Liza Adebisi
While the threat of a new coronavirus caught us by surprise last year, by now we have grown accustomed to an older and more constant threat that menaces not our health but our personal records: data breach and cybercrime.
Luckily, we can rely on regulation and guidance that describe how to help protect our information and combat breaches.
GDPR legislation has been issued to protect data from cyber-attacks and for organisations and individuals to preserve privacy and security against compromise, corruption, and loss.
Nonetheless, many concerns arose when GDPR was first announced by the European Union in 2016 to replace the Data Protection Directive of 1995. Understandably, companies were anxious about meeting compliance and adjusting their record-keeping practices to the new rules.
So, where are we at with GDPR right now? Well, despite the UK leaving the EU, data protection legislation will remain in place under the GDPR act of 2018, now referred to, in Great Britain and Northern Ireland, as UK GDPR. In this sense, not much has changed, and UK organisations that complied with the initial EU guidelines will still meet today’s requirements.
Data breach is still a threat in 2021, and it will likely remain so for years to come. We will continue to hear news of companies, big and small, that have been the victim of cyber attacks or have failed to protect their data, and have consequently had to declare the breach, respond to lawsuits over it, or deal with media attention.
Indeed, the possibility and implications of media involvement should never be underestimated.
Only recently, headlines and articles in news publications have talked about the 2018 claim filed against British Airways, which allegedly lost its customer data. Were it not for the COVID-19 crisis still dominating the front pages, the company’s reputation would be seriously at risk, not an example any other organisation or school would want to follow.
Unfortunately, this won’t be the last report we see of data loss or breaches: with the volume of data accumulated growing year on year, they will always be a risk.
So what is the meaning of this for schools?
Like any other organisation, schools hold enormous amounts of personal data: students’ data, teachers’ data, administration staff’s data and parents’ data, as well as structural data (information about how the school runs), transactional data (records of payments), etc. Data is the most valuable asset in today’s insight-driven society, and as such it must be protected.
Since May 2018, UK schools must adhere to strict guidelines published in the UK GDPR legislation. The regulatory framework is more rigorous than previous legislation and comes with severe penalties for non-compliance.
All UK schools must both comply with the GDPR provisions and prove to regulators that they have various data protection policies in place.
Data is an attractive and valuable ransom for cybercriminals, and schools are often the target of online fraud activity.
The recent pandemic, unfortunately, has added to the issue. Data breaches and hacking attempts have become more frequent as digitisation increasingly becomes a necessity, with many documents and processes now hosted on the web.
Alarmingly, in September 2020 the National Cyber Security Centre (NCSC) issued an alert to the education sector, following a reported spike in ransomware attacks, which caused various levels of disruption.
Many of the incidents reported were ransomware attacks, typically involving the encryption of data by cybercriminals, who then demand money in exchange for data recovery. Because important and sensitive data is targeted by this sort of attack, institutions infected by ransomware see their ability to operate effectively significantly obstructed, and risk fines for breaching GDPR.
According to the NCSC, the 2020 Cyber Security Breaches Survey found that 41% of primary schools, 76% of secondary schools and 80% of further/higher education facilities had identified breaches or attacks in the last 12 months. The incidents recorded reflect a general increase in attacks targeting education in recent years, primarily for financial gain and data theft.
To prevent this from happening, schools must adopt secure systems to store data and adhere to GDPR protocols.
GDPR gives detailed instruction for the processing of personal data kept by the school, be this stored on the school’s website, paper documents, servers, or databases.
In order to ensure regulatory compliance, schools must familiarise themselves with governmental policy and requirements and follow these steps:
For all schools, GDPR compliance is a legal obligation. This means that if a school fails to evidence effective management of all its information systems, the school may be acting against the law and be subject to legal recourse.
Bromcom’s MIS complies with GDPR and is committed to high standards of information security, transparency and privacy. We place a high priority on protecting and managing data in accordance with regulatory requirements.
Bromcom continually seeks to ensure the confidentiality, integrity and availability (to authorised persons) of the personal data we store and process. At Bromcom, we maintain robust technical and organisational security measures to protect personal data against accidental or unlawful destruction or loss, alteration, unauthorised disclosure or access.
Through our technical partnership with Azure, Bromcom inherits and adheres to the same standards upheld by Microsoft.
Bromcom’s partners recently completed a new set of independent third-party ISO and Cloud Security Alliance (CSA) audits to expand their certification portfolio. Microsoft Azure leads the industry with the most comprehensive compliance coverage.
By meeting all regulatory demands, Bromcom is able to offer schools all the reassurance they need around security.
Personal data collected by the school is processed by Bromcom MIS in a private and secure manner in accordance with governmental law.
All data accessed by Bromcom MIS users, such as schools, Local Authorities or Multi Academy Trusts, is processed solely to provide a very wide selection of timely, critical, strategic and up-to-date information, and to manage it.
Here are some examples of data processed by the MIS:
This type of data is hosted by Bromcom and some of it is shared on the MyChildAtSchool portal. The data is for the most part available to parents and guardians of students, as well as teachers and staff, who by contract agree to host the data on the MIS for it to be managed.
The usage of data by Bromcom is fully transparent and detailed at the beginning of any partnership.
Should any data breach occur on the Bromcom platform, the school can contact our service desk. We have the expertise in place to respond to any data or cyber incident that may happen. We will quickly assess the severity of the incident and take responsibility for reporting it to the ICO.
Our product has been developed on the solid base of an ongoing collaboration with schools that has lasted for over thirty years.
Our experience has taught us that what schools care about is having a reliable and secure system with integrated functions and a great user interface at a convenient cost. Therefore, this is also what we care about and what we strive to provide.
Because we understand that demands are constantly changing, and cybercrime is on the rise, we are committed to always innovating our solution to meet any new challenge and comply with official standards.
Bromcom is secure and efficient.
Many things make Bromcom stand out among the competition. To name a few:
If you’d like to know more or check our products, features and services, just drop us a line or call us, we are always happy to help.