2/7/2024

Data Breach | Implications and Guidance for School and MAT Leaders with SchoolPro TLC

Our sponsor SchoolPro TLC shares here their GDPR and Data Protection expertise in understanding the Birmingham Children’s Services Data Breach and the implications and guidance for school and Multi Academy Trust (MAT) leaders.

In May 2024, the Information Commissioner’s Office (ICO) issued a reprimand to Birmingham Children’s Trust Community Interest Company (BCTCIC) for an inappropriate disclosure of a child’s personal information. This unfortunate incident underscores the critical importance of robust Data Protection practices, especially when dealing with sensitive data related to children and criminal offences. As leaders in schools and MATs, you can help safeguard your institutions from similar breaches by understanding the implications of this reprimand and implementing key actions.

Overview of the Incident
On 10 November 2022, BCTCIC experienced a significant data breach: sensitive information about another person was included in a Child Protection Plan (CP Plan) sent to a family. The breach occurred within the Child Protection and Review (CP&R) department, which routinely handles both personal data relating to children and criminal offence data.

The specific incident involved two neighbouring families. Family A had raised concerns about interactions between their child and Child X from Family B. During the formulation of a Child Protection Plan, information from a separate strategy meeting with West Midlands Police, containing serious criminal offence allegations against Child X, was inappropriately included. This sensitive data was subsequently disclosed to Family A, resulting in a violation of Data Protection regulations.

Key Findings and ICO Reprimand

The ICO found that BCTCIC had violated Articles 5(1)(f), 32(1)(b), and 32(2) of the UK General Data Protection Regulation (UK GDPR). These articles mandate that personal data must be processed securely, protecting it against unauthorised or unlawful processing and against accidental loss, destruction or damage. Several key issues were identified:
Implications for Schools and MATs

The ICO have highlighted that schools and MATs must be vigilant to avoid similar data breaches:

1. Develop Robust Policies and Procedures
Ensure that your Data Protection policies include specific, detailed guidance on handling sensitive personal data. This should cover what data is appropriate to share and under what circumstances.

2. Implement Role-Specific Training
General Data Protection training is essential, but it should be supplemented with role-specific training. Staff should understand how Data Protection principles apply to their roles within the context of their setting. SchoolPro TLC are developing SEND and Designated Safeguarding Lead-specific Data Protection training to help boost staff confidence when responding to information requests.

3. Conduct Regular Audits and Reviews
Regularly review and audit Data Protection practices to identify and mitigate risks. Look at who the school has shared information with, how much was shared and the method of exchange.

4. Regular Records Review
Create time to review the records you hold, checking their quality and accuracy. Feed back to staff to support the development of a safer culture within the school.

Actions and Recommendations

Based on the ICO’s recommendations and the lessons from the BCTCIC incident, there are specific actions for schools and MATs to consider.
Conclusion

The reprimand issued to Birmingham Children’s Trust serves as a stark reminder of the importance of robust Data Protection practices, especially when dealing with sensitive information related to children. By understanding the implications of this incident and implementing the recommended actions, schools and MATs can better protect their data, ensure compliance with Data Protection regulations, and better safeguard their students. As leaders, it is our responsibility to foster a culture of both Data Protection and Child Protection within our settings, going above and beyond to ensure the safety and privacy of all individuals whose data we handle. Data Protection is Child Protection.

By Ben Craig, Director, SchoolPro TLC Ltd
1/2/2024

Clarity about Sending Home Flyers for Third-Party Organisations from SchoolPro TLC

As part of their experience within the education sector, our sponsor SchoolPro TLC provides the role of Data Protection Officer (DPO) as a service for schools. The SchoolPro Team have been receiving a number of queries from schools about sending home flyers for third-party organisations by email or post. See below for their updated guidance on sending out communications from third-party organisations to parents. The team are able to draw on their knowledge as former school leaders, as well as their DPO expertise.

