Skip to main content

Category: News

Data Protection Day 2024

5 things your school can do TODAY to improve data protection compliance.

Data Protection Day 2024 1The Data Protection for Schools team within The Education Data Hub offer a suite of services designed to support schools in complying with their obligations under UK General Data Protection Regulation (GDPR) and the Data Protection Act 2018.

Our services are delivered by experienced and specially trained information governance specialists, recruited specifically for their experience in data protection and their understanding of the education sector.

We’d like to use this Data Protection Day as an opportunity to remind schools of the importance of keeping up their data protection compliance journey.

School life is extremely fast-paced, busy and pressured. Sometimes schools do not have the time or staff to complete everything that needs to be done, however all schools have important data protection obligations.

A school’s data protection compliance journey has got to start somewhere, and these are the first 5 things you can do:

1. Check your ICO registration is up to date and includes the correct contact details.

All organisations who process personal information are required to pay a data protection fee to the Information Commissioners Office. This fee must be renewed annually.

You can find out more information about checking, editing and renewing your ICO registration by clicking here.

2. Contact your Data Protection Officer.

Schools have a statutory obligation to have a data protection officer (DPO), please make sure your school has a DPO and you know how to get in touch with them.

The role of the DPO is to assist the school in monitoring their compliance by informing and advising you on your data protection obligations. Whether your DPO is internal or external, make sure you are giving them the information they need to be able to support you.

3. Check your training records.

The ICO require organisations to have an all-staff data protection and information governance training programme and that you keep records of your staff completing this training.

You should keep records of who has had training and make sure you follow up with any staff members who have not completed training recently. Staff who have additional data protection obligations within the school will require an enhanced level of data protection training.

If you find yourself in the unfortunate position of having to report a data breach to the ICO, you will be asked to confirm whether that staff have had data protection training within the last 2 years.

4. Change your passwords and encourage your staff members to do the same.

Schools are storing more and more information online, on a variety of platforms such as management information systems, communication applications and behaviour logs. It is important to make sure staff have different passwords for different services and use secure password methods such as the National Cyber Security Centres three random words approach.

The ICO do not recommend changing passwords regularly. As a general rule, they recommend you get users to create a strong initial password and then only change them if there are pressing reasons, such as breach of your systems resulting in passwords being compromised.

Why not use Data Protection Day as an opportunity to remind staff that they should be creating strong passwords to help ensure data is adequately protected.

5. Check your privacy notice

Providing accessible information to individuals about their use of their personal data is a key element of their legal right to transparency as per the UK GDPR. Have a look on your website for your privacy notice and check when it was last reviewed.

Have your school changed the way they process data since that review date? For example, have the school signed up to new EdTech providers, or started using Cloud storage? If yes, you will need to put time aside to update your privacy notice, to clearly explain how you process personal data.


Data Protection Day 2024 2If you require any assistance or advice on the above, or any other data protection needs, please don’t hesitate to get in touch with us at [email protected].

Email related data breaches in schools: why realising the mistake after pressing send is so common

How many times have you sent an email to someone referring to an attached document, pressed send and seconds later realised you forgot to attach the document itself? It’s a painful and common occurrence.

In schools, like all other industry sectors, emails have become a non-negotiable business tool, critical to efficient functioning of business.  It is second nature to use the convenience of email messaging to communicate with all key stakeholders and providers of services to the school, particularly parents and carers, local authorities and external support services.  However, the ease and speed of these tools also contributes not only to many emails being sent without attachments but also some of the most significant causes of personal data breaches. The last ICO Annual Report reflects our clients’ experiences; of the 9,500 data breaches reported to the Information Commissioner in 2021/22, a massive 16.87% were due to data being emailed to the incorrect recipient.

Email data breaches that are reported to us as Data Protection Officer typically stem from human error and consist of:

  • emails sent to the wrong person
  • multiple recipients included in the ‘to’ or ‘cc’ box instead of ‘bcc’
  • incorrect documents attached with sensitive information relating to another individual.

Many of those that report email-related data breaches tell us that the second after they had pressed the ‘send’ button they had realised their mistake! This can cause distress and anxiety not just for the affected data subjects, but also the staff member responsible for the error.

