So what does GDPR IT compliance mean for a school or MAT and how is IT compliance achieved?

In the earlier blog we looked at ‘why should a school or MAT have a comprehensive IT security strategy, and what does this entail?

In this blog we explore what this means for a school or MAT.

In order to ensure GDPR IT compliance, each school or  MAT needs to undertake a detailed assessment of the various IT systems and services for confidentiality, integrity and availability including the personal data processed within them. This assessment should include evaluating the steps needed to ensure that IT systems access can be restored in a timely manner, should a physical or technical incident arise. This requires having the appropriate processes in place that test and validate the effectiveness of the counter measures deployed, which should form part of a regular detailed IT risk assessment.

When GDPR was implemented in 2018, all schools and MATs evaluated the requirements and implemented solutions to ensure compliance that was predominantly focussed on user data including data security. However, as identified, GDPR compliance for a school or MAT also covers the use of the various IT systems, as these create vulnerabilities to cyber-attacks, phishing and other fraud or disruptive activities through penetrating the IT systems and networks. Such vulnerabilities include IT system software such as Windows 11; IT application systems such as Outlook and network security including an internet connection. However, other local non-networked security vulnerabilities also exist. These vulnerabilities include USB memory sticks connected to a PC that have onward connectivity to a network as this can lead to breaches of the cyber security network defences at the local level.

IT security breach may put user data outside the control of the school or MAT and therefore a detailed risk analysis should be undertaken that includes a review of the organisational policies but also the physical and technical measures deployed for all IT systems, IT infrastructure and IT security. In addition, an IT security strategy needs to be created and implemented that addresses and mitigates the various IT vulnerabilities.

An IT security breach could result in a school or MAT receiving an ICO fine, particularly if the breach is likely to be regarded as the school’s or MAT’s non-compliance with GDPR. It is therefore imperative that a school or MAT identifies all the IT risks and puts in place mitigating actions to address each risk as the ICO will take into account both the technical and organisational measures applied when considering if any fine should be incurred, and if so, how much.

The administrative and IT security measures a school or MAT puts in place to address their obligations to comply with GDPR and the processing of electronic data need to cover the following aspects:

  • Data is only accessed by those authorised to do so; within any delegated authority limits.

  • Accurate and appropriate to why the school or MAT is processing the data.

  • Accessible and usable. Therefore, if any electronic personal data is accidentally lost, altered or destroyed, the school or MAT must be able to recover it in a timely manner.

Whilst GDPR does not actually define the security measures that a school or MAT should have in place, the GDPR principles do require a school or MAT to have a level of IT security that is appropriate to the risks presented through the processing of the electronic data. GDPR takes a risk-based approach to information data security with different solutions being appropriately used within each school or MAT. The various IT security solutions will be dependent upon each school or MAT’s individual circumstances and the associated risks that the specific IT systems used generate.

More specifically, all IT security measures deployed must be appropriate to the nature of the personal data being processed and should include the following:

  • IT system security and cyber-security measures should be appropriate to the size and use of the school or MAT’s IT systems and IT networks.

  • IT data security of all the electronic data within the various IT application systems and the business operational practices operated by the school or MAT.

  • Online security including the security of a school or MAT’s website as well as all other online services and IT application systems used.

  • Device security, including policies on Bring-your-own-Device (BYOD).

  • Current IT developments including the cost of implementation and ongoing maintenance of the various counter measures deployed. 

To conclude, various approaches can be used by a school or MAT to better understand their IT risks including developing and establishing a school or MAT IT Strategy. This IT strategy should assess the current IT setup including an IT Technical Audit that includes assessment of  the different IT systems used for teaching and non-teaching including back office administration. This IT Technical Audit should provide a benchmark on the health of the school or MAT’s current IT set-up. This can then be used to identify where improvements are required to address any weaknesses. The chosen option to close off any weakness can then be developed and implemented by each school or MAT.  Following each implementation, an assessment of the effectiveness of that solution needs to be undertaken to validate that the weakness has actually been addressed.

