
Category: News

AI Training for School Senior Leaders

Whether we like it or not, AI is here and rapidly becoming a fact of life. In order for schools to embrace and harness the potential of AI, it is essential to take strategic control, incorporating principles, practices, tools and governance.

In July 2024 the Audit and Risk Assurance Committee Handbook was updated to include a section on AI. This update requires MATs to be able to answer questions around AI, including:

  • Who owns your AI strategy at Executive level.
  • What appropriate expertise you have to oversee AI Development, and
  • How prepared you are for new regulation.

As a result, we have devised a training session to bolster school senior leaders' knowledge of this area, which will enable them to confidently instruct and advise the remainder of school staff.

Delivered by our Education Data Hub Team Manager, Clare Wilson, this session will cover:

  • What is AI?
  • Regulation and The Regulators.
  • AI Governors, Principles and Policy.
  • Personal Data collected by AI.
  • Where to get started.
  • DPIAs.

We have upcoming sessions that individuals can book onto:

  • 29th January 2025 at 3:30pm via Microsoft Teams.
  • 14th May 2025 at 4pm at The Quad, Chesterfield.
  • 17th September 2025 at 3:30pm via Microsoft Teams.
  • 12th November 2025 at 3:30pm via Microsoft Teams.

Please contact us at [email protected] if you require any assistance with booking training.

A night to remember! Education Data Hub brings home coveted award…

We are honoured to share that Education Data Hub has been awarded the Data Privacy Team of the year award at the PICCASO awards Europe.

Our team were shortlisted for the award alongside huge industry champions such as Royal Mail, Deliveroo, Revolut, and Visa.

This prestigious recognition is a testament to our continued commitment to support best practices in data protection, data privacy, and cyber risk in the education sector.

Big thanks go to the judges for their recognition, to our dedicated team, our loyal schools and MATs, and to our supportive partners. Your continued support inspires us to strive for even greater heights.

We now look forward to the Real Cyber Awards later on this month, with fingers crossed for a similar win in the Cyber Public Service category.

How to Deal with Environmental Information Requests in Schools

What is an Environmental Information Request?

The Environmental Information Regulations 2004 were created to provide public access to environmental information held by public authorities to encourage greater awareness of issues that affect the environment.

Schools have two main obligations under the Regulations. You must:

  1. Make environmental information available proactively.
  2. Respond to requests for environmental information.

What is Environmental Information?

The term "environmental information" is defined in regulation 2(1) of the Environmental Information Regulations 2004.

In short, it refers to all information which relates to the environment in any way. A non-exhaustive list of the types of requests schools could expect is below:

  • Requests for information about buildings and constructions on school sites.
  • Requests for information relating to planning permissions and land sales.
  • Requests for information relating to waste and contamination.
  • Any financial data in relation to environmental information / land use of school sites.

If you are not sure whether a request falls under environmental information, please ask your Data Protection Officer for assistance.

Who can make a request?

Anyone can make a request for information under the Regulations, including members of the public, journalists, researchers, and campaign groups.

An EIR request can be made either in writing or verbally, and it does not need to specifically quote the Environmental Information Regulations. If the request relates to environmental information, you treat it as such.

Do we have to respond to every request?

Yes, you are required to respond to every request, even if your response is that you do not hold that information.

There are exceptions to consider under the Regulations which allow you to withhold information if it is deemed in the public interest to do so. In this case you are still required to respond to the request with your reasoning for withholding the data.

Your Data Protection Officer will help you decide if an exception applies.

What if I don’t know the answer?

You only have to disclose information you hold in a reportable format; you do not need to create information merely to respond to the request. If you do not hold recorded information, you do not have to respond to that question.

You are obligated to offer the requester guidance and support. If you do not have the requested recorded information, you must inform the requester of this. You should clarify why that information is unavailable and share any relevant details you do hold that might assist with their request.

When do we have to respond by?

Under the Regulations, you must respond to the request within 20 working days; however, there is provision to extend the response time to 40 working days if the request is complex and voluminous.