Your school, for example, might be thinking about sending home a communication about local community events or third-party activity providers. Email is often used by schools for this, although SchoolPro TLC have reservations because email is subject to the Privacy and Electronic Communications Regulations (PECR) and its additional consent requirements. Here are the implications of each option for sending communications home and the requirements you should meet:

Postal Leaflets in School Bags

Sending postal leaflets via school bags is not subject to PECR, which means consent is not required. The school can rely on the Legitimate Interests lawful basis and perform a Legitimate Interests Assessment (LIA) for the overall practice of sending out these mailings. It is crucial that parents are informed about this process and have a clear option to opt out. The school needs to ensure that parents are aware of their rights and of the school’s processing activities through clear communication, such as a statement in a parent newsletter. This approach negates the need for separate LIAs for each third-party organisation's materials being sent out.
In order to notify parents about this processing, the school could add the following into a parent newsletter (or similar), or words to that effect: “We will occasionally send home flyers from trusted third parties such as the local authority in pupil bags. This is to make you aware of events, activities, services and products that we think may be of interest to you or your family. Please let us know if you object to this and we will ensure that you don’t receive this information.”

Electronic Communication (including Email)

There are two distinct categories of electronic communication:

1. Direct Marketing Messages
These include communications where a paid service is being offered, or where fundraising or similar activities are involved. Examples include services like school photography or extracurricular activities run by external companies that require payment. These types of messages require prior opt-in consent from the recipients, and it must be straightforward for them to withdraw consent at any time. It is important to ensure that this consent is specific, informed and unambiguous. The school should not use opt-out forms for these types of communications; instead, an explicit opt-in mechanism should be in place.

2. Promotional Messages Not Classified as Direct Marketing
This category includes communications that can be considered part of the school's or trust's legal function as a public body and that do not have a paid-for element. Examples might include free educational opportunities from the local library or informational leaflets from the NHS. These messages do not require prior consent; they fall under the 'public task' legal basis. While upfront consent is not needed, parents should still be informed about these communications and have the ability to object to receiving them, akin to the opt-out process under legitimate interests. A notification similar to the one quoted above for the school bag method could be used to ensure transparency.
In Summary

For non-commercial promotional messages sent by electronic media, and for leaflets (commercial or otherwise) in school bags, consent is not required upfront, but there should be an option for parents to opt out or object. Schools must inform individuals about this processing beforehand, maintaining transparency and adhering to Data Protection principles.

For commercial promotional messages sent by electronic media, including paid-for services or fundraising, schools must obtain clear, opt-in consent from parents before sending these communications.

By distinguishing between these types of communications and applying the correct legal basis to each, schools can ensure compliance with Data Protection regulations while keeping parents informed about relevant services and opportunities.

This definition of marketing might be a helpful clarification: direct marketing is any type of advertising or promotional material aimed at a particular person. Mass marketing, such as an advertisement in a magazine, is not aimed at anyone in particular.

We hope that you find this advice helpful; the SchoolPro TLC Team are available should you need further guidance and support.
With thanks to Director Ben Craig and the SchoolPro TLC Team.

Our sponsor SchoolPro TLC provide some helpful and current advice about confidential references and subject access requests.

When it comes to subject access requests and exemptions, it is important to understand the various exemptions that apply to certain types of personal data. One specific exemption relates to confidential references. According to the Information Commissioner’s Office (ICO) and the Data Protection Act 2018, personal data included in a confidential reference is exempt from the right of access in specific circumstances. The exemption applies to references given or received for the purpose of prospective or actual education, training, employment, volunteer placement, appointment to office, or provision of services by an individual. It is important to note that this exemption only applies to references that are provided in confidence.

To ensure clarity in your documentation, especially for educational references, it is advisable to state explicitly that all references will be treated as confidential. This should be communicated both to the individuals naming their referees and to those providing the reference itself. For example, instead of a simple instruction like “Please provide details of two referees.”, you can modify it to convey that all references will be treated as confidential. A revised statement could be: “Please provide details of two referees. All references will be treated as confidential.”

If your references are treated as confidential, you will need to ensure that staff dealing with subject access requests are aware of this and have adequate guidance to follow, in order to prevent the accidental release of confidential references. Understanding these exemptions and clearly communicating the confidentiality of references will help ensure compliance with Data Protection regulations and maintain the privacy and trust of the individuals involved in the process.
By Ben Craig for the SchoolPro TLC Team

More Information

For more detailed information on other exemptions that apply to subject access requests, check out SchoolPro TLC's SAR Guidance and/or the ICO website, and contact the SchoolPro TLC team directly for support. If you are interested in this topic and wish to find out more about working in this area, you can find out more about how you could Make a Difference with SchoolPro TLC.

