Data Breach Management Procedure for Schools
Schools must have an appropriate procedure in place to detect, assess and, where necessary, report data breaches. Please find below a template Data Breach Management Procedure, which includes useful guidance and templates that can be used by schools when managing data breaches. You should download the template procedure and complete and revise the highlighted sections as appropriate.
Please note: you will need to review and revise some of the highlighted sections of the Data Breach Management Procedure depending on whether or not your school has appointed the Education Authority (EA) as its Data Protection Officer (DPO). This is clearly explained in the template Data Breach Management Procedure. For further information on appointing EA as your School’s DPO, please see the Data Protection Officer (DPO) Service for Schools section within this Data Protection School Resource Hub.
Your School’s Data Breach Management Procedure should be made available to all School staff to guide them in the event of a data breach.
If your School has appointed EA as its DPO and needs to report a personal data breach, further guidance on how to do so (including the Data Breach Report Form to use) is also set out below.
Reporting a personal data breach
A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
Many personal data breaches are accidental, for example sending personal data to an incorrect recipient or the loss of a file or computing device containing personal data, while others are deliberate such as unauthorised access by a third party.
If you believe that a personal data breach may have occurred you should report this to your school’s Data Protection Officer (DPO) immediately. If your school has appointed the Education Authority (EA) as its DPO, it should report any data breaches to EA’s Information Governance (IG) team. It is crucial that breaches are reported as soon as a breach becomes known in order that any remedial actions can be taken at once. To report a breach to EA please download the data breach report form below, complete the form providing as much detail as possible and return it to the IG team following the instructions at the bottom of the form.
If your school has appointed EA as its DPO, the IG team will provide support and advice in the event of a data breach. The team will assist in considering whether the breach poses a risk to people and the likelihood and severity of the risk to people’s rights and freedoms following the breach. Not all data breaches are reportable to the Information Commissioner’s Office (ICO). However, if it is likely that there will be a risk to individuals, then the ICO must be notified. If your school has appointed EA as its DPO, the IG team will manage the reporting of all notifiable breaches to the ICO.
Preventing personal data breaches
The ICO has produced guidance on how to prevent some common personal data breaches which occur in the Education sector. This highlights some key considerations when processing personal data and may also be of use to schools to include as part of their data protection training for staff.