How do we respond to an EIR Request?

Here at Education Data Hub, we provide schools with a ‘How to Guide’ for dealing with Environmental Information Requests.

This works in a similar way to our Freedom of Information process. The first step is for the school to log the request, and from there you will receive correspondence from us, as your data protection officer, with advice on how to deal with the request. This will contain a template acknowledgement letter and a response template for your answer.

If you are unsure whether a request falls under Freedom of Information Act 2000 or Environmental Information Regulations 2004, our client schools can forward the request to us, and we will decide for you.

It is good practice to keep a log of all requests you have received, the relevant dates and your response, to produce an audit trail from your school.

If you require any assistance dealing with Environmental Information Requests, or any other Requests, please get in touch at [email protected]

Data Protection for Designated Safeguarding Leads

The DfE’s Keeping Children Safe in Education statutory guidance states that Designated Safeguarding Leads (DSLs) are required to ‘act as a source of support, advice and expertise for all staff’*

Annex C of the KCSIE outlines that one of the roles of DSLs is to ‘understand relevant data protection legislation and regulations, especially the Data Protection Act 2018 and the UK General Data Protection Regulation’*

Added to that, the concluding report and recommendations of the Independent Inquiry into Child Sexual Abuse suggest significant changes need to be made in the way school staff report concerns.

It has never been more important to ensure your DSLs are equipped to navigate this area of data protection and UK GDPR.

We have devised a training session to bolster and embed DSL knowledge in this area which will enable them to confidently instruct and advise the remainder of the school staff.

Delivered by our Education Data Hub Team Manager, Clare Wilson, this session is aimed at DSLs and Deputy DSLs and will explore:

  • KCSIE 2024
  • the IICSA Recommendations
  • Information Sharing Advice for Practitioners May 2024
  • ICO 10 Steps to Information Sharing to Safeguard Children
  • DfE Dealing with Subject Access Requests Apr 2024
  • and the latest case law

to provide you with a thorough understanding of:

  • Recording concerns
  • Retaining records
  • Transferring records
  • Securing records
  • Sharing information
  • Responding to requests for records

We have an upcoming session that individuals can book onto HERE.

Please contact us at [email protected] to enquire about bespoke sessions for MATs.

 

*information taken from KCSIE May 2024 pending publication Sept 2024

Why Schools Shouldn’t Share Security Information Online

In an age where transparency is highly valued, it is understandable that schools want to keep parents, students, and staff well-informed about what’s going on. However, when it comes to security, it’s best to keep things under wraps.

Here are just a few reasons why schools shouldn’t post their Critical Incident Plans or IT Disaster Recovery Plans on their websites:

1. You don’t have to!

There is government guidance available to all schools that tells them exactly what must or should be published on a school website. It is regularly updated, and you can find it using the links below:

What maintained schools must or should publish online

What academies and further education colleges must or should publish online

2. Keep Your Plans Secret – Increase Your Cyber Resilience

Imagine if someone who wanted to cause trouble knew exactly how the school handles emergencies or IT Disasters. When security plans are posted online, it’s like giving potential attackers a blueprint of the school’s defences. Perpetrators could find weak spots and take advantage of them or target individuals to gain access to school systems. By not sharing this information online, schools reduce that risk and immediately increase cyber resilience.

3. Protecting Personal Information

School security plans often include information about the people who keep the school safe. This might encompass names, roles, access levels, and even personal contact details. If these details are shared online, not only could this be a potential breach of UK GDPR, but those individuals could be at risk of being targeted, perhaps by phishing.

4. Insurance Policies

If you left a note on your car that let someone know where the keys were, would you expect your insurance company to pay out if it was stolen?  Publishing detailed school security and recovery plans on your school website may void insurance policies so please check the small print. To be on the safe side – don’t publish them!

Transparency is crucial in many aspects of school administration, but security information should be handled with the utmost discretion so that schools can better protect their students, staff, and wider school community from potential threats.