Latest News

Featured
Handforth Grange Primary School has been shortlisted for the Tes Awards 2024
Handforth Grange Primary School has been shortlisted for the Tes Awards 2024

Mrs Andrea Booth, Head Teacher of Handforth Grange Primary School, expressed her pride and joy in the school’s recent outstanding achievement: “Receiving an outstanding rating from Ofsted is a testament to the dedication and collaborative spirit of our exceptional staff, parents, pupils and the entire school community.

She added: “We are delighted to announce we have been shortlisted for the 2024 TES Primary School of the Year award and we are looking forward to attending the ceremony event in London.

Jon Severs, Editor of Tes Magazine said, “Congratulations to all the shortlisted entries – the standard was so high this year despite the challenges schools face. It is critical we celebrate excellence and share it widely so we can ensure that the fantastic work happening in education is properly recognised.” 

Winners will be announced on 21st June at a glittering gala awards night at the Grosvenor Hotel, Park Lane, in London.

Read More →
Early Life Group at Frank Field Education Trust has been shortlisted for the Tes Awards 2024
Early Life Group at Frank Field Education Trust has been shortlisted for the Tes Awards 2024

The best schools and teachers across the country have been shortlisted in this year’s Tes Schools Awards. The Tes Schools Awards, which have been dubbed the ‘Oscars of education’, is a prestigious awards programme which celebrates the best of education across the UK. It has now been revealed that Frank Field Education Trust and The Ellesmere Port C of E College has been shortlisted in the category of The Tim Brighouse Community Engagement Initiative of the Year award.

Read More →
The Rt Hon. The Lord Field of Birkenhead: 1942 – 2024
The Rt Hon. The Lord Field of Birkenhead: 1942 – 2024

It is with huge sadness that we heard about Frank’s passing. 

Throughout his impressive career, Frank gave his life to improving the lives of those around him. His unwavering commitment to social justice not only defined his decades of public service, but is also the foundation stone for so many causes and organisations he was involved in.

That is why, as the founder of Frank Field Education Trust, our mentor and, above all, our friend, he had such a profound impact on our multi-academy trust and all those who are connected to our schools. Frank’s focus on ensuring that all young people have access to the same educational opportunities is at the heart of everything we do. Chris Hampshire Chair of The Frank Field Education Trust, stated that he will do all he can to ensure Frank’s vision and legacy lives on.

Read More →
Handforth Grange achieves United Against Bullying GOLD School status
Handforth Grange achieves United Against Bullying GOLD School status

Handforth Grange has been awarded the United Against Bullying GOLD School status by the Anti-Bullying Alliance, marking a significant achievement in their commitment to creating a safe and inclusive environment for all pupils. The United Against Bullying programme aims to support schools in their efforts to combat bullying and enhance the overall well-being of all pupils.

Handforth Grange’s attainment of the United Against Bullying GOLD School status underscores their dedication to creating a nurturing and inclusive learning environment where every student feels valued and protected. Achieving this recognition is no small feat, as it requires a concerted effort and commitment from the entire school community.

Read More →
Handforth Grange Primary School celebrates as it receives Ofsted ‘Outstanding’ rating
Handforth Grange Primary School celebrates as it receives Ofsted ‘Outstanding’ rating

Handforth Grange Primary School (HGPS) was recently inspected by Ofsted and has been graded OUTSTANDING after its first Ofsted inspection since joining the Frank Field Education Trust.

The school was rated as ‘outstanding’ in all five key judgement areas, which include: The Quality of Education, Behaviour and Attitudes, Personal Development, Leadership & Management and Early Years provision.

Read More →
Vacancies to sit on the Birches Head Academy Governing Body
Vacancies to sit on the Birches Head Academy Governing Body

At Birches Head Academy, we have provision for two parent governors and there is currently a vacancy as one of our parent governors will sadly reach the end of his term this summer.

No special qualifications are needed, and the most important thing is to have a keen interest in the school and be prepared to play an active part in the local governing board’s work. Training is available for all local governors and the Trust has an expectation that those new to being a local governing board member undertake induction and safeguarding training.

Read More →