As we know from the recent international press, cyber security attacks are growing and will become increasingly costly. Schools and other organisations may be liable if they fail to do enough to protect themselves.
Cyberattacks have been in the news recently. The NHS was seriously affected by the WannaCry ransomware attack that was spread far and wide by email. The more recent global malware attack, said to originate with the Ukrainian MeDoc tax-filing software, has infected organisations in 64 countries. Last year, 46% of UK businesses of all kinds suffered some kind of breach.
Externally corrupted computer systems are also very much part of the landscape for schools which, in common with other businesses, are heavily dependent on the digital technology they use.
Some 61% of businesses hold personal data, not least schools which will keep records of pupils, parents and employees. Some of this data will be “sensitive personal data” within the meaning of the Data Protection Act 1998 (the Act), particularly with regards to pupils. This makes schools particularly vulnerable. Leakage of such data for any reason would be a serious matter. The safeguarding duty on schools will extend to the management of such data and the necessity to keep it secure even from the actions of the most persistent cyber attacker. Schools are obliged to educate teaching staff, management and pupils themselves on the safe use of technology and policies and processes in connection with it.
A cyberattack on a school’s systems may have devastating consequences. At worst, without adequate back-up and recovery resources, a school’s very ability to operate as a viable entity, both operationally and financially, may be put in issue. In some cases, failure to take steps that would protect the school against cyberattack (arguably the NHS failed to take available steps to avoid the WannaCry infection but cost factors were relevant) may result in a breach of contract with parents if the school is incapable to discharge its duties to pupils. The school’s liability is at least mitigated if it takes all reasonable steps to avoid or minimise the consequences of a cyberattack. In any event, the privacy and security of pupil data may be compromised. If it becomes clear that a school did not take adequate steps to protect itself, significant reputational damage may ensue.
Under the Act and the seventh data protection principle, all data controllers must take “appropriate technical and organisational measures against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data”. The relevance to a school’s duties to pupils, parents and staff in the face of possible cyberattack threats is clear. Any failure to put in place technical measures (for example anti-virus protection or software patches) and implement staff training that would help to prevent cyberattacks would put a school in breach of the seventh principle.
“…Gloucester City Council has recently received a six figure fine from the Information Commissioner’s Office (ICO). Some 30,000 emails were unlawfully downloaded through hacking by the activist group Anonymous at a time when the Council was outsourcing its IT systems.”
As a result of an incident in July 2014, Gloucester City Council has recently received a six figure fine from the Information Commissioner’s Office (ICO). Some 30,000 emails were unlawfully downloaded through hacking by the activist group Anonymous at a time when the Council was outsourcing its IT systems. The emails related to Council staff and contained financial information as well as sensitive personal data. The ICO stated that the Council made a serious oversight in not repairing certain system vulnerabilities and this resulted in a breach of the Act. The ICO’s investigation revealed that the Council did not have sufficient security measures in place and provided no relevant oversight of the outsourcing process. Although the fine (“monetary penalty notice” or MPN) was £100,000, the maximum MPN that could be imposed under present law is £500,000. Any entity holding personal data that does not take measures that are appropriate to the nature of the data and the likely degree of harm that could be caused by the security breach by expending costs that are proportionate, could risk a significant MPN if it has acted deliberately or recklessly and the contravention was of a kind likely to cause substantial damage or distress.
When the General Data Protection Regulation (GDPR) replaces the Act in May 2018, MPNs will increase significantly. The maximum may be in the millions as a fixed penalty or a percentage of annual turnover. The GDPR will oblige a school to notify security breaches to the ICO within 72 hours of the event.
There are other aspects to compliance with the GDPR which need attention now. But high-profile cyberattacks underline an equally immediate need for schools to evaluate the personal data they hold and the technical measures (anti-virus packages, encryption, firewalls etc) and managerial processes (awareness promotion, policy development, remote access to data, staff and pupil training) which ensure their integrity and security.
For further advice, please call us on 01483 543210 or alternatively email [email protected]