 

We support schools and MATs all over the UK. CONTACT US today to find out how Education Data Hub could support you.

 

 

 

How to Deal with Freedom of Information Requests in Schools.

What is a Freedom of Information Request?

A Freedom of Information (FOI) Request is a request made by any member of the public for information held by public authorities or publicly owned companies. Schools are covered, so they fall under the Freedom of Information Act 2000.

  1. Under the Act, public authorities are obliged to publish certain information about their activities in a publication scheme. Every organisation is required to have a publication scheme which sets out what information the public authority holds and, if that information is public, where it can be found.
  2. Under the Act public authorities must provide information to anyone making a written request.

This Act does not give people access to their own personal data.

Who can make a Freedom of Information Request?

Anyone can make a valid freedom of information request – they do not have to be UK citizens, or resident in the UK.

Freedom of information requests can also be made by organisations, for example a newspaper, a campaign group, or a company.

If you are concerned about the validity of a request see the ICO guidance (What makes a valid request? | ICO) and talk to your DPO. However, it is likely that any request in writing will be valid.

Do we have to respond to every Freedom of Information Request?

Yes, under the Act you must release the information unless there is good reason not to.

There are two scenarios where you may not have to answer an FOI request: if you have a right to refuse the request, or if an exemption applies.

Your Data Protection Officer will help you decide if either of these options applies.

What if I don’t know the answer?

You only have to disclose information you hold in a reportable format; you do not need to create information merely to respond to the request. If you do not hold recorded information, you do not have to respond to that question.

When do we have to respond by?

Under the FOI Act 2000, you must respond to requests for information within 20 working days, counting the first working day after the request is received as the first day. The time allowed for complying with a request starts when your organisation receives it, not when it reaches the relevant member of staff.

Section 1(3) of the Act states that if you require clarification from the requester, the time does not start until you receive the extra information you required to complete the request.

How do we respond to a Freedom of Information Request?

Here at Education Data Hub, we provide schools with a ‘How to Guide’ for dealing with FOIs.

Following this guide, the first step is to log the request. It is good practice to keep a log of all requests you have received, the relevant dates and your response, to produce an audit trail for your school.

Once the school have logged the FOI request, they will receive correspondence from us, as their data protection officer, with advice on how to deal with the request. This will contain a template acknowledgement letter and a response template for your answer.


If you require any assistance with dealing with Freedom of Information Requests, or any other Information Requests, please get in touch at [email protected]

 

Updates to DfE Cyber Security Standards May 2024

Updates to the DfE Cyber Security Standards for schools and colleges were published today (20th May 2024) and our EDH Cyber Team are proud to have been involved and referenced in them as a source of help for schools aiming to improve their cyber resilience.

Given the increasing reliance on technology in education, the importance of cyber security in schools cannot be overstated. It is essential for numerous reasons, from protecting sensitive information, to supporting business continuity, to maintaining trust in your digital systems.

The updated cyber security standards address tasks that should be completed by both the senior leadership team in a school and IT support. It is recognised that cyber security is not something that IT teams can carry out alone – it is a shared responsibility between multiple roles and teams. They contain the same key information that the previous cyber security standards held, but the format of this has changed to make them more accessible to staff without cyber expertise.

A human layer of cyber security is integral to school cyber defences. Fostering a culture of awareness, education, and vigilance significantly reduces the risk of cyber threats and can improve cyber security posture and compliance with data protection obligations.

To find out how we can help you improve your school cyber resilience, have a look at the services we offer or email us at [email protected]

Data Protection Day 2024

5 things your school can do TODAY to improve data protection compliance.

The Data Protection for Schools team within The Education Data Hub offer a suite of services designed to support schools in complying with their obligations under UK General Data Protection Regulation (GDPR) and the Data Protection Act 2018.

Our services are delivered by experienced and specially trained information governance specialists, recruited specifically for their experience in data protection and their understanding of the education sector.

We’d like to use this Data Protection Day as an opportunity to remind schools of the importance of keeping up their data protection compliance journey.

