In a world where technology is constantly evolving and developing, keeping information safe is an ongoing challenge.
Cyber attacks can be very sophisticated and dangerous. They can affect anyone, from an individual’s personal email account to websites belonging to large multi-nationals. As well as malicious attacks, cyber risks can materialise because computer systems have not been configured correctly or because staff have not been sufficiently trained. Schools are particularly vulnerable owing to the large amount of sensitive information that they hold.
Cyber security is about protecting computer systems from unauthorised or unintended access. It is relevant to all aspects of a school’s ICT infrastructure including software, hardware, email accounts and cloud services.
The core requirements are set out in the Data Protection Act (DPA), and require schools to put in place appropriate ‘technical and organisational measures’ to keep personal data safe.
The DPA is set to be replaced by the new General Data Protection Regulation (GDPR) from May 2018. This will significantly increase the regulatory burden on schools, particularly around information security. The GDPR introduces the concept of privacy by design, which involves making data protection issues an integral part of any decision-making process that involves the handling of personal data, such as when a school procures a new IT system.
The GDPR will increase the penalties for non-compliance, with the maximum fine currently £500,000 increasing to the higher of €20m and 4% of worldwide turnover.
In addition, an assessment of cyber risks, and action to minimise them, is core to a school’s fundamental duty to promote and safeguard the wellbeing and welfare of its pupils. The latest version of Keeping Children Safe in Education emphasises the need for an effective approach to online safety to protect and educate the whole school community in their use of technology and establish mechanisms to identify, intervene in and escalate any incident where appropriate.
What should schools be doing?
Below are some of the issues which schools should consider when trying to identify and mitigate cyber risks:
Assess the threats – The best way to work out how to protect information is to first understand what information you hold and what the main risks are. Carrying out risk assessments is a good starting point. You should look at all processes that involve personal data, consider how sensitive the personal data is and what measures you have in place to keep it secure.
Technical security – Schools should ensure that they have technical measures in place to secure their systems. This should cover everything from encryption, using firewalls and anti-malware, to carrying out penetration testing on the school’s network. As lawyers we cannot advise on what schools need to do from a technical perspective, but there are a number of resources available to assist, such as the government’s Cyber Essentials Scheme.
Policies, procedures and training – Having comprehensive but easy to read policies around information security is key to helping staff understand their responsibilities and to demonstrate compliance with the DPA. The policies should include practical examples and tips to avoid common mistakes, for example, when to use encryption, what to do when working from home, and reminding staff to always lock computer screens. Written policies and procedures should be backed up with the appropriate training and awareness.
Home working and working ‘on the go’ – Schools should ensure that staff are given the tools they need when working away from the school. For example, consider providing remote access for staff (please see the sidebar). In addition, if staff are permitted to use their own handheld devices for schoolwork then consider using mobile device management (MDM). MDM should help protect anything school related (for example, by encrypting it or giving the school the ability to remotely wipe the device if it is stolen).
Information management systems – School information management systems are becoming increasingly sophisticated in terms of allowing information to be shared amongst staff and with pupils. Schools should therefore check that their systems are robust from an information security perspective and that they have been configured correctly. We have seen numerous cases of staff inadvertently sharing confidential information with pupils, for example, by not setting access permissions correctly.
Disaster recovery plan – Schools should have a written policy on how to respond should a serious data breach occur (please see below).
When things go wrong
Here we look at an example of when something has gone wrong and how a school might respond:
A fraudster gains access to a computer system and uses that access to send emails to parents requesting payment for ‘school fees’. The fraudster amends the school’s template email such that the payment details are those of the fraudster rather than the school. Subsequent investigations reveal that malicious software was installed on the school computer. This happened because a member of staff used a personal USB stick to transfer a document from their personal computer to their school computer (the member of staff did not know that the malicious software was on the USB stick).
The ICO (the data protection and privacy regulator) recommends a four-step response to an information security incident. The school’s response against each of these four headings might include the following:
Containment and recovery
- Find out how the breach happened and ‘plug’ it as soon as possible to prevent further breaches. Consider blocking USB ports so as to prevent the transfer of data until the school is satisfied they can be used in a way that is secure.
- Contact those parents who received the email and warn them not to make a payment using the fraudulent details.
Assessment of ongoing risk
- Consider other risks that have arisen. For example, what personal data of parents has been compromised? If there is a risk of identity theft, consider purchasing identity-theft protection for parents.
- Similarly, if information about pupils has been accessed, does this represent a safeguarding risk?
Notification of breach
- The attack is likely to constitute a criminal offence and therefore the police ought to be involved. The school’s insurers should also be informed.
- The school should consider whether to refer the matter to the ICO. Currently there is no legal obligation to tell the ICO (although this will change under the GDPR) so the school will need to weigh up the pros and cons of voluntarily reporting.
- If the school is a charity then it should also consider whether it needs to make a serious incident report to the Charity Commission.
Evaluation and response
- This should include a ‘lessons learnt’ exercise. Remember, a school’s obligation is to put in place both ‘technical’ and ‘organisational’ measures to protect personal data. As such, the lessons learnt might involve looking at how the malicious software was able to infect the school computers despite the measures which the school (presumably) had in place. The school should also review its practices around staff working from home. Why did the member of staff use a personal USB stick? The school should ensure that it has made available alternative, more secure, ways of allowing staff to work from home. For example, remote access would have allowed the member of staff to log in to their work desktop. This would mean that any documents would be automatically saved to the school’s network, not the employee’s private computer.
Andrew Gallie is a Senior Associate at leading law firm Veale Wasbrough Vizards. T: 0117 314 5623 E: firstname.lastname@example.org W: vmv.co.uk
For more detailed information and guidance on how your school can manage its data protection compliance and also prepare for the GDPR, please access for free the dedicated compliance portal for schools at onstream.co.uk.
Subscribers to My OnStream can, in addition, access an online information security training module which will assist schools discharge their obligation to provide data protection training. More info is at www.vwv.co.uk/compliance-onstream/about-my-onstream.