Information Technology (IT) has always been an effective school support system particularly in back office operations. However, over the last couple of years IT has become adopted in other areas of a school including providing teachers with the ability to deliver lessons online which was a necessity when Covid-19 lockdowns applied and even now when pupils are following COVID regulations and isolating at home. However, compliance by a MAT with General Data Protection Regulations (GDPR) is predominantly focussed on data security, although GDPR compliance is much wider and includes a MAT’s use and management of the various IT systems.
Furthermore, whilst IT systems are now an integral part of a school’s day to day operation, Trustees’ eyes quickly glaze over and switch off when IT systems and IT risks are mentioned and discussed. Perhaps discussing IT in a Board meeting is boring when compared to teaching and learning, or maybe Trustees feel that it is too technical and complicated and as a result hope that it is someone else’s problem. However, the use of numerous IT systems in schools in a MAT creates IT vulnerabilities through cyber-attacks, phishing and other fraud or disruptive activities including IT systems penetration. Therefore, Trustees need to understand that failure by a MAT to take reasonable precautions with their IT systems, IT infrastructure and IT security can lead to a GDPR breach that could well result in a fine by the Information Commissioner's Office (ICO).
So how do we ensure that Trustees recognise and manage the IT risks and mitigating actions that operating IT systems bring beyond the standard GDPR data protection compliance? Perhaps understanding the risks related to IT non-compliance with GDPR can help focus the Board’s mind! Any IT breach of GDPR can lead to the ICO imposing a fine on the MAT of up to 4% of the MAT’s turnover (with a €20m maximum fine) and that is just one reason why IT is a regular Board agenda item at Frank Field Education Trust. Even a number of well know larger companies and recognised names have received significant ICO fines for IT non-compliance, and MATs are not exempt. In 2020 alone, the ICO fined various organisations for differing IT GDPR breaches. Marriott International Inc was fined £18.4million for failing to put appropriate technical or organisational measures in place to protect the personal data whilst British Airways was fined £20m for processing a significant amount of personal data with weaknesses in the IT security measures deployed.
However, even assuming that IT security and IT risk management are regularly on the Board’s meeting agenda and on the Trustees’ radar, trying to establish what level of IT security measures must be deployed by the MAT is an art, not a science. The UK GDPR legislation states that ‘IT security measures must be appropriate to the nature of the personal data held’ but what does taking reasonable precautions actually mean and whose definition of ‘appropriate’ applies? The repercussions of any MAT incurring a large ICO fine due to a failure to take reasonable IT security measures is likely to be catastrophic, with the MAT’s ongoing survival being put in serious doubt.
As a result, it would not be unreasonable to expect that all MATs to have a clearly defined IT strategy that covers all the IT hardware, IT system software and IT application software as well as IT networks along with a comprehensive IT Risk register. This then supports a collaborative approach that can be taken between the MAT CEO and the MAT’s IT team, to identify the individual IT risks, the level of each risk and what mitigating actions are needed for each of these IT risks. This collaborative approach ensures all parties participate actively in agreeing the IT risks and mitigating actions that the Trustees can oversee and be comfortable that appropriate IT risk mitigation measures have been taken.