School life is extremely fast-paced, busy and pressured. Sometimes schools do not have the time or staff to complete everything that needs to be done; however, all schools have important data protection obligations.

A school’s data protection compliance journey has got to start somewhere, and these are the first 5 things you can do:

1. Check your ICO registration is up to date and includes the correct contact details.

All organisations who process personal information are required to pay a data protection fee to the Information Commissioner's Office. This fee must be renewed annually.

You can find out more information about checking, editing and renewing your ICO registration by clicking here.

2. Contact your Data Protection Officer.

Schools have a statutory obligation to have a data protection officer (DPO). Please make sure your school has a DPO and you know how to get in touch with them.

The role of the DPO is to assist the school in monitoring their compliance by informing and advising you on your data protection obligations. Whether your DPO is internal or external, make sure you are giving them the information they need to be able to support you.

3. Check your training records.

The ICO require organisations to have an all-staff data protection and information governance training programme and to keep records of staff completing this training.

You should keep records of who has had training and make sure you follow up with any staff members who have not completed training recently. Staff who have additional data protection obligations within the school will require an enhanced level of data protection training.

If you find yourself in the unfortunate position of having to report a data breach to the ICO, you will be asked to confirm whether staff have had data protection training within the last 2 years.

4. Change your passwords and encourage your staff members to do the same.

Schools are storing more and more information online, on a variety of platforms such as management information systems, communication applications and behaviour logs. It is important to make sure staff have different passwords for different services and use secure password methods such as the National Cyber Security Centre's three random words approach.

The ICO do not recommend changing passwords regularly. As a general rule, they recommend you get users to create a strong initial password and then only change them if there are pressing reasons, such as breach of your systems resulting in passwords being compromised.

Why not use Data Protection Day as an opportunity to remind staff that they should be creating strong passwords to help ensure data is adequately protected?

5. Check your privacy notice

Providing accessible information to individuals about the use of their personal data is a key element of their legal right to transparency as per the UK GDPR. Have a look on your website for your privacy notice and check when it was last reviewed.

Has your school changed the way it processes data since that review date? For example, has the school signed up to new EdTech providers, or started using Cloud storage? If yes, you will need to put time aside to update your privacy notice, to clearly explain how you process personal data.

 

If you require any assistance or advice on the above, or any other data protection needs, please don’t hesitate to get in touch with us at [email protected].

Email related data breaches in schools: why realising the mistake after pressing send is so common

How many times have you sent an email to someone referring to an attached document, pressed send and seconds later realised you forgot to attach the document itself? It’s a painful and common occurrence.

In schools, like all other industry sectors, emails have become a non-negotiable business tool, critical to the efficient functioning of business. It is second nature to use the convenience of email messaging to communicate with all key stakeholders and providers of services to the school, particularly parents and carers, local authorities and external support services. However, the ease and speed of these tools contributes not only to many emails being sent without attachments but also to some of the most significant causes of personal data breaches. The last ICO Annual Report reflects our clients’ experiences; of the 9,500 data breaches reported to the Information Commissioner in 2021/22, a massive 16.87% were due to data being emailed to the incorrect recipient.

Email data breaches that are reported to us as Data Protection Officer typically stem from human error and consist of:

  • emails sent to the wrong person
  • multiple recipients included in the ‘to’ or ‘cc’ box instead of ‘bcc’
  • incorrect documents attached with sensitive information relating to another individual.

Many of those that report email-related data breaches tell us that the second after they had pressed the ‘send’ button they had realised their mistake! This can cause distress and anxiety not just for the affected data subjects, but also the staff member responsible for the error.

Considering how to prevent a re-occurrence is a really important part of responding to data breaches and near-misses. However, saying “try harder not to make a mistake” isn’t particularly constructive or effective. So, what advice and action can really make a difference when it comes to email-related data breaches in schools?