We are grateful to our SWIFT sponsors for their services; their support helps to provide additional funding for us to subsidise the cost of conferences and events as part of our high-quality professional development offer to school leaders, teachers and staff.
Our sponsor SchoolPro TLC provides guidance for schools and MATs following the recent infringements by a primary school in relation to Article 5(1)(f), Article 24(1) and Article 32 of the UK GDPR. The unfortunate data breach has emphasised the importance of robust Data Protection practices in schools, colleges and MATs.

The Information Commissioner's Office (ICO) publicly reprimanded Parkside Community Primary School for infringements of the UK General Data Protection Regulation (UK GDPR). Whilst this is clearly a concern for the school and the data subjects involved, it also provides a valuable opportunity for all schools to reassess their Data Protection strategies. The incident involved the inappropriate disclosure of personal and special category data in a classroom setting, affecting four data subjects including three children. According to the published reprimand, key contributing factors to the breach included insufficient Data Protection policies, inadequate guidance around email security, and a lack of explicit procedures regarding the use of a case management system. SchoolPro TLC delve here into the key lessons to be learned from this unfortunate event, and provide a checklist to ensure that you are adequately protecting the personal data of your pupils and staff.

Lessons to Learn

The reprimand presents several key lessons that could apply to other schools in the UK:

1. Ensure Adequate Data Protection Policies
The reprimand highlighted that the school lacked detailed Data Protection policies, specifically on the safe handling of personal data over email and on the usage of a specific case management system. Policies should clearly outline the procedures for maintaining data security and confidentiality, especially where sensitive or special category data is involved. Schools should have policies specific to the high-risk software and platforms they use, created in conjunction with risk assessments or Data Protection Impact Assessments (DPIAs).

2. Provide Clear Procedures and Guidance
The lack of written guidance for employees was a significant issue. Clear instructions need to be in place for using security and confidentiality classifications on emails, and for the usage of any case management system or software. Guidelines on when and where to open sensitive emails, and on how to operate electronic devices (such as electronic whiteboards) securely, should also be clearly provided.

3. Staff Training
Regular and thorough training for staff is necessary to ensure compliance with Data Protection regulations. This should include training on the operation of specific software or systems, data breach reporting procedures, the operation of electronic devices, and general Data Protection principles.

4. Incident Reporting Mechanisms
In this case, staff failed to report the data breach internally. An effective incident reporting mechanism should be in place, and staff should be well aware of the process to follow if a data breach is suspected or has occurred.

5. Sensitive Data Handling
Emails or alerts containing sensitive information should be appropriately labelled and only accessed under safe conditions (e.g. not in the presence of children or during teaching hours). Controls should be in place on who can access highly sensitive information and when.

6. Policy Enforcement and Review
All staff and stakeholders should be familiar with the school's Data Protection policies. Policies should be reviewed and updated regularly, especially in response to incidents, and staff should be required to affirm their understanding and acceptance of these policies.

7. Testing and Audit of New Processes
Any new processes or procedures introduced in response to a data breach should be tested to ensure they are effective and embedded within the organisation.

Action Plan / Checklist

Taking those lessons into consideration, what key actions can a school, college or MAT take to reduce their data breach risk and improve practice?
Policies and Procedures
Review your Data Protection policies and procedures, ensuring they cover all aspects of data handling, including specific written guidelines for using software and systems that process sensitive data.

Training and Awareness
Develop a regular training schedule on Data Protection for all staff. Emphasise what constitutes a data breach, the importance of reporting breaches promptly, and the consequences of failing to do so. As a guide, staff should receive Data Protection training as part of their induction to the organisation, and refresher training should be completed at least biennially, if not more frequently. Annual refresher training would be best practice.

Email Security
Implement security measures for emails that contain sensitive data, such as security classifications or labels. Provide clear guidelines on when and where such emails can be safely opened. Where possible, use alternative methods of communicating sensitive data, such as access-controlled, secure, shared folders or internal secure data transfer systems if available to your school.

