
Month: May 2024

Why Schools Shouldn’t Share Security Information Online

In an age where transparency is highly valued, it is understandable that schools want to keep parents, students, and staff well-informed about what’s going on. However, when it comes to security, it’s best to keep things under wraps.

Here are just a few reasons why schools shouldn’t post their Critical Incident Plans or IT Disaster Recovery Plans on their websites:

1. You don’t have to!

There is government guidance available to all schools that tells them exactly what must or should be published on a school website. It is regularly updated, and you can find it using the links below:

What maintained schools must or should publish online

What academies and further education colleges must or should publish online

2. Keep Your Plans Secret – Increase Your Cyber Resilience

Imagine if someone who wanted to cause trouble knew exactly how the school handles emergencies or IT Disasters. When security plans are posted online, it’s like giving potential attackers a blueprint of the school’s defences. Perpetrators could find weak spots and take advantage of them or target individuals to gain access to school systems. By not sharing this information online, schools reduce that risk and immediately increase cyber resilience.

3. Protecting Personal Information

School security plans often include information about the people who keep the school safe. This might encompass names, roles, access levels, and even personal contact details. If these details are shared online, not only could this be a potential breach of UK GDPR, but those individuals could be at risk of being targeted, perhaps by phishing.

4. Insurance Policies

If you left a note on your car that let someone know where the keys were, would you expect your insurance company to pay out if it was stolen? Publishing detailed school security and recovery plans on your school website may void insurance policies, so please check the small print. To be on the safe side – don’t publish them!

Transparency is crucial in many aspects of school administration, but security information should be handled with the utmost discretion so that schools can better protect their students, staff, and wider school community from potential threats.

 

We support schools and MATs all over the UK. CONTACT US today to find out how Education Data Hub could support you.

How to Deal with Freedom of Information Requests in Schools.

What is a Freedom of Information Request?

A Freedom of Information (FOI) Request is a request made by any member of the public for information held by public authorities or publicly owned companies. Schools therefore fall under the Freedom of Information Act.

  1. Under the Act, public authorities are obliged to publish certain information about their activities in a publication scheme. Every organisation is required to have a publication scheme which sets out what information the public authority holds and, if that information is public, where it can be found.
  2. Under the Act, public authorities must provide information to anyone making a written request.

This Act does not give people access to their own personal data.

Who can make a Freedom of Information Request?

Anyone can make a valid freedom of information request – they do not have to be UK citizens, or resident in the UK.

Freedom of information requests can also be made by organisations, for example a newspaper, a campaign group, or a company.

If you are concerned about the validity of a request see the ICO guidance (What makes a valid request? | ICO) and talk to your DPO. However, it is likely that any request in writing will be valid.

Do we have to respond to every Freedom of Information Request?

Yes, under the Act you must release the information unless there is good reason not to.

There are two scenarios where you may not have to answer an FOI request: if you have a right to refuse the request, or if an exemption applies.

Your Data Protection Officer will help you decide if either of these options applies.

What if I don’t know the answer?

You only have to disclose information you hold in a reportable format; you do not need to create information merely to respond to the request. If you do not hold recorded information, you do not have to respond to that question.

When do we have to respond by?

Under the FOI Act 2000, you must respond to requests for information within 20 working days, counting the first working day after the request is received as the first day. The time allowed for complying with a request starts when your organisation receives it, not when it reaches the relevant member of staff.

Section 1 (3) of the Act states that if you require clarification from the requester, the time does not start until you receive the extra information you required to complete the request.

How do we respond to a Freedom of Information Request?

Here at Education Data Hub, we provide schools with a ‘How to Guide’ for dealing with FOIs.

Following this guide, the first step is to log the request. It is good practice to keep a log of all requests you have received, the relevant dates and your response, to produce an audit trail for your school.

Once the school has logged the FOI request, it will receive correspondence from us, as its data protection officer, with advice on how to deal with the request. This will contain a template acknowledgement letter and a response template for your answer.


If you require any assistance with dealing with Freedom of Information Requests, or any other Information Requests, please get in touch at [email protected]

 

Updates to DfE Cyber Security Standards May 2024

Updates to the DfE Cyber Security Standards for schools and colleges were published today (20th May 2024) and our EDH Cyber Team are proud to have been involved and referenced in them as a source of help for schools aiming to improve their cyber resilience.

Given the increasing reliance on technology in education, the importance of cyber security in schools cannot be overstated. It is essential for numerous reasons, from protecting sensitive information, to supporting business continuity, to maintaining trust in your digital systems.

The updated cyber security standards address tasks that should be completed by both the senior leadership team in a school and IT support. It is recognised that cyber security is not something that IT teams can carry out alone – it is a shared responsibility between multiple roles and teams. The updated standards contain the same key information as the previous cyber security standards, but the format has changed to make them more accessible to staff without cyber expertise.

A human layer of cyber security is integral to school cyber defences. Fostering a culture of awareness, education, and vigilance significantly reduces the risk of cyber threats and can improve cyber security posture and compliance with data protection obligations.

To find out how we can help you improve your school cyber resilience, have a look at the services we offer or email us at [email protected]