ICO Tool: Self-assessment for Data Breaches
A Five Minute Check To See if You Need to Report a Breach
A data breach in a school can cause serious problems. Schools hold a huge amount of sensitive data and if this is not managed with real care and attention, the safety and security of both staff and students can be compromised.
What is Education Data?
The Data Protection Act 2018 defines ‘education data’ as:
- Personal data which consists of information that forms part of an educational record; and
- Is not data concerning health.
The definition of ‘educational record’ in the DPA 2018 differs between England and Wales, Scotland and Northern Ireland. Broadly speaking, however, the expression has a wide meaning and includes most information about current and past pupils that is processed by or on behalf of a school. The definition applies to nearly all schools including maintained schools, independent schools and academies.
However, information a teacher keeps solely for their own use does not form part of the educational record. It is likely that most of the personal information a school holds about a particular pupil forms part of the pupil’s educational record. However, it is possible that some of the information could fall outside the educational record, e.g. information a parent of another child provides about the pupil is not part of the educational record.
The Self-assessment for Data Breaches Tool
This easy to use tool provided by the ICO will help you ascertain if you have a breach which must be reported. They state:
A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
If you experience a personal data breach you need to consider whether this poses a risk to people. You need to consider the likelihood and severity of the risk to people’s rights and freedoms, following the breach. When you’ve made this assessment, if it’s likely there will be a risk then you must notify the ICO; if it’s unlikely then you don’t have to report. You do not need to report every breach to the ICO.
The Role of the Data Protection Officer (DPO)
Designating a Data Protection Officer (DPO) is a requirement under the UK-GDPR for organisations such as public authorities or those whose activities involve the regular and systematic monitoring of data subjects on a large scale.
The ICO state:
“The important thing is to make sure that someone in your organisation, or an external data protection advisor, takes proper responsibility for your data protection compliance and has the knowledge, support and authority to do so effectively. Therefore you should consider now whether you will be required to designate a DPO and, if so, to assess whether your current approach to data protection compliance will meet the UK-GDPR’s requirements”.
Under UK-GDPR, you must appoint a data protection officer (DPO) if you:
- Are a public authority (except for courts acting in their judicial capacity);
- Carry out large-scale systematic monitoring of individuals (for example, online behaviour tracking); or
- Carry out large-scale processing of special categories of data or data relating to criminal convictions and offences.
You may appoint a single data protection officer to act for a group of companies or for a group of public authorities, taking into account their structure and size.
How can Handsam Help?
Handsam can offer a range of services to assist schools and colleges with data protection. They include:
- E-Training;
- Validation Visits;
- Policies;
- Quick Guides;
- Templates; and
- Data Protection Officer Services.
Visit our dedicated E-Training Centre website at www.etrainingcentre.org for full details of the Handsam data protection course.
E-Training
Use Handsam’s easy-to-access GDPR E-Training course, suitable for all levels of school employees who handle and manage data, to teach your team about data protection quickly and easily. This short course walks through the key aspects of the GDPR legislation and tests participants' knowledge of data law and best practices.
Validation Visits
To help you on your journey to GDPR compliance, Handsam can provide validation visits to quality assure your data documents and practices. A brief tour of your site, a chat and a resource review will inform a follow-up report with action points to boost your data procedures.
Policies, Quick Guides and Templates
Handsam’s Quick Guide library has a range of data protection resources on all aspects of data compliance. This includes a large document containing templates to help you build the administrative structures of positive data management. Policy-purchasing clients can also use our policy templates for data protection management.
Data Protection Officer Service
Under the terms of GDPR a new data champion has been created to serve as an independent moderator at all levels of data practice, the Data Protection Officer. Handsam can fulfil the role of the DPO for your site, providing impartial independent advice and answering your everyday data questions.
Contact us on 03332 070737 or email info@handsam.co.uk to find out more.