Considering how to prevent a re-occurrence is a really important part of responding to data breaches and near-misses. However, saying “try harder not to make a mistake” isn’t particularly constructive or effective. So, what advice and action can really make a difference when it comes to email-related data breaches in schools?

Thinking fast vs thinking slow

Psychologists such as Daniel Kaherman and neuroscientists such as David Badre explain the complexity of our brains and how we operate in two thinking modes; one ‘fast’ and one ‘slow’.  When our brain thinks fast it is automatic, often reacting to a situation or deadline. This is crucial for our cognitive function, helping to keep us safe and to preserve our energy for tasks where more cognitive control is needed. If you’ve ever driven to a destination and wondered how you got there, your thinking fast brain was in charge during the journey!

We also use this thinking fast ability in work, for example, when we send an email quickly. When there are dozens of emails to work through each hour, with many tasks that seem routine, it is understandable to feel pressure to work quickly. During this time, our thinking slow part of the brain is inactive. It is this part of the brain that wakes up the second that email has been sent, and tells us we have forgotten that attachment, or sent the email using CC not BCC.

So, we need to take a minute to let our slower thought process take over and allow time to think in a more considered way. Even the knowledge that you need to check in with the ‘thinking slow’ part of your brain before hitting the send button can prevent a data breach. Setting a ‘delay send’ feature on your outbound emails can really help; here’s how to do it in Office 365 and Google. The option of recalling an email can also be used with some systems, however it is not a reliable tool to remove email from the recipient’s inbox- once an email has left your own outbox there are limits to how it can be managed. There are commercial vendors offering email management systems, which either add extensions to existing email systems or offer complete email management systems using algorithms which can help to flag and stop potential errors, and for larger organisations, it can be a cost-effective way to reduce risk.

Email related data breaches in schools: why realising the mistake after pressing send is so common 3

Stop – Think – Check

There are some additional simple measures that can put in place to prevent a significant proportion of data breaches:

  • Sending an email to the wrong recipient – this frequently happens if there are multiple people in your address book with the same or similar name, or when autofill predicts who you want to email.

Action:  Double check the recipient’s full email address is correct before sending, including the exact spelling of their name. Turn off and don’t rely on autofill if it is enabled.  Here’s how to do that in Office 365 and Google.

  • Sending to multiple recipients as ‘cc’ not ‘bcc’ – sending a message as a ‘carbon copy’ rather than ‘blind copy’ is a common but potentially serious mistake, resulting in the personal email addresses of multiple recipients being exposed.

Action:  Where possible, use the school’s communication platform (i.e. ParentPay, Weduc, ClassCharts etc) to send messages rather than messaging through a school email account.  If you are unable to use the school communication platform, ensure you double check ‘bcc’ is selected when it is not appropriate to share recipients email addresses with other recipients.

  • Attaching documents – often sensitive documents are attached to an email in error, and a serious data breach can occur if the wrong person receives sensitive data as a result.

Action:  Include extra security measures by adding a password to the document – remember to send the password separately (via a different means if possible).  Consider sharing documents using tools such as SharePoint or Google Drive instead of an attaching them, as extra security controls can be put in place, i.e. specifying the amount of time the recipient can view the document or removing access if a document is shared in error.

Reminders: other areas of good practice for email communications:

  • Post box – inbox: Avoid using your inbox as a filing cabinet – treat it as a post box for information. Delete messages as per school policy or save in an appropriate digital system if retention is needed.
  • Stop the email chain: Avoid ‘reply all’ if this is not needed and do not forward email chains unless you’ve checked the whole chain and it is necessary to share it.
  • Email etiquette: Always be professional when communicating with colleagues, parents/carers and other stakeholders – you are a representative of your school. Remember, school emails are not private and can be requested as part of a Subject Access or Freedom of Information request.   Never use personal emails to communicate school related matters.
  • Email security: Ensure access cannot be gained to your account – be aware of your own email security, use strong passwords and multi-factor authentication and be aware of phishing emails inviting you to click on links. Email security breaches remain a high threat to all industry sectors.