Software and System Security
Review the security measures for all software and systems that process sensitive data. Ensure staff are trained on how to use these systems securely, including the use of strong passwords and multi-factor authentication. Also include procedures, guidance and training for those systems that could be used to view sensitive data, such as electronic whiteboards and screen-sharing from staff members' electronic devices.

Monitoring and Review
Regularly monitor and review your Data Protection measures to ensure their effectiveness and make improvements where necessary.

By following this checklist along with your existing practices, and by continually investing in Data Protection, you can better protect the personal data of your pupils and staff, and ensure compliance with the UK GDPR.
The incident highlighted by this ICO reprimand serves as a stark reminder of the potential repercussions of insufficient Data Protection, and of the importance of making it a priority in your school, college or MAT. Stay safe and healthy.

Report by the SchoolPro TLC Team

SchoolPro TLC is led by a committed team of former school and education leaders and Governors with over 60 years' combined experience across all stages of education and in a variety of contexts, who have worked to improve educational provision.
We recently saw the release of the Government’s response to their consultation on the proposed Data Reform Bill. It is still early days for the proposed legislation and there is a lot to go through from this response. In addition, the timeline for the new legislation, and exactly what it will look like based on this response, is unclear at this stage. But our sponsor, SchoolPro TLC, has looked at the consultation outcome and you can read their initial reaction and thoughts about how it might impact on working with schools in the future.

Privacy Management Programmes to be a Compliance Requirement

This is one that we have been expecting, and we have built the online audit/accountability tool in the new portal with this possibility in mind. Essentially, the proposal is to reduce the accountability requirement to the following six key areas (from the current ten):
This potentially simplifies the process, and our audit tool has been developed to be fully configurable. So, if this change goes ahead as suggested, the existing tool can be adapted to the new Privacy Management Programme, and relevant information, actions etc. already in the tool can be ported across as required. The Government have been keen to highlight that this is not intended to reduce the rigour of accountability or lower standards, but to create a more flexible tool that can scale depending on the risk level of the organisation. This may well ease some of the burden on smaller schools, for example.

Data Protection Officers (DPO) to no longer be mandatory and to be replaced with a ‘senior responsible individual’

This proposal removes the need for an independent DPO with no conflicts of interest and allows the role to be taken on by a senior individual within the organisation. That person will still fulfil many of the existing responsibilities of a DPO, so it is likely that many organisations will simply continue with their existing arrangement. The ‘senior responsible individual’ will be responsible for:
At present, it is not fully clear whether this will apply to all organisations, or whether only small organisations and those that do not process high levels of sensitive data will be able to drop the requirement for a “DPO”. We are obviously going to keep a keen eye on this one!

Removal of Data Protection Impact Assessments (DPIAs)

The thought here is to provide a more flexible and tailored approach to organisations. Again, the Government are keen to emphasise that this is not to reduce rigour and lower standards, and they state that organisations will still have to identify, assess and manage risk. This may allow for a more risk-based approach, where lower-risk processing has a simpler risk management approach and higher-risk processing still follows a similar DPIA process to what is currently in place. However this is implemented, thankfully, it should not involve new risk management for legacy systems, as the Government has stated that “existing DPIAs would remain valid as a way of achieving the new requirement”.

Removal of the Record of Processing Activities (RoPA) Requirement

As with DPIAs, this is to provide a more flexible approach that can be tailored to different organisations depending on their size and the nature of their processing activities. This will link to the Privacy Management Programmes and will require organisations to have “personal data inventories” that “describe what and where personal data is held, why it has been collected and how sensitive it is.” From what we have read so far, we believe that our existing data mapping tool will still allow these inventories to be created, with very little need to adapt them from their current format.

Those are a few of the points we think will have an immediate impact on schools. Of course, there are more detailed analyses of all the proposals available online, such as this useful one from the IAPP:

It is also clear that not everyone is happy with the proposals.
Reading through the response, the prevailing theme appears to be “we asked about this, most of you weren’t happy with the proposed changes… so we’re going to make some anyway”, which is an interesting approach to a consultation. All we can say is, watch this space…

Report by Ben Craig CIPP/E, Director of SchoolPro TLC Ltd
© COPYRIGHT 2022 SOUTH WEST INSTITUTE FOR TEACHING SWIFT. ALL RIGHTS RESERVED | Website by brightblueC