The GDPR: When do schools need to report data breaches?

As you should by now be aware, all organisations that process EU residents’ personal data must comply with the GDPR (General Data Protection Regulation). The Regulation intends to unify data protection requirements among EU member states and give individuals more control over the ways their data is used.

As a result, the rules for processing personal data have become a lot stricter. This has caused problems for many organisations, but few have been affected as much as schools and universities, which process huge amounts of personal data but often lack the resources to strengthen their compliance posture.

A major concern is the GDPR’s requirement that organisations report certain types of data breach to their supervisory authority within 72 hours of becoming aware of the incident. It’s one of the toughest rules to meet, but this blog provides you with all the details you need.


What’s considered a data breach?

The term ‘data breach’ is often used synonymously with cyber attacks. However, not all cyber attacks result in data breaches, and not all data breaches are the result of a cyber attack.

A data breach is whenever the confidentiality, integrity and availability of information is compromised. Data doesn’t only need to be stolen to be breached; it might also have been lost, altered, corrupted or accidentally disclosed.

Data breaches can happen to any kind of information, but the GDPR is concerned only with personal data (the definition of which is perhaps much broader than you’d think).


Examples of personal data breaches in schools

  • Unauthorised access: A pupil or unauthorised staff member finds a teacher’s laptop unlocked and uses it to access saved files. The teacher might also have autosaved login details for their email or other accounts, which would give the user access to further information.
  • Deliberate or accidental action (or inaction): A member of staff sends an old PC to be destroyed without wiping the hard drive. Another example is physical records that are thrown away without first being shredded.
  • Accidental disclosure: An administrator sends an email containing a student’s personal data to the wrong recipient.
  • Alteration: Someone accesses the school’s payroll system and enters incorrect information about staff pay grades.
  • Loss of availability: The school suffers a power cut that shuts down access to information that’s only available electronically.


Not all breaches need to be reported

The GDPR states that personal data breaches must be reported only if they pose a risk to the rights and freedoms of those affected. This will be the case if the breach is likely to result in:

  1. Discrimination

This is relevant when the following information is breached:

  • Pupil special needs information
  • Staff and pupil health records
  • Child protection records
  • Staff pay scale and payroll information
  • Pupil progress and attainment records
  1. Identity theft or fraud

This is relevant when the following information is breached:

  • Names, dates of birth and addresses (when breached together)
  • Completed pupil data collection sheets
  1. Financial loss

This is relevant when the following information is breached:

  • Banking information from payroll data or recruitment forms
  • School parent payment software, billing information or bank accounts
  1. Reputational damage

This is relevant when the following information is breached:

  • Staff performance management records
  • Pupil behaviour records
  • Child protection records
  1. Loss of confidentiality

This is relevant when the following information is breached:

  • Staff performance management records
  • Child protection records
  1. Social disadvantage

This is relevant when the following information is breached:

  • Payroll information
  • Pupil premium records
  • Information about pupils receiving bursary or other financial support

Breaches must also be reported whenever sensitive information is affected:

  • Racial or ethnic origin
  • Political opinions, religion or philosophical beliefs
  • Trade union membership
  • Genetic data
  • Health data
  • Data concerning sex life
  • Criminal convictions and offences or related security measures

Sensitive data is held in many places across a school, such as its management information system, staff and pupil recruitment forms, data collection sheets, staff and pupil medical records and minutes of trade union meetings.


Are you GDPR compliant?

Do you think you have everything in place to meet the GDPR’s requirements when a data breach happens? Or are you still figuring out what needs to be done?

Either way, you can get the answers you need by taking our #BreachReady questionnaire.

This quick and easy-to-understand survey will ask you a series of simple questions about your data protection methods. We’ll score you on your setup, and advise you on any weaknesses that we find.

Completing the questionnaire also gives you access to a tailored summary of the steps you must take to prepare for data breaches and comply with the GDPR.


One Response

  1. Orsolya Bhullar 20th November 2019

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.