Finally, we are all human, mistakes do happen and when they do, your DPO should be there to help mitigate and learn from data breaches.  It is the steps taken to reduce the risk, and actions to prevent reoccurrences in the future, that show you take the security of the data you hold seriously.  Continue to reinforce a positive culture of data protection compliance in your school – report your data breaches and near misses to your DPO is an important part of that culture.

Author: Jacqui Wheatcroft.

What the DfE Cyber Standards mean for you

What the DfE Cyber Standards mean for you 4

The DfE Cyber Standards for Schools aim to guide schools in meeting a minimum standard for cyber security, user accounts and data protection, and can support settings in implementing safer practices for all staff and students.

Having worked on school cyber resilience and awareness projects with the DfE and the National Cyber Security Centre, The Cyber Team at Education Data Hub are ideally placed to support school leaders in meeting the DfE Cyber Security Standards for Schools, which were updated on 10th October 2022.

These new cyber standards should be met by schools as soon as possible.  But what are schools being asked to do and why is it important to meet these standards?  Read our straightforward guide:-

  1. Protect all devices on every network with a properly configured boundary or software firewall. Properly configured firewalls prevent many cyber attacks.
  2. Network devices should be known and recorded with their security features enabled, correctly configured and kept up-to-date.
    Using the security features that devices already have is the most basic form of cyber security
  3. Accounts should only have the access they require to perform their role and should be authenticated to access data and services.
    Successful cyber attacks target user accounts with the widest access and highest privileges on a network.
  4. You should protect accounts with access to personal or sensitive operational data and functions by multi-factor authentication.
    Multi-factor authentication is especially important if an account has access to sensitive or personal data.
  5. You should use anti-malware software to protect all devices in the network, including cloud-based networks.
    Up-to-date anti-malware and anti-virus software reduces the risk from many forms of cyber attack.
  6. An administrator should check the security of all applications downloaded onto a network.
    Applications can insert malware onto a network or have unintentional security weaknesses.
  7. All online devices and software must be licensed for use and should be patched with the latest security updates.
    Hackers try to identify and exploit the vulnerability that each new security update addresses.
  8. You should have at least 3 backup copies of important data, on at least 2 separate devices, at least 1 must be off-site.
    If all copies were held in the same location, they would all be at risk from natural disasters and criminal damage.
  9. Your business continuity and disaster recovery plan should include a regularly tested contingency plan in response to a cyber attack.
    Being unprepared for a cyber attack can lead to poor decisions, slow recovery, and expensive mistakes.
  10. Serious cyber attacks should be reported.
    Cyber attacks are crimes against a school that need to be investigated so perpetrators can be found and counter-measures identified.
  11. You must conduct a Data Protection Impact Assessment by statute for personal data you hold as required by General Data Protection Regulation.
    The protection of sensitive and personal data is vital to the safety of staff and students, and the reputation and confidence placed in schools.
  12. Train all staff with access to school IT networks in the basics of cyber security.
    The most common forms of cyber attack rely on mistakes by busy staff members to be successful.

Our ‘Cyber Ready Project’ was launched at the start of this academic year and has already successfully engaged with over 130 schools who have now started their cyber compliance journey.
CONTACT US to find out more about our Cyber Ready Project and how we can help your school meet these new cyber requirements.

Education Data Hub work with Education Providers across the UK.  Our team members are all former school staff who understand the pressures of a school environment, meaning our support is mindful of the school day/calendar.

Follow us on Linked In

Online Safety – a new normal

Online Safety - a new normal 5Online Safety is not just a computing or IT issue in schools… it links directly with safeguarding, and schools need a range of robust safeguarding policies in place to demonstrate this.

On the 1st September 2022, new content was added to the Keeping Children Safe in Education statutory guidance with the new section covering online safety, remote learning, information security, cyber-crime, and reviewing online safety provision.   The word safeguarding now appears 402 times in the KCSIE, and the word online appears 156 times.

In this digital age, children are users of tech and the internet from a very young age, and I think it’s safe to say that these young generations are the most digitally savvy we have ever had.

We all need to understand just how accessible and engaging the internet is to our young people today.  We have to get into their mindset.  It’s easy as adults to just accept that our children might ‘always be on their phone’, or ‘always looking at a screen’, without us thinking about why?   Why aren’t they out meeting friends and playing like we did when we were their age?  Well, for a start, we probably didn’t have the internet as an alternative!

