Why should a school or MAT have a comprehensive IT security strategy, and what does this entail?

All schools and MATs incur costs in establishing and maintaining IT systems, IT infrastructure and IT security. The UK Information Commissioners Office (ICO) indicates that the costs of maintaining appropriate IT security measures can be used by a school or MAT when deciding what IT security steps need to be taken.

The ICO upholds the information rights in the public interest that ensures data privacy for individuals. The General Data Protection Regulation (GDPR) came into effect on 25th May 2018 and applies to UK businesses and organisations including schools and MATs. More specifically, Principle F of the GDPR covers data integrity and confidentiality (or security) which puts an obligation on every school and MAT to ensure that appropriate security measures are in place to protect the personal data held and processed both in paper form but also in electronic form on IT systems. The ICO further states that steps taken by each organisation (a school or MAT) must be appropriate, both to the circumstances and the risks that the IT systems and the IT infrastructure create, and this varies according to the IT systems used by each school and MAT.

Whilst there are clear data security principles defined within GDPR that apply to IT systems, it is for each school or MAT to determine what level of IT risk they feel is appropriate for their specific school or MAT. Failure to comply with GDPR for IT can result in significant fines being incurred by the school or MAT. In 2020 alone, the ICO fined various organisations for differing GDPR IT related breaches including:

  • Ticketmaster UK Limited fined £1.25 million for failing to keep its customers’ personal data secure as it failed to put appropriate security measures in place to prevent a cyber-attack on a chat-bot installed on its online payment page.

  • Marriott International Inc fined £18.4 million as it failed to put appropriate technical or organisational measures in place to protect the personal data being processed on its IT systems.

  • British Airways fined £20 million for processing a significant amount of personal data with weaknesses in its security measures when solutions were available at the time that would have prevented the successful cyber-attack.

  • Cathay Pacific Airways Limited fined £500,000 for failing to protect the security of  its customers’ personal data as malware was installed that harvested data resulting from a catalogue of other errors that were found. These errors included no password protection on back-up files; unpatched software on internet-facing servers; use of operating systems that were no longer supported by the supplier and inadequate anti-virus protection.

  • DSG Retail Limited fined £500,000 after a ‘point of sale’ computer system was compromised as a result of a cyber-attack due to various vulnerabilities including inadequate software patching, absence of a local firewall, lack of network segregation and no routine security testing.

It is worth noting that GDPR security principles cover a school or MAT’s IT processing of personal data; not just cybersecurity and this includes confidentiality, integrity and availability of that data in the various IT systems. However, outsourcing any, or all aspects of IT security does not negate the school’s or MAT’s GDPR obligations i.e. outsourcing does not transfer any of the school’s or MAT’s GDPR obligations in the IT domain.

Failure of a school or MAT to take reasonable precautions with their IT systems, IT infrastructure and IT security can lead to a GDPR breach. Any GDPR breach through non-compliance is likely to lead to the ICO imposing a fine on the school or MAT and the fine can up to 4% of the organisation’s turnover, with a maximum fine of €20m. The repercussions of any school or MAT incurring such an ICO fine is likely to be catastrophic, putting the school’s or MAT’s ongoing survival in serious doubt.

Each school and MAT should now be able to understand the implications of IT non-compliance with GDPR. They should also be able to recognise that all IT systems, IT infrastructure and IT security need to be carefully considered and evaluated to ensure compliance with GDPR. In the next blog we will consider what this means for a school or MAT.

Latest News

Featured
Handforth Grange Primary School has been shortlisted for the Tes Awards 2024
Handforth Grange Primary School has been shortlisted for the Tes Awards 2024

Mrs Andrea Booth, Head Teacher of Handforth Grange Primary School, expressed her pride and joy in the school’s recent outstanding achievement: “Receiving an outstanding rating from Ofsted is a testament to the dedication and collaborative spirit of our exceptional staff, parents, pupils and the entire school community.

She added: “We are delighted to announce we have been shortlisted for the 2024 TES Primary School of the Year award and we are looking forward to attending the ceremony event in London.

Jon Severs, Editor of Tes Magazine said, “Congratulations to all the shortlisted entries – the standard was so high this year despite the challenges schools face. It is critical we celebrate excellence and share it widely so we can ensure that the fantastic work happening in education is properly recognised.” 

Winners will be announced on 21st June at a glittering gala awards night at the Grosvenor Hotel, Park Lane, in London.

Read More →
Early Life Group at Frank Field Education Trust has been shortlisted for the Tes Awards 2024
Early Life Group at Frank Field Education Trust has been shortlisted for the Tes Awards 2024

The best schools and teachers across the country have been shortlisted in this year’s Tes Schools Awards. The Tes Schools Awards, which have been dubbed the ‘Oscars of education’, is a prestigious awards programme which celebrates the best of education across the UK. It has now been revealed that Frank Field Education Trust and The Ellesmere Port C of E College has been shortlisted in the category of The Tim Brighouse Community Engagement Initiative of the Year award.

Read More →
The Rt Hon. The Lord Field of Birkenhead: 1942 – 2024
The Rt Hon. The Lord Field of Birkenhead: 1942 – 2024

It is with huge sadness that we heard about Frank’s passing. 

Throughout his impressive career, Frank gave his life to improving the lives of those around him. His unwavering commitment to social justice not only defined his decades of public service, but is also the foundation stone for so many causes and organisations he was involved in.

That is why, as the founder of Frank Field Education Trust, our mentor and, above all, our friend, he had such a profound impact on our multi-academy trust and all those who are connected to our schools. Frank’s focus on ensuring that all young people have access to the same educational opportunities is at the heart of everything we do. Chris Hampshire Chair of The Frank Field Education Trust, stated that he will do all he can to ensure Frank’s vision and legacy lives on.

Read More →
Handforth Grange achieves United Against Bullying GOLD School status
Handforth Grange achieves United Against Bullying GOLD School status

Handforth Grange has been awarded the United Against Bullying GOLD School status by the Anti-Bullying Alliance, marking a significant achievement in their commitment to creating a safe and inclusive environment for all pupils. The United Against Bullying programme aims to support schools in their efforts to combat bullying and enhance the overall well-being of all pupils.

Handforth Grange’s attainment of the United Against Bullying GOLD School status underscores their dedication to creating a nurturing and inclusive learning environment where every student feels valued and protected. Achieving this recognition is no small feat, as it requires a concerted effort and commitment from the entire school community.

Read More →
Handforth Grange Primary School celebrates as it receives Ofsted ‘Outstanding’ rating
Handforth Grange Primary School celebrates as it receives Ofsted ‘Outstanding’ rating

Handforth Grange Primary School (HGPS) was recently inspected by Ofsted and has been graded OUTSTANDING after its first Ofsted inspection since joining the Frank Field Education Trust.

The school was rated as ‘outstanding’ in all five key judgement areas, which include: The Quality of Education, Behaviour and Attitudes, Personal Development, Leadership & Management and Early Years provision.

Read More →
Vacancies to sit on the Birches Head Academy Governing Body
Vacancies to sit on the Birches Head Academy Governing Body

At Birches Head Academy, we have provision for two parent governors and there is currently a vacancy as one of our parent governors will sadly reach the end of his term this summer.

No special qualifications are needed, and the most important thing is to have a keen interest in the school and be prepared to play an active part in the local governing board’s work. Training is available for all local governors and the Trust has an expectation that those new to being a local governing board member undertake induction and safeguarding training.

Read More →