, and asked th
VPNs have become commonplace over the past couple of years, with every content creator out there having at some point been sponsored by Nord VPN (other VPN providers are available). VPNs are mostly used so that we can watch content on streaming platforms that would otherwise be blocked in the UK. However, as well as allowing you to watch Pulp Fiction on Canadian Netflix, VPNs have excellent security benefits that can help prevent data breaches and cyber attacks.
Under UK GDPR, Public Authorities or Bodies, as well as businesses carrying out certain processes, are required to appoint a Data Protection Officer (DPO). This article will explain why you need a DPO and what a DPO does for your organisation.
Recently there has been an annual study published by Ponemon Institute (sponsored by Experian) entitled “Is Your Company Ready for a Big Data Breach?”. The study looks at the state of breach preparedness across organisations over a period of a year,
At Data Protection Education, we are carrying out an ongoing project on assessing potential organisations that our schools are either currently contracted with to supply a product or service, or may in the future be in contract with.
For most organisations, a lot of thought and care goes into ensuring that when you’re collecting data, you are complying with the relevant data protection legislation: that it’s being collected with consent where required, that you have a lawful basis, etc. However,
A recent study conducted by Check Point Research, which can be found at the bottom of this article, has found that there has been a 29% increase in cyberattacks on organisations in the education sector since 2020, the highest increase of any sector.
Cyber attacks are on the up, and with the education sector seeing the highest number of cyber attacks of any sector since the start of the pandemic, as well as the highest increase in attacks in that same period
With biometric technology becoming more and more prevalent in society, the governance of the personal data that organisations collect from using this technology has recently been a topic of discussion.
The Children’s Code
The first update from the ICO is that the transition year for the introduction of The Children’s Code (also known as The Age Appropriate Design Code) has passed, with the code having come into effect on September 2nd.
Schools in Brighton and Hove have received the following Freedom of Information request:
1. Please send me copies/scans/digital files that record individual racist/religious incidents/bullying incidents in terms of numbers of incidents and their
The National Cyber Security Centre has today upgraded its advice to schools relating to the prevalence of cyber attacks in the sector:
These protocols aim to ensure that online lessons with pupils when working from home are safe, secure and continue to provide high-quality education using a virtual platform.
This is guidance for setting up and managing online lessons using the school’s chosen platform, i.e. Zoom, Google or Microsoft Teams.
Users of Class Dojo will recently have noticed that a requirement to provide consent for international data transfers was added to the login screen.
It is a requirement under the Freedom of Information Act and ICO to set out your commitment to making certain classes of information routinely available, such as policies and procedures, minutes of meetings, annual reports and financial information.
Updated 22 March 2021
The ICO gives the following advice when communicating privacy matters to children:
What information should we give to children?
Transparency is about being clear, open and honest with your users about what they can expect from you.
We've had a few questions recently about parents and students recording conversations with members of staff, either covertly or overtly, without seeking permission. This article only covers recordings made by external individuals, not organisations or individuals acting on behalf of an organisation.
We know the jargon can be confusing. As can the timelines for responding to the various requests that you receive.
Is it a month? Or 30 days? Are those working days?
So here's a little chart to simplify everything:
We've recently had more than one breach reported where physical files have got lost in the post.
In such cases, the sender remains the data controller and is responsible for ensuring that the optimum data security measures are in place during transfer. Where possible, consider whether a physical drop-off (and get a receipt) is a more secure option.
Do I need consent for emergency contacts?
Actually no, and here's why.
We know that we must have a lawful basis for processing any data, and consent is one of the six lawful bases that can be used.
Adapted from: The Irish Data Protection Commissioner
The UK GDPR does not prescribe the exact process for carrying out a DPIA beyond the minimum features outlined above, allowing for flexibility and scalability in line with your organisation’s needs. Although there is no one prescribed approach to take, the following steps can guide you through the process:
We have added publication scheme model templates in the FOI Best Practice area for academies as well as maintained schools.
Difference between the High Level and Detailed Publication Scheme