Persuasive design uses insights from psychology to make products more engaging, and is used extensively in games and social media apps to make sure that users spend as much time as possible on those sites.    Once we understand that psychological tactics such as infinite scrolling, auto-play, or ellipses are utilised to keep people engaged, it easier to understand how our children might get lost in it.

So, what do your children, your pupils, love doing online?  What services and devices do they use?   Do children use the internet in a different way to adults?  Who do they chat to?  What do they see?  What do they share?   The online world can be exciting and inspiring.  Young people can create their own content, play games or watch videos, however, it is important to manage and minimise the associated risks, which can happen anywhere, to anyone, at any time.

Online Safety and Safeguarding don’t have to be topics for Computing or PSHE or RSE.  All staff can play a crucial role in preventative education and find a way to embed messages across the curriculum.  Create a safe space and let pupils know that you will not be angry or upset, but would like to support them in using the internet safely and responsibly.  Use neutral language and avoid being critical of pupils’ online behaviour.  Focus on key risks and the support available, not young peoples’ choices.

For pointers on how to start a conversation, Internet Matters have created a helpful guide to assist in creating an environment to make it easy to talk.

Embedding Online Safety across the curriculum is best achieved through a whole-school approach, with effective policies and reporting routes. As well as supporting young people to stay safe online, school staff also need to protect their own online reputation.

Our Online Safety training webinar has been produced to help school leaders fulfil statutory requirements and has been created with the updated KCSIE and Ofsted in mind.  Please get in touch at [email protected] to enquire about our whole-school staff Online Safety training.

Education Data Hub work with Education Providers across the UK.  Our team members are all former school staff who understand the pressures of a school environment, meaning our support is mindful of the school day/calendar.

Follow us on Linked In












From Vision to Strategy to Daily Good Practice

From Vision to Strategy to Daily Good Practice 6How can growing MATs develop a high-profile culture of privacy, efficiency and trust? 

The School’s Bill may be gone, but the government has indicated that it is wedded to its principles. And although that means we no longer have academisation as a statutory target, the juggernaut is unlikely to be halted in its tracks. 

However, the DfE itself has called existing academy rules “complex,” “inconsistent” and “ineffective”; coupled with revolt sparked last year by the widening of the handbook beyond finances – Multi Academy Trusts are in a no man’s land when it comes to this area of compliance.  The bottom line is, there is no constitutional framework that addresses privacy and data protection.  Therefore, as any good teacher will tell you, if you leave a void where behaviour expectations should be – the behaviour that fills that void is unlikely to be the behaviour that you hoped for. 

So how do MATs develop and prioritise that high profile culture of privacy, efficiency and trust, beyond mere compliance without a framework?   The answer is obviously – work with us at Education Data Hub!   We are very much aware that ‘one size’ fits no-one, so we work with Trusts in an entirely bespoke way. 

There are many reasons this matters from a regulatory perspective, audit, reputation, publicity etc; but we think the most important reasons are respect, trust, transparency, well-being, time, and pride. 

Understanding and documenting where all the elements of compliance sit; from HR to Safeguarding, from records management to IT acceptable use, from CCTV to DPIAs, from curriculum to business management, from recruitment to parent communications, from policies to privacy notices, from ROPAs to cyber security; we work with Trusts to understand and reflect on their own position so an effective gap analysis can be devised to assess new schools coming on board. 

This proactive work makes your reactive work with us so much easier. If the basics above are in place, responding to data breaches, cyber incidents, SARs and FOIs becomes much more straight forward and less draining. All of our staff have a background in education so we know first-hand and inside out the pressures faced by your staff and the impact they can have – be assured you will always get not only an expert but also an empathic and supportive hand to hold.   Please contact us at [email protected] to find out how we can help you.

Further reading: although based on US research and commercial enterprises, this study shows the impact and return on investment a good privacy programme will have: From Privacy to Trust and ROI – Cisco Blogs

Education Data Hub work with Education Providers across the UK.  Our team members are all former school staff who understand the pressures of a school environment, meaning our support is mindful of the school day/calendar.

