School Cyber attacks – know your reporting duties
Schools hold large amounts of personal data relating to pupils and staff, which makes them particularly vulnerable to data breaches through hacking.
There have been various reports of organisations being subject to hacking in recent months. All organisations are at risk of cyber attacks and schools are no exception.
1. Duty to report
Hacking is a form of 'Unauthorised access to computer material' under the Computer Misuse Act 1990, a criminal offence which can be punishable by imprisonment and/or fine where intent can be proven. It is important to bear in mind that hacking isn't just about some computer geek sitting in a dark bedroom late in the night trying to crack code. Modern hacking is as more likely to be a disgruntled employee or pupil seeking to delete data, change it, or to make it public.
Due to its serious nature, schools should consider reporting concerns of unauthorised access or use to Action Fraud (the UK's national reporting centre for victims of fraud or financially motivated internet crime), to the Information Commissioners Office ('ICO') and to the police.
2. Prevention is better than the cure
In light of the potential devastating impact of hacking, reputational damage and potential ICO penalties for failing to secure data (up to £500,000 fine for serious cases), schools must take reasonable measures to protected against such circumstances arising including:
- restricting access to your system to users and sources you trust, with each user having a unique username and password;
- changing computer passwords on a regular basis and avoiding repeating passwords;
- training provided to both pupils and staff on what constitutes 'unauthorised access;'
- ensure the same level of security is applied to own devices brought on site and any devices taken off site;
- ensure you keep computer equipment and software up to date;
- have anti-virus or anti-malware products regularly scanning your network to prevent or detect threats and ensure these are kept up to date;
- have an ICT policy in place to ensure you address risks in a consistent manner and an acceptable use policy stipulating how the schools computer systems should be used;
- ask your ICT provider to undertake a security audit to the systems containing data to help to identity any vulnerabilities which can be addressed; and
- arrange a free ICO advisory visit. The aims of these visits are to provide small, medium sized charities and not for profit organisations with a one day site visit and to provide practical advice on how organisations can improve their data protection practices.
3. Further information and useful contact details
Further guidance on measures that can be implemented to assist with cyber security includes guidance by the ICO and NEN – The Education Network which can be accessed by using the following links:
NEN – The Education Network guidance:
Government guidance detailing free of charge cyber security programmes and resources available for schools:
If you would like to discuss any aspect of this article further, please contact Chris Billington on 0113 244 6100.
You can also keep up to date by following Wrigleys Schools team on Twitter here
The information in this article is necessarily of a general nature. Specific advice should be sought for specific situations. If you have any queries or need any legal advice please feel free to contact Wrigleys Solicitors