Schools reported for hack attacks and data breaches avoid ICO punishment

Dozens of schools that breached data protection rules have walked away without punishment, despite being reported to the information watchdog.

New figures obtained exclusively by Schools Week show that during the past school year the Information Commissioner’s Office (ICO) dealt with 66 reports of breaches by schools of the Data Protection Act 1998.

Almost half the reports related to information accidentally revealed, with five of the cases occurring at special schools. Twenty-four related to the loss or theft of data.

Seven breaches came as a result of cyber attacks or IT failures, and three were down to unauthorised access of information or incorrect permissions.

But not a single school faced enforcement action from the ICO, although schools must protect information held about staff, pupils, parents, governors and contractors.

However, this term Schools Week found personal pupil data published on the website of a prominent independent school.

An exam timetable, openly published and searchable via Google, named pupils, their exam entries, plus any identified special needs and accessibility arrangements.

In its advice to schools, the ICO states that security breaches must be dealt with “effectively”, regardless of whether they are a result of “theft, a deliberate attack on your systems, from the unauthorised use of personal data by a member of staff, or from accidental loss or equipment failure”.

The advice goes on to say: “However the breach occurs, you must respond to and manage the incident appropriately.”

The school, which is not being named to protect the data from further circulation, removed the documents from its website after being informed of the breach by Schools Week, but further checks have revealed that some of the data is still available in Google search results.

The potential breach has been reported to the ICO and Google. The school did not reply to phone calls or email requests for comment.

It is not alone in leaking personal data about pupils. At the end of November, Greenland Primary School in east London accidentally revealed the names of seven pupils aged between nine and 11 believed to be at risk of radicalisation.