In the earlier blog we looked at ‘why should a school or MAT have a comprehensive IT security strategy, and what does this entail?’
In this blog we explore what GDPR compliance means for a school’s or MAT’s IT systems and IT security.
To ensure GDPR IT compliance, each school or MAT needs to undertake a detailed assessment of its IT systems and services for confidentiality, integrity and availability, including that of the personal data processed within them. The assessment should evaluate the steps needed to restore access to IT systems and personal data in a timely manner should a physical or technical incident arise, and the school or MAT must have processes in place that regularly test and validate the effectiveness of the counter measures deployed (both are explicit requirements of Article 32 of the GDPR). These checks should form part of a regular, detailed IT risk assessment.
When GDPR came into force in May 2018, schools and MATs evaluated the requirements and implemented solutions to ensure compliance, predominantly focused on personal data and data protection. However, as identified above, GDPR compliance for a school or MAT also covers the IT systems themselves, because those systems are the attack surface through which cyber-attacks, phishing and other fraud or disruptive activity penetrate the school’s or MAT’s systems and networks. That attack surface includes the operating system software (for example Windows 11), the application systems (for example Outlook) and the network itself, including its internet connection. It is not limited to networked components: a USB memory stick plugged into a PC that is itself connected to the network can carry malware past the network’s perimeter defences and compromise the network from the inside.
An IT security breach may put personal data outside the control of the school or MAT. A detailed risk analysis should therefore be undertaken that reviews not only the organisational policies but also the physical and technical measures deployed across all IT systems, IT infrastructure and IT security. In addition, an IT security strategy needs to be created and implemented that addresses and mitigates the IT vulnerabilities the analysis identifies.
An IT security breach could result in a school or MAT receiving a fine from the ICO, particularly where the breach is regarded as arising from the school’s or MAT’s non-compliance with GDPR. It is therefore imperative that a school or MAT identifies all of its IT risks and puts mitigating actions in place for each one, because the ICO takes into account both the technical and organisational measures applied when deciding whether a fine should be imposed and, if so, how much.
The administrative and IT security measures a school or MAT puts in place to meet its GDPR obligations for the processing of electronic personal data need to ensure that:
Data is only accessed by those authorised to do so, within any delegated authority limits.
Data is accurate and appropriate to the purpose for which the school or MAT is processing it.
Data is accessible and usable, so that if any electronic personal data is accidentally lost, altered or destroyed the school or MAT can recover it in a timely manner.
Whilst GDPR does not define the specific security measures a school or MAT should have in place, its principles do require a level of IT security that is appropriate to the risks presented by the processing of the electronic data. GDPR takes a risk-based approach to information security, so different solutions will be appropriate in different schools and MATs. The IT security solutions chosen will depend on each school’s or MAT’s individual circumstances and on the risks generated by the specific IT systems it uses.
More specifically, all IT security measures deployed must be appropriate to the nature of the personal data being processed and should cover the following:
IT system security and cyber-security measures that are appropriate to the size and use of the school’s or MAT’s IT systems and networks.
IT data security for all electronic data held within the various IT application systems, and the business operational practices the school or MAT operates around that data.
Online security, including the security of the school’s or MAT’s website and of all other online services and IT application systems used.
Device security, including policies on Bring-your-own-Device (BYOD).
The current state of the art and the cost of implementing and maintaining the counter measures deployed; GDPR expressly allows both to be taken into account when judging what is appropriate.
To conclude, a school or MAT can use various approaches to better understand its IT risks, including developing and establishing an IT strategy. That IT strategy should begin by assessing the current IT set-up through an IT technical audit covering the different IT systems used for teaching and for non-teaching purposes, including back-office administration. The audit provides a benchmark of the health of the school’s or MAT’s current IT set-up, which can then be used to identify where improvements are required to address any weaknesses. The chosen option to close off each weakness can then be developed and implemented. Following each implementation, the effectiveness of that solution needs to be assessed to validate that the weakness has actually been addressed, and the results fed back into the regular IT risk assessment.