School data security incidents rise in wake of GDPR

The number of data security incidents reported by the education sector rocketed by more than 43 per cent after the introduction of general data protection regulations.

The Information Commissioner’s Office (ICO) has reported a rise in reports of disclosure issues – where sensitive information is inadvertently shared – and cyber-attacks between July and September this year.

Overall, the number of data security incidents reported in education rose from 355 in the second quarter of 2017-18 to 511 in the same period this year.

This is the first data to be released since the general data protection regulations (GDPR) came into force this May.

The GDPR requires schools to be clearer about the data they hold about their pupils and to respond more quickly to requests for copies of personal data. They must also have a data protection officer in place.

The number of incidents involving the disclosure of data reported to the ICO rose to 353 in quarter two of this year, up from 239 during the same period last year and just 26 the year before.

Common disclosure issues include the loss or theft of paperwork or data, information accidentally sent by email to the wrong recipient and inadvertent verbal disclosure.

Mark Orchison, a consultant whose firm 9ine works with schools on data protection, said the increase (in disclosure reports) was likely to be because of GDPR and work by the ICO to raise awareness.

“Schools are now actually aware of what data breaches are and are reporting these to demonstrate compliance with the law,” he told Schools Week.

However, he is also concerned about a rise in cyber-attacks on schools. Reports of these attacks, which can include malware, phishing and ransomware, have risen by 69 per cent in the past year alone. Between July and September 2017, there were 26 such reports. In the same period this year, there were 44.

He warned that schools “don’t have the internal expertise” on cyber security and that institutions “haven’t got the skills to understand the risks or what to do when it happens”.

“Schools are seen as an easy target,” he said. “Sending false invoices, for example, is easy money.”

Earlier this year, it was revealed that fraudsters impersonating headteachers managed to con schools across the country out of tens of thousands of pounds after their phone systems were hacked and calls diverted to pricey premium-rate numbers.

Between last September and this spring, 48 schools reported the scam. Of those, 12 lost £145,124 between them and one lost £19,150.

The government recently published new draft guidance for schools on security, which includes advice on cyber-attacks. It advises schools to create boundary firewalls and internet gateways to “prevent unauthorised access to or from private networks”.

Schools are also being told to use secure configuration, access level controls and the latest malware and virus controls, and put effective policies in place to “educate staff and pupils about online security”.

Nick Gibb, the schools minister, said it was “important that schools remain vigilant and prepare for potential risks”.