9ine Insights | Latest news from 9ine

ICO Audit - Important Lessons for Schools

Written by 9ine | Dec 2, 2020 9:01:42 AM

In the UK, businesses, organisations and government bodies are mandated to follow specific guidelines in order to protect the sensitive information they are trusted with. The supervisory authority overseeing the application of these guidelines is the Information Commissioner's Office (ICO). It is responsible for enforcing and promoting compliance with the General Data Protection Regulation (GDPR), the Data Protection Act 2018 (DPA18) and other data protection legislation.

Given the reported rise in targeted cyber attacks on the education sector, there is a pressing need for schools to explicitly understand how effective their organisational and technical measures are at protecting the personal data entrusted to them. 

In many cases, school leadership, boards and governing bodies are not even aware of the defences and security controls they have in place, or how to benchmark those they do have. But how can you measure GDPR compliance? The best method for evidencing this is through an audit.

The ICO carried out a programme of audits at multi-academy trusts (MATs) to understand how each organisation processes personal data. The audits were conducted via telephone interviews and onsite visits. 11 MATs, including 325 schools, ranging from nursery school to post-16 education, participated in the voluntary audit exercise. The aim of the exercise was to understand the effectiveness of the current data protection protocols in place at each MAT and identify any shortfall trends. This blog highlights the findings of the ICO’s audit report and summarises the action plan recommended by the ICO to improve data protection practices.

“Since August 2020, the NCSC has been investigating an increased number of ransomware attacks affecting education establishments in the UK, including schools, colleges and universities”
(NCSC, 17 September 2020)

The audit was more of a constructive process for the schools, helping them understand the extent of their compliance and the processing risks related to the rights of the individual under the DPA and GDPR. The audit report highlighted good practices, recommendations and major concerns around non-compliant activities. The ICO audit report focused on three relevant areas: governance and accountability, training and awareness, and data sharing.


Areas of Good Practice

  • Most schools had a designated data protection officer (DPO) in place with specific responsibilities for managing data protection and satisfactory reporting mechanisms to communicate with senior management
  • The vast majority had information governance steering groups or equivalent data protection groups in place, demonstrating a consistent effort by the schools to raise awareness and provide regular updates about data protection compliance activities through internal communication channels (monthly newsletters, bulletins, posters, codes of conduct, etc.)
  • Most schools were operating with an intranet site, or equivalent, where data protection policies and procedures are available to staff
  • Records of consent obtained from individuals, including how and when, were also found to be maintained by most schools
  • Almost all staff interviewed across the MATs were aware of the contact person in their organisation to consult for any information governance-related queries 

 

Areas for improvement

The ICO highlighted a number of areas where schools can make crucial improvements to their governance and accountability. One of the trends found was that every audited school needed to be in a more defensible position with regard to their organisational processes for managing and protecting data. This will help to attain better scores in future audits. Below are the ICO's recommendations for schools to ensure good data protection policies are in place:

1) Robust information risk management framework

Over 70% of the MATs did not have a clearly defined roles and responsibilities framework for managing everyday data protection tasks, records management, information security and data sharing at both a Trust and academy level. Having a robust responsibilities matrix is key to managing your risks in the event of a data breach. Equally vital is the need to maintain a risk register with activity logs and a detailed breakdown of each risk at different levels of severity. A framework for classifying risk and for reporting channels / authorities will make it easier to manage data.

2) Technical deficiencies in contractual requirements

More than half of the schools failed to follow the guidelines on data processor contracts outlined in the GDPR (Articles 25, 28 and 32). 72% also did not have suitable procedures in place with all their processors to ensure GDPR obligations were being met in relation to the notification of personal data breaches, complying with the rights of individuals, and data protection impact assessments (DPIAs).

3) Internal audit requirement 

Almost half of the schools did not have proper internal audit programmes. Internal audits are an important tool to assess, improve and provide assurance of the efficiency of an organisation's policies and procedures.

4) Documenting and data sharing 

Around half of the MATs did not have appropriate documentation protocols in place for recording privacy information relating to the purpose of the data sharing and the legal basis. This also extended to inconsistencies in the privacy notices relating to the lawful basis. In one case, the MAT documented that the data was shared due to a legal obligation but in another section, it showed the same data sharing was done on the basis of consent.

5) Periodical Training

Although the MATs had established good channels for raising data protection awareness amongst their staff, it was evident from the findings that enhanced and more specific training of staff is required. Specialist training is recommended for those designated as a DPO, IT Manager and those responsible for dealing with data breach scenarios. Periodic refresher courses and regular scrutiny of “all” staff's understanding should be carried out from time to time, and an appropriate log of these needs to be maintained.

The ICO audit report is a learning curve for a lot of schools. It’s recommended that schools periodically revisit their record of processing activities (RoPA) and DPIAs, and review existing data protection processes to bring them in line with the GDPR. Non-compliance can invite serious consequences, including hefty fines from the ICO. Hopefully the conclusions from the ICO report are helpful and useful for your own data protection practices.

If you’re still looking for help, you can book a data protection and cyber security workshop with 9ine. The workshops are free of charge and will provide you with school-specific knowledge for making improvements in your school.

ABOUT THE AUTHOR:

Cameron is a PMO at 9ine - providing governance and programme management across operations, sales, marketing and service. With a BA in English Literature, Cameron lends his hand to the occasional 9ine blog here and there.