with confidential information about pupils, staff and parents being leaked onto the dark web.
Files with names such as ‘contracts’ with staff pay scale and contract details, ‘passports’ with scans of pupil passports and ‘SEN information’ were among the first targeted by the cyber attackers.
Such a breach of security triggers notification to the Information Commissioner’s Office (ICO). Data controllers are required to notify the ICO without undue delay and within 72 hours of becoming aware of the data breach.
Controllers may also need to inform the data subjects (although there are some exemptions). In the reported cases, staff and pupils were informed and support was offered.
Implications for safeguarding
From a safeguarding perspective, states that schools are responsible for ensuring that the appropriate level of security protection procedures are in place to safeguard systems, staff and learners. The effectiveness of these procedures should be reviewed periodically.
These incidents come as a timely reminder to schools to update internal breach notification procedures, including incident identification systems and incident response plans.
Check your school’s insurance policy to ensure data breaches are covered and keep the internal breach register up to date.
Further information and support
Links to additional guidance on cyber security, including for governors and trustees, are also cited in KCSIE. ( and )
We offer a range of expert support, guidance and training for staff at all levels to mitigate and handle data breaches effectively and compliantly.
Find out more about data protection and information security for schools