This is a summary taken from Judicium’s GDPR ‘Sofa Session’ from the 19th of March, with our Data Protection Consultant Falguni Bhatt. This session covered: why breach management matters; whose responsibility the detection, investigation and risk assessment of a breach is; and how to prevent breaches or lessen their impact when one does occur.
Breach Management – why does it matter?
What is a personal data breach?
Firstly, to clarify: personal data is any form of data that could be used to identify a person, for example a name, address, date of birth, email address or Unique Pupil Number.
There is also special category data, which is any form of personal data that needs more protection due to its sensitivity such as health data, ethnicity, religious data.
So, a personal data breach is a breakdown in security that leads to the loss, alteration, destruction, unauthorised access to, or disclosure of personal data.
Examples of personal data breaches can include:
- Access by an unauthorised third party, e.g. a hacker;
- Deliberate or accidental action (or inaction) by a controller or processor;
- Incorrect levels of access rights to systems or drives, or accidentally or intentionally deleting records containing personal information;
- Sending personal data to an incorrect recipient;
  - A typical breach in schools is information about a child being sent to the wrong parent.
- Computing devices containing personal data being lost or stolen, e.g. a lost laptop or USB stick;
- Alteration of personal data without permission; and
- Loss of availability of personal data.
Why care about data breaches?
Understanding the implications of data breaches is crucial for any organisation handling personal data. Failing to prevent or address breaches adequately can lead to severe consequences for the School and for the individuals affected. Ensuring that your school is complying with the law and handling data breaches appropriately is important for several reasons, including:
- Harm to Individuals - Data breaches can directly impact the lives of the individuals concerned. Exposure of sensitive personal data such as health information or child protection information can have devastating implications on the child and/or their family. Breaches therefore have the potential to cause significant material and emotional distress to those whose data is compromised.
- Reputational Damage - A data breach can tarnish the reputation of a school, leading to a loss of trust among students, parents, and the community. This can result in decreased enrolment, loss of funding, and difficulty attracting top talent.
- ICO enforcement and penalties (e.g. fines) - The UK GDPR and DPA 2018 set a maximum fine of £17.5 million or 4% of annual global turnover – whichever is greater – for infringements. Not all data protection infringements lead to fines, however. Supervisory authorities such as the ICO (Information Commissioner’s Office) can take a range of other actions, including:
  - Issuing warnings and reprimands;
  - Imposing a temporary or permanent ban on data processing;
  - Ordering the rectification, restriction or erasure of data; and
  - Suspending data transfers to third countries.
- Compensation claims – Schools face the risk of legal costs when affected individuals pursue compensation for the mishandling of their data. This can result in significant legal fees and payouts, and a claim is overall a costly and time-consuming process.
- Disruption of operations - Data breaches can disrupt school operations, leading to downtime, loss of productivity, and interruption of critical services. This can impact teaching and learning activities, administrative functions, and extracurricular programmes.
Detect, investigate, risk-assess the breach - whose responsibility is it?
Data breaches affect everyone in an organisation. By the same token, everyone can help to prevent or minimise the impact of a data breach. If you become aware of a personal data breach or incident, you should follow your organisation’s reporting procedure.
UK GDPR places certain legal obligations on organisations relating to the handling of personal data breaches. It is important to make sure that the School is properly prepared to handle such a breach. One way a School can do this is by making sure it has a data breach policy or procedure in place.
If you know or suspect a personal data breach has occurred, staff should:
Step 1: Notify your line manager or designated data protection point of contact within the school.
Step 2: The DP Lead should notify the DPO, and collectively they will take immediate steps to establish whether a personal data breach has in fact occurred.
Step 3: Identify how the breach occurred and take immediate steps to stop or minimise further loss, destruction or unauthorised disclosure of personal data.
Step 4: Based on the information you have so far, the DPO & the School will need to assess the risk to the data subjects involved and determine the next steps i.e. whether the breach is reportable to the ICO.
Step 5: It is important to make sure that the School accurately records all details of the breach on a data breach log (this demonstrates accountability and helps to identify weaknesses, trends and training issues).