Thinking fast vs thinking slow

Psychologists such as Daniel Kahneman and neuroscientists such as David Badre explain the complexity of our brains and how we operate in two thinking modes: one ‘fast’ and one ‘slow’. When our brain thinks fast it is automatic, often reacting to a situation or deadline. This is crucial for our cognitive function, helping to keep us safe and to preserve our energy for tasks where more cognitive control is needed. If you’ve ever driven to a destination and wondered how you got there, your thinking fast brain was in charge during the journey!

We also use this thinking fast ability in work, for example, when we send an email quickly. When there are dozens of emails to work through each hour, with many tasks that seem routine, it is understandable to feel pressure to work quickly. During this time, our thinking slow part of the brain is inactive. It is this part of the brain that wakes up the second that email has been sent, and tells us we have forgotten that attachment, or sent the email using CC not BCC.

So, we need to take a minute to let our slower thought process take over and allow time to think in a more considered way. Even the knowledge that you need to check in with the ‘thinking slow’ part of your brain before hitting the send button can prevent a data breach. Setting a ‘delay send’ feature on your outbound emails can really help; here’s how to do it in Office 365 and Google. The option of recalling an email can also be used with some systems; however, it is not a reliable tool to remove email from the recipient’s inbox. Once an email has left your own outbox there are limits to how it can be managed. There are commercial vendors offering email management systems, which either add extensions to existing email systems or offer complete email management systems using algorithms which can help to flag and stop potential errors. For larger organisations, this can be a cost-effective way to reduce risk.


Stop – Think – Check

There are some additional simple measures that can be put in place to prevent a significant proportion of data breaches:

  • Sending an email to the wrong recipient – this frequently happens if there are multiple people in your address book with the same or similar name, or when autofill predicts who you want to email.

Action:  Double check the recipient’s full email address is correct before sending, including the exact spelling of their name. Turn off and don’t rely on autofill if it is enabled.  Here’s how to do that in Office 365 and Google.

  • Sending to multiple recipients as ‘cc’ not ‘bcc’ – sending a message as a ‘carbon copy’ rather than ‘blind copy’ is a common but potentially serious mistake, resulting in the personal email addresses of multiple recipients being exposed.

Action: Where possible, use the school’s communication platform (e.g. ParentPay, Weduc, ClassCharts) to send messages rather than messaging through a school email account. If you are unable to use the school communication platform, ensure you double check ‘bcc’ is selected when it is not appropriate to share recipients’ email addresses with other recipients.

  • Attaching documents – often sensitive documents are attached to an email in error, and a serious data breach can occur if the wrong person receives sensitive data as a result.

Action: Include extra security measures by adding a password to the document – remember to send the password separately (via a different means if possible). Consider sharing documents using tools such as SharePoint or Google Drive instead of attaching them, as extra security controls can be put in place, e.g. specifying the amount of time the recipient can view the document or removing access if a document is shared in error.

Reminders: other areas of good practice for email communications:

  • Post box – inbox: Avoid using your inbox as a filing cabinet – treat it as a post box for information. Delete messages as per school policy or save in an appropriate digital system if retention is needed.
  • Stop the email chain: Avoid ‘reply all’ if this is not needed and do not forward email chains unless you’ve checked the whole chain and it is necessary to share it.
  • Email etiquette: Always be professional when communicating with colleagues, parents/carers and other stakeholders – you are a representative of your school. Remember, school emails are not private and can be requested as part of a Subject Access or Freedom of Information request.   Never use personal emails to communicate school related matters.
  • Email security: Ensure access cannot be gained to your account – be aware of your own email security, use strong passwords and multi-factor authentication and be aware of phishing emails inviting you to click on links. Email security breaches remain a high threat to all industry sectors.

Finally, we are all human, mistakes do happen and when they do, your DPO should be there to help mitigate and learn from data breaches. It is the steps taken to reduce the risk, and actions to prevent reoccurrences in the future, that show you take the security of the data you hold seriously. Continue to reinforce a positive culture of data protection compliance in your school – reporting your data breaches and near misses to your DPO is an important part of that culture.

Author: Jacqui Wheatcroft.