All schools and MATs incur costs in establishing and maintaining IT systems, IT infrastructure and IT security. The UK Information Commissioners Office (ICO) indicates that the costs of maintaining appropriate IT security measures can be used by a school or MAT when deciding what IT security steps need to be taken.
The ICO upholds the information rights in the public interest that ensures data privacy for individuals. The General Data Protection Regulation (GDPR) came into effect on 25th May 2018 and applies to UK businesses and organisations including schools and MATs. More specifically, Principle F of the GDPR covers data integrity and confidentiality (or security) which puts an obligation on every school and MAT to ensure that appropriate security measures are in place to protect the personal data held and processed both in paper form but also in electronic form on IT systems. The ICO further states that steps taken by each organisation (a school or MAT) must be appropriate, both to the circumstances and the risks that the IT systems and the IT infrastructure create, and this varies according to the IT systems used by each school and MAT.
Whilst there are clear data security principles defined within GDPR that apply to IT systems, it is for each school or MAT to determine what level of IT risk they feel is appropriate for their specific school or MAT. Failure to comply with GDPR for IT can result in significant fines being incurred by the school or MAT. In 2020 alone, the ICO fined various organisations for differing GDPR IT related breaches including:
Ticketmaster UK Limited fined £1.25 million for failing to keep its customers’ personal data secure as it failed to put appropriate security measures in place to prevent a cyber-attack on a chat-bot installed on its online payment page.
Marriott International Inc fined £18.4 million as it failed to put appropriate technical or organisational measures in place to protect the personal data being processed on its IT systems.
British Airways fined £20 million for processing a significant amount of personal data with weaknesses in its security measures when solutions were available at the time that would have prevented the successful cyber-attack.
Cathay Pacific Airways Limited fined £500,000 for failing to protect the security of its customers’ personal data as malware was installed that harvested data resulting from a catalogue of other errors that were found. These errors included no password protection on back-up files; unpatched software on internet-facing servers; use of operating systems that were no longer supported by the supplier and inadequate anti-virus protection.
DSG Retail Limited fined £500,000 after a ‘point of sale’ computer system was compromised as a result of a cyber-attack due to various vulnerabilities including inadequate software patching, absence of a local firewall, lack of network segregation and no routine security testing.
It is worth noting that GDPR security principles cover a school or MAT’s IT processing of personal data; not just cybersecurity and this includes confidentiality, integrity and availability of that data in the various IT systems. However, outsourcing any, or all aspects of IT security does not negate the school’s or MAT’s GDPR obligations i.e. outsourcing does not transfer any of the school’s or MAT’s GDPR obligations in the IT domain.
Failure of a school or MAT to take reasonable precautions with their IT systems, IT infrastructure and IT security can lead to a GDPR breach. Any GDPR breach through non-compliance is likely to lead to the ICO imposing a fine on the school or MAT and the fine can up to 4% of the organisation’s turnover, with a maximum fine of €20m. The repercussions of any school or MAT incurring such an ICO fine is likely to be catastrophic, putting the school’s or MAT’s ongoing survival in serious doubt.
Each school and MAT should now be able to understand the implications of IT non-compliance with GDPR. They should also be able to recognise that all IT systems, IT infrastructure and IT security need to be carefully considered and evaluated to ensure compliance with GDPR. In the next blog we will consider what this means for a school or MAT.