When a data breach occurs, as a school you have a legal obligation to:
- Notify the Information Commissioner’s Office (ICO) when a breach is likely to result in a risk to the rights and freedoms of individuals
- Notify affected individuals without undue delay where the breach is likely to result in a high risk
Risk
To know the level of risk involved, you will first need to assess the Risk of the Data Breach. Risk, in terms of a personal data breach, means the risk to the people who are affected. You’re assessing how seriously you think people might be harmed and the probability of this happening.
A data breach should always be assessed on a case-by-case basis. Whilst a breach such as disclosure of data to an incorrect person may at first appear minor and common, upon further investigation, there may be influences and factors that mean that the risk involved is more serious than first assumed.
When assessing a data breach, we look at the risk of “damage” or “harm” to the data subject(s) involved. There can be a wide variety of effects on the individual(s) whose data has been compromised. Some data breaches do not pose a risk and are little more than an inconvenience to those whose data is affected.
Other breaches may cause negative consequences such as:
- Discrimination
- Financial loss
- Loss of confidentiality
- Identity theft
- Damage to reputation
Risk can be determined by two factors: likelihood and severity.
- Likelihood – i.e., how likely it is that the harm will actually occur; and
- Severity – i.e., should the harm occur, how serious its consequences would be.
Always look at the ‘full picture’ when making an assessment.
There are some factors which will help determine whether further steps need to be taken, for example notifying the ICO and/or data subjects as set out above. These factors include:
- What type of data is involved and how sensitive it is;
- The volume of data affected;
- Who is affected by the breach (i.e., the categories and number of people involved);
- The likely consequences of the breach for the affected data subjects following containment, and whether further issues are likely to materialise;
- Whether any protections are in place to secure the data (for example, encryption, password protection, pseudonymisation, two-factor authentication);
- What has happened to the data, e.g., if data has been stolen, could it be used for harmful purposes;
- What the data could tell a third party about the data subject;
- The likely consequences of the personal data breach for the school; and
- Any other wider consequences which may be applicable.
Reactive and Proactive, how can we prevent breaches or lessen their impact?
It is important to take steps to reduce the possibility of personal data breaches occurring. This might include:
- Annual data protection training - have mandatory data protection training in place for all staff that includes how to recognise and report a personal data breach.
- Policies/procedures - have clear and appropriate data protection policies, including a data breach policy/procedure, in place.
- Staff awareness - ensure staff are aware of common data breaches and how they can be avoided, such as by checking recipients and attachments are correct before sending emails.
- Staff reminders - remind staff of the basics, for example locking your computer when stepping away from your desk and locking paper documents away; little things can make all the difference!
- Controls - have appropriate controls in place to protect personal data. Think of ways to improve, e.g. one school implemented a time delay on outgoing emails, another multi-factor authentication on logins.
- Annual data protection audits with your DPO – during an audit, your DPO will advise and provide guidance on best practice and ensure that you are complying with data protection legislation.
Top Tips
- Keep a data breach log – ALL data breaches should be recorded on a data breach log.
- Establish a clear point of contact within the school – We strongly recommend having a clear point of contact within the school to ensure that staff know who to refer to with any data matters including data breaches. Make it easy for staff to raise any concerns!
- Create a positive culture – Within school where staff are not worried about raising any concerns or potential data breaches.
- Data breach policy – Does your school have a data breach policy in place? Does it detail the school’s DPO and internal data protection point of contact?
- Don’t sit on a concern – Take action and speak to your DPO!
Additional Info
You can find information regarding our Data Protection Officer (DPO) service here.
Jedu is Judicium's online GDPR compliance tracking software for schools. Our platform is suitable for single schools to large MATs and is designed to assist schools with two critical needs: To enable trustees, Governors and other SLT to monitor GDPR compliance; and to assist you managing your data protection.
If you would like more information on how we can support you or more information regarding Jedu, please get in touch with us.
If you require any support in any of these steps or would like to talk to someone surrounding some support for your school, please do not hesitate to call us on 0345 548 7000 or email georgina.decosta@judicium.com.
Follow us on Twitter: @DPOforSchools and @JudiciumEDU
© This content is the exclusive property of Judicium Education. The works are intended to provide an overview of the sofa session you attended and/or to be a learning aid to assist you and your school. However, any redistribution or reproduction of part or all of the contents in any form is prohibited. You may not, except with our express written permission, distribute or exploit the content. Failure to follow this guidance may result in Judicium preventing you from accessing our sessions and/or follow-up content.