Follow us on Linked In

Data Privacy Day – a School’s Reflections 

Data Privacy Day - a School's Reflections  7This year, for Data Privacy Day, we’ve been reflecting on the journey that our school clients have taken to improve their data protection compliance. We interviewed one of our clients for their reflections on the changes they’ve made to their data protection practice since working with our service.

Q1) Does data protection matter to you? If so, what is it that makes you think this?
Yes, Data protection absolutely does matter. There are guidelines and legalities that apply to all of us, rightly so, and it is our duty to follow, protect and respond to these. Annual training, GDPR updates and getting into good ‘habits’ reminds me on a daily basis why these matter. Data protection can sometimes seem a minefield, however, it is an area where I feel brilliantly supported by the GDPR team so that makes it feel less frightening and more rewarding.

Q2) How do you keep data protection ‘alive’ in your school?
Annual training as well as regular mentions in staff meetings, staff emails and additional training. It is part of the ‘ethos’ of the school. Staff are aware of data breaches and always bring them to me. These are then mentioned in staff meetings as ‘reminders’ to be vigilant.

Q3) Do you feel you have a positive data protection culture where staff are confident and engaged?
I feel like we have a positive culture in school. I make it very clear that as Headteacher I have over-arching responsibility for much of data protection. As a school we encourage an open and positive culture and communicate well together. Staff are aware that they can speak out on breaches without feeling like they are ‘telling’ on each other. I will always mention if I make any data breaches so that staff know that we are ‘in it together’.

Q4) What is it like working with an external Data Protection Officer? What is it like working with the Education Data Hub Team?
I cannot speak highly enough of the support we get from our Data Protection Officer and Education Data Hub team. Responses to queries are always timely and detailed and a phone call is made if something needs to be spoken about in more detail. Information is always clear and concise.

Q5) What is the most important data protection lesson you have learned in recent years? What do you do differently as a result?
We think much more about how we present names / information regarding children, particularly as we have an increasing number of vulnerable children in school. School reports are always collected rather than handed out, displays are not named, and we double check permissions for naming children outside of school with parents etc.

Q6) What would your advice be to other schools regarding data protection?
Don’t go it alone. Develop a positive culture in school around data protection – encourage staff to be curious but don’t frighten them. Encourage open and honest lines of communication.
Above all, if in doubt – ask! Use the highly skilled individuals in the team and your data protection officer to ask for help – I do it all the time! We can’t expect to be experts ourselves so ask the experts instead!

Many thanks to Catherine Robinson at Stonelow Junior School for taking part in this interview.

To find out more about how our Data Protection Service can help your school, please email us on [email protected]

Top Tips for Schools

Top Tips for Schools 8

Data Privacy Day is celebrated on 28th January every year, so to join in with the celebrations, we asked our schools for their top tips about the importance of Data Protection in schools:

“Don’t go it alone. Develop a positive culture in school around data protection – encourage staff to be curious, but don’t frighten them. Encourage open and honest lines of communication. Above all, if in doubt ask! Use the highly skilled individuals in the EDH team to ask for help – I do it all the time! We can’t expect to be experts ourselves so ask the experts instead!”  Catherine Robinson, Stonelow Junior School.

“It MUST be taken seriously. Look at your emails – having a lax attitude about how we receive, respond to and store communication is one of the ways that we could sleepwalk into loads of bother. And stop saving passwords!!”  Rebecca Fenby, Hady Primary School.

“The small things matter. Keeping data secure and now only writing what is essential makes a huge difference to the possibility of a data breach and therefore of keeping ourselves and our data protected.”  Sarah Bentley, Etwall Primary School.

“Passwords are king. Approach any data with ‘fresh eyes’ and treat all data you handle as if it is your own data.”  Tim Cocking, Eckington Camms Primary School.

“The most important lesson for me is around pupil data and safety. Having started my teaching career over 20 years ago, there were many practices I followed because I knew they worked or that was how it was always done! Looking at how easy it was for someone to gain information about a pupil from a book cover or a school tracker made me rethink how information should be presented and shared in school.”  Prince Regent Street Trust.

To find out more about how our Data Protection Service can help your school, please email us on [email protected]

A Practical Guide for Schools Cyber Incident Response

…or How to Plan for the Proverbial Hitting the Cyber Fan!

