Data Breach | Implications and Guidance for School and MAT Leaders with SchoolPro TLC

Our sponsor SchoolPro TLC shares here their GDPR and Data Protection expertise in understanding the Birmingham Children’s Services Data Breach and the implications and guidance for school and Multi Academy Trust (MAT) leaders.
 
In May 2024, the Information Commissioner’s Office (ICO) issued a reprimand to Birmingham Children’s Trust Community Interest Company (BCTCIC) for an inappropriate disclosure of a child’s personal information.
 
This unfortunate incident underscores the critical importance of robust Data Protection practices, especially when dealing with sensitive data related to children and criminal offences.
 
As leaders in schools and MATs, understanding the implications of this reprimand and implementing key actions can help safeguard your institutions from similar breaches.

Overview of the Incident
On 10 November 2022, BCTCIC experienced a significant data breach involving the inclusion of sensitive information about another person in a Child Protection Plan (CP Plan) sent to a family.
This breach occurred within the Child Protection and Review (CP&R) department, which routinely handles both personal data relating to children and criminal offence data.
 
The specific incident involved two neighbouring families.
Family A had raised concerns about interactions between their child and Child X from Family B.
During the formulation of a Child Protection plan, information from a separate strategy meeting with West Midlands Police, containing serious criminal offence allegations against Child X, was inappropriately included and this sensitive data was subsequently disclosed to Family A, resulting in a violation of Data Protection regulations.
 
Key Findings and ICO Reprimand
The Information Commissioner's Office (ICO) found that BCTCIC had violated Articles 5(1)(f), 32(1)(b), and 32(2) of the UK General Data Protection Regulation (UK GDPR).

Articles that mandate personal data must be processed securely to protect against unauthorised or unlawful processing and accidental loss, destruction, or damage.
 
Several key issues were identified:

• Inadequate Policies and Procedures | BCTCIC’s existing policies lacked detailed, practical guidance on Data Protection, particularly regarding the inclusion of personal data in documents like Child Protection plans.
• Over-Reliance on Professional Standards | BCTCIC relied too heavily on Social Work England’s standards, which were not specifically designed for Data Protection compliance.
• Insufficient Training | Whilst BCTCIC provided general Data Protection training, it lacked specific, role-related training for social workers, reducing the effectiveness of the training.   

Implications for Schools and MATs
The ICO have highlighted that Schools and MATs must be vigilant to avoid similar data breaches:
 
1. Develop Robust Policies and Procedures 
Ensure that your Data Protection policies include specific, detailed guidance on handling sensitive personal data.
This should cover what data is appropriate to share and under what circumstances.

2. Implement Role-Specific Training
General Data Protection training is essential, but it should be supplemented with role-specific training.
Staff should understand how Data Protection principles apply to their roles within the context of their setting.

SchoolPro TLC are developing SEND and Designated Safeguarding Lead-specific Data Protection training to help boost staff confidence when responding to information requests.

3. Conduct Regular Audits and Reviews
Regularly review and audit Data Protection practices to identify and mitigate risks.
Look at who the school has shared information with, how much and the method for exchange.

4. Regular Records Review
Create time to review the records you hold, checking the quality and accuracy.
Feedback to staff to support the development of a safer culture within the school.
 
Actions and Recommendations
Based on the ICO’s recommendations and the lessons from the BCTCIC incident, there are specific actions for schools and MATs to consider.

• Granular Standard Operating Procedures (SOPs): Develop detailed SOPs for producing and reviewing sensitive documents such as safeguarding documentation. Ensure these procedures include independent checks for personal data.
• Comprehensive Training Programmes: Enhance your training programmes to include specific modules on Data Protection relevant to different roles within the institution.
• Risk Assessments and Mitigation Plans (DPIAs): Conduct thorough risk assessments to identify potential Data Protection vulnerabilities and implement measures to mitigate these risks. These would be in the form of Data Protection Impact Assessments (DPIAs).
• Regular Policy Updates and Staff Briefings: Regularly update your Data Protection policies and conduct staff briefings to ensure everyone is aware of their responsibilities and any changes in procedures.
• Feedback and Continuous Improvement: Create a feedback loop to continuously improve Data Protection practices. Encourage staff to report any issues or suggestions for improvement.

Conclusion
The reprimand issued to Birmingham Children’s Trust serves as a stark reminder of the importance of robust Data Protection practices, especially when dealing with sensitive information related to children.

By understanding the implications of this incident and implementing the recommended actions, schools and MATs can better protect their data, ensure compliance with data protection regulations, and better safeguard their students.
 
As leaders, it is our responsibility to foster both a culture of Data Protection and Child Protection within our settings, by going above and beyond to ensure the safety and privacy of all individuals whose data you handle. Data Protection is Child Protection.
 
By Ben Craig, Director, SchoolPro TLC Ltd

find out about the schoolpro tlc data protection service here

contact schoolpro tlc here