Navbar button The Headteacher

How secure is your school data?

November 24, 2021, 11:28 GMT+1
Read in 8 minutes
  • Governance expectations for cyber security are changing. Mark Orchison outlines what you need to know...
How secure is your school data?

Having an adequate data protection programme is imperative to protecting the members of your school community. Primary schools must take a variety of measures into consideration when approaching data privacy and cyber security requirements in order to ensure they’re doing things right.

Within this article, we’ll cover how to handle personal data properly, the changing governance expectations and the associated risk context, and resources to help your school with data protection compliance.

Through understanding these aspects of GDPR compliance, you’ll be able to build the foundations of a sufficient privacy culture and protect your data subjects from cyber threats. 

Handling personal data

Under GDPR, the school is the controller of its members’ personal data. The school is responsible for protecting the data of:

  • students
  • staff
  • parents and
  • members of the public.

When you’re handling personal data, procedures must be implemented to ensure it’s adequately protected. You can do this by:

  • Being open and transparent about how data is processed and why it’s needed.
  • Processing the minimum amount of personal data necessary to fulfil the purposes for which it was collected.
  • Ensuring that appropriate security and controls are in place to prevent data being mishandled.
  • Taking responsibility for data that belongs to other people and safeguarding it while it’s under your control.
  • Building trust between your school and the people whose data is processed through open communication about data handling and data protection practices.

Recognising that data subjects have a right to control over their personal data, while striking a balance with the needs of your organisation and wider society.

Changing governance expectations

The Academy Financial Handbook has been updated and renamed as the Academy Trust Handbook. The requirements and guidance within the handbook have been building over recent years, with the update this year emphasising three areas.

The first area focuses on reserving places in your governance structure for parents and other stakeholders. The second highlights the benefit of commissioning an external review of governance as a means for identifying improvements.

And thirdly, the handbook emphasises cyber security. The Governance Handbook is likely to follow these cyber security requirements in its update in October. 

The Handbook states:

  • 6.16 Academy trusts must also be aware of the risk of cybercrime, put in place proportionate controls and take appropriate action where a cyber security incident has occurred.
  • 6.17 Trusts must obtain permission from ESFA to pay any cyber ransom demands. ESFA supports the National Crime Agency’s recommendation not to encourage, endorse, or condone the payment of ransom demands. Payment of ransoms has no guarantee of restoring access or services and is likely to result in repeat incidents.

So, what can your school do? Well, first, you can prioritise understanding the threat context.

Cyber threat context

Recent research from Microsoft suggests that education providers across the world are increasingly falling victim to malware encounters. In June 2021, over 64% of all reported enterprise malware encounters across all industries involved organisations in the education sector.

This isn’t just a blip, though; the education sector has averaged this disproportionate volume of malware encounters for over nine months.

We already know some of the reasons why this increase is occurring. Schools have traditionally taught children in the classroom. However, distance learning creates a larger attack surface, with people at home often having lower security protections than at school.

Weaknesses in device and system security and management make it easier for attackers to compromise accounts, spread malware and potentially gain access to sensitive information.

These challenges have been widely reported. The National Cyber Security Centre in the UK, for example, notified all educational organisations in September 2020, March 2021 and June 2021 of the increasing cyber risks.

In December 2020, the FBI and associated authorities published an urgent security notice communicating the risk of cyber threats to distance learning programmes.

In April, John Gilbert, chief information officer of the DfE, warned that “it is important that as heads of Multi Academy Trusts you understand the nature of the threat and the potential for ransomware to cause considerable damage to your institutions in terms of lost data and access to critical services […] Part of this is identifying your ‘crown jewels’ and ensuring you have an incident action plan, along with your defences. Having the ability to restore the systems and recover data from backups is vital in the event of an incident.”

We’ve been warned!

This threat is becoming so severe that even schools that haven’t suffered a malware encounter are being impacted. The increased frequency of cyberattacks has increased the number and severity of risks posed to schools’ information systems.

For those who are insured, an additional consequence is that there’s an increased likelihood of insurers having to cover consequential damages in the event of a successful attack.

Effective information and cyber security is about understanding your school’s susceptibility to vulnerabilities being compromised. Through identifying and managing those vulnerabilities, your setting will be protected to an extent that is reasonably possible.

Training staff

The privacy culture within your school community is an important aspect of understanding how GDPR compliance works. With this, when approaching your data protection compliance programme, the correct people will be informed on the correct aspects of the programme.

This can be successfully achieved through training. Ensuring that staff are sufficiently trained allows data protection leaders and teams to understand what measures should be implemented to protect the members of your school, and where the roles and responsibilities should be shared cross-departmentally. 

A Guide to Data Protection Law: Education

Tes Develop and 9ine jointly offer a training course, ‘A Guide to Data Protection Law: Education’, that ensures schools are adequately equipped to advance their GDPR compliance programmes.

It covers key terms within UK data protection law, the legal requirements for data protection, the underlying principles of data protection law, your responsibilities in an education setting, and the key risks and challenges in an education setting.

The GDPR applies to both automated personal data and to manual filing systems where personal data is accessible according to specific criteria.

By utilising the applicable information and resources within this training course, your school can rest assured that its data protection team understands the foundations of data protection and privacy under the GDPR.

Points to remember

  • You are responsible: your school is a data controller, responsible for handling pupil, staff, parent and public data. You must follow proper procedures to keep it safe and abide by the law.
  • Understand the threat context: distance learning creates a larger ‘attack surface’, meaning those who want to carry out cyberattacks on your school have a better chance of being successful.
  • Have an incident action plan: you need to be able to restore your school’s systems and recover data in the event of an attack.
  • Mitigate the risks: ensure that your staff know how to handle personal data, what their own GDPR responsibilities are and what they need to do in the event of a data breach.
  • Be aware: the GDPR applies not just to automated personal data, but also to manual filing systems where personal data is accessible. Are physical and technological barriers in place to keep data locked up in your school?


Mark Orchison, education privacy and cybersecurity expert and founder of education technology consultancy 9ine Consulting.