Veritau Learn

Principle 6 – Security

This Principle requires that appropriate technical and organisational security measures are implemented when processing personal data. This includes ensuring that personal information is protected against unlawful or unauthorised processing and against accidental loss, destruction or damage (e.g. a data breach). The school should consider a number of points in relation to information security:

- Escorting visitors and confronting people without lanyards

- Ensuring filing cabinets/storage cupboards are locked

- Following a clear desk policy and locking/securing unattended devices such as computers

- Following school policy on wall displays to prevent unauthorised disclosure

- Ensuring IT devices are encrypted and provide a level of assurance against cyber-attacks

These are just a few examples. What other considerations can you come up with?

Personal Data Breaches

“A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data”

This covers most things that could go wrong with the personal information that a school processes. If personal data has been disclosed to someone who isn’t authorised to see it, is accidentally lost or destroyed, or is recorded inaccurately leading to harm to someone, it is a breach. You must be able to recognise this and report it to the right person.

It is the law that any data breach which is likely to result in a risk to the rights and freedoms of individuals (causing them to suffer financial/emotional/mental or physical harm) must be reported to the ICO within 72 hours. It is therefore imperative that any breaches are reported to the appropriate person in your school or Trust as soon as possible so that a determination can be made about whether the breach should be reported. Not all breaches will meet the reporting threshold. Once the breach has been reported to the appropriate internal person, the school should consult their Data Protection Officer to advise where necessary.

Your school should have a policy in place that outlines your breach reporting procedure. Please refer to this for additional information on your school’s specific process. You should familiarise yourself with this policy after you have completed this training.