With a noted increase in cyber incidents involving schools since Covid, it is
imperative that schools know how they can prepare A Practical Guide for Schools Cyber Incident Response 9and protect themselves against a cyber attack.  

Data has become big business in the world of crime, and with this there has been a rise in the number of cyber attacks. One of the most powerful tools that hackers use is Social Engineering, which relies on manipulation of the end user into first activating the cyber attack, commonly through phishing, although this is not the only method of infiltration. Educating your school staff on understanding hackers’ tools and tactics can help bolster your schools cyber defences.  

In the last six months alone there have been several cyber incidents in schools reported in the media, where personal and special category data has been breached, leaving staff and pupils unable to access school systems. Most recently was an Academy Trust where fourteen schools were affected.  

In the event that school cyber defences are breached, it is vitally important to have contingency plans in place to maintain a minimum level of functionality – not only to safeguard pupils and staff, but to also restore the school back to an operational standard. This planning is known as a Cyber Incident Response Plan (CIRP) and should form part of an overall School Continuity Plan (Disaster Recovery Plan) as per the DfE Cyber Security Standards (Oct 2022).   

The key to a successful Cyber Incident Response Plan (CIRP) and improvement of the schools cyber resilience is the ownership of it by the Governors and Senior Leadership team. This is outlined by the DfE Cyber Security Standards and National Cyber Security Centre (NCSC) By enforcing the school’s cyber strategy, from the top, a culture of cyber compliance is built.  

A robust Cyber Incident Response Plan (CIRP) contains all the information that your school would need to respond to a cyber incident. This includes:  

  • A named Cyber Recovery Team including roles and responsibilities 
  • A list of critical data assets and how long school could function without them 
  • Plans for internal/external communications, including your cyber insurance provider 
  • How to access registers/staff and pupil contact details 
  • Actions log 

Understanding your school’s data and where and how it is stored is key to a successful CIRP. Time should be taken to review and risk assess your school information systems, IT infrastructure, and policies and procedures relating to these as part of an ongoing Cyber Resilience cycle. This enables informed decisions to be made and a formal digital strategy to be developed as part of ongoing school improvements. The DfE Digital and Technology Standards in Schools and Colleges should form a basis for this. 

If technology isn’t your bag, or the busy school environment consumes your time, contact us at Education Data Hub on [email protected] to find out how our Cyber Ready Project can help you. 

Becca De Ville, Service Manager for our Cyber Security for Education Team, will be speaking at the GDPRiS Conference in Bristol and London about cyber response planning for schools.

Cyber Safe Schools

Cyber Safe Schools 10Our thanks go out to Ian Hickling, National Coordinator of Police CyberAlarm and Sam Hancock, Cyber Protect Officer for Derbyshire Constabulary for contributing to a successful IT Provider Round Table meeting on Tuesday 17th Jan.  They both took time out of their incredibly busy schedules to attend and it was much appreciated.

Sam explained exactly what her busy role within Derbyshire Police entailed and how that translated into fantastic cyber security and online safety support for our schools, while Ian spoke about the benefits of registering for Police CyberAlarm before taking questions from IT Providers in attendance, which made for a really interesting and informative session.

Education Data Hub aim to hold these Round Table discussions every half term.  They are designed to be supportive, informative, and collaborative, and bring together school IT suppliers to discuss the challenges of working in and around schools, and the security and privacy issues that impact the education sector.   It provides a chance for School IT Providers to advise us of any concerns they may have and to discuss how we can work together to ensure children are kept safe in a digital world, as well as providing updates on Education Data Hub projects.

We are aiming to hold our next RoundTable meeting in March 2023 and will endeavour to have relevant guests in attendance.  If you are a schools IT Solution Provider, or think you could add value as a guest contributor and would like to attend, please register your interest by completing this short form or email us on [email protected] if you would like to discuss anything raised in this article.

You can find out how we are helping schools improve cyber resilience in our article Meeting the New DfE Cyber Security Standards for Schools – Education Data Hub


Samantha Hancock, Cyber Protect Officer for Derbyshire Police is available to contact on [email protected]