Managing breaches of data

Good practice for preventing personal data breaches in your school. It explains how to recognise and respond effectively to a personal data breach.

A data breach is a security incident that has resulted in personal data you hold being:

  • lost or stolen
  • destroyed without consent
  • changed without consent
  • accessed by someone without permission

Data breaches can be deliberate or accidental. A breach is about more than just losing personal data.

Identify and investigate a personal data breach

UK GDPR places certain legal obligations onto organisations relating to the handling of personal data breaches. It is important to make sure that you’re properly prepared to handle such a breach.

You can find more guidance on personal data breaches on the Information Commissioner’s Office website.

Identify a personal data breach or a suspected personal data breach

The first step is to make sure that all members of staff:

  • are able to recognise when a personal data breach has taken place
  • know how to report it formally within your school

Your school’s data protection officer should:

  • support you throughout the process
  • where necessary, liaise with the Information Commissioner’s Office

Check if any personal data is involved

Once you become aware of a suspected personal data breach, you need to check if the incident involves personal data. If it does, there are actions you’ll need to take.

Understand the type of personal data involved

This is an important step in understanding the seriousness of the breach. You’ll need to understand as soon as possible:

  • what types of personal data are involved
  • who the data subjects are

For example, is it:

  • basic personal details of staff, such as name and email addresses
  • full records of pupils, including special category data such as disabilities and ethnic origin

Take action to limit further impact

Your priority is to establish what has happened to the personal data. You need to find out where the personal data that has been accessed, lost or stolen now is, and who might have it. This will affect the level of risk involved. For example, if you’ve shared some information via email by mistake with another part of your school or trust, this is much less of a risk than an unknown party stealing paper records.

If you can recover the data, you should do so immediately. You should do whatever you can to protect those who’ll be most impacted. This might include:

  • recalling, or asking someone to delete, an email containing personal data sent by mistake
  • retracing your steps or contacting reception if you have physically lost some personal data to see if it has been handed in
  • checking if you can lock or wipe a laptop, phone or tablet containing personal data that has been stolen remotely

Work out how many data subjects might be affected by the breach

You need to be aware of how many people are affected by the breach. This will help you determine the level of risk involved.

Assess the severity of the personal data breach

It is important to make sure that you accurately record all details of the breach. You may need to make an assessment before you have the full details. Based on the information you have so far, you should assess the risk to the data subjects involved.

Risk, in terms of a personal data breach, means the risk to the people who are affected. You’re assessing how seriously you think people might be harmed and the probability of this happening.

Consider all the information currently available, for example:

  • who’s affected
  • how many people are affected
  • the ways it might affect them, such as:
    • safeguarding issues
    • identity theft
    • significant distress

When assessing risk, put yourself into the shoes of those who’ve been impacted. This may help you think about any steps you can take to reduce that risk.

If you’re unsure, get help and support from the Information Commissioner’s Office.

Report the personal data breach

If you decide that there is a risk to data subjects:

  • notify the Information Commissioner’s Office within 72 hours of becoming aware of it
  • inform data subjects, so they can take steps to protect themselves

If you’re unsure how best to handle a breach, call the ICO helpline on 0303 123 1113. They’ll support you assess the impact and appropriate steps, including how to let data subjects know.

Report a personal data breach to the Information Commissioner’s Office.

Review the personal data breach

After every personal data breach or near miss, you should review:

  • what happened
  • how it happened
  • why it happened
  • what actions you can take to prevent it happening again

Do this even if you have determined there are no risks.

It is good practice to record and investigate every personal data breach, however small. Recording every incident allows your data protection officer to spot any trends. If they notice that a particular system or process is regularly having minor incidents, they can reduce the risk and take action to prevent similar breaches from happening again.

You should always make sure you document all lessons and actions you’ve taken.

How to prevent a personal data breach

It is important to take steps to reduce the possibility of personal data breaches occurring. This might include:

  • having mandatory data protection training in place for all staff that includes how to recognise and report a personal data breach
  • having clear and appropriate data protection policies
  • ensuring staff have an awareness of common data breaches and how they can be avoided, such as by checking recipients and attachments are correct before sending emails
  • having appropriate controls in place to protect personal data

Example 1

A member of school staff emailed a spreadsheet containing a number of pupils’ names and ages to a member of staff at a local authority by mistake. The spreadsheet was not encrypted, as it was meant for internal use only.

They realised their mistake immediately and contacted the recipient of the email. They asked them not to read it, and to delete it from their email system. The member of staff then reported it to their data protection team.

The recipient confirmed that they had not opened the attachment and that they had deleted the email entirely.

In this instance, a small amount of personal data was sent insecurely to the wrong person by mistake. The recipient was a known and trusted partner the school often worked with, who confirmed that action had been taken to contain the breach.

Due to the nature of the recipient and the actions taken, the school felt there was not a likely risk to the data subjects. They did not notify the Information Commissioner’s Office but logged the incident internally to consider if there was any action that could be taken to prevent a similar incident happening in the future.

Example 2

A member of school staff uploaded a spreadsheet containing the personal details of all members of school staff to a school app. This meant all users of the app could view the spreadsheet.

The personal data included:

  • names
  • addresses
  • bank details
  • information relating to disabilities
  • National Insurance numbers

The error was not noticed for over 24 hours, until a parent reported it to the school. The spreadsheet was then taken down.

The school sent a message out to ask parents and carers to delete the file if they had downloaded it.

In this instance, sensitive personal data was available to view for over a day to all registered users of the app.

The school reported the incident to the Information Commissioner’s Office because of the:

  • nature of the personal data
  • length of time it was available for
  • lack of control the school had over any further distribution or use

They also made the data subjects aware of the situation.

Example 3

A tablet was stolen during a break-in at a nursery. The tablet contained an app that held the personal details of the children who attended. This included names, addresses and information relating to their time at the nursery.

The tablet was turned off and had strong encryption in place. The app itself was also password protected. After being made aware of the theft, the nursery was able to remotely wipe the tablet.

The nursery felt that sufficient protections were in place to ensure that there was no risk to any of the data subjects. They did not inform either the Information Commissioner’s Office or the data subjects.

Example 4

A ransomware attack took place against a school that resulted in the encryption of all its data. This included the full personal data of more than 1,000 pupils and members of staff, such as information relating to:

  • ethnic origin
  • disabilities
  • bank details

The school had a backup of the data. However, this was also encrypted.

Due to the risks to the rights and freedoms of the data subjects, the school made both the Information Commissioner’s Office and the data subjects aware. The school also reported the incident to the National Cyber Security Centre for support.