The ICO has recently published details of a reprimand issued against a primary school following an incident in which a safeguarding email was shared in a classroom via an electronic whiteboard. The reprimand is another example of the ICO's change in regulatory approach to public sector authorities.
Details of Breach
The reprimand states that the ICO found that the school inappropriately disclosed personal data, including special category data, in a classroom environment. From the reprimand it appears that an email alert from the school's safeguarding case management system was sent to a member of staff, who opened the email while their screen was being shared, so that it was displayed to others in the classroom via an electronic whiteboard. It also appears that there was a delay in reporting the breach internally.
After an investigation, the ICO found that the school had breached the UK GDPR's security principle, in that it had failed to prevent the unlawful disclosure of personal data. The school had also failed to implement appropriate technical and organisational measures to ensure that personal data is kept secure, as required by Article 32 UK GDPR.
In reaching these findings, the ICO found that the school did not have adequate:
- Data protection policies. The ICO stated that although the school had in place a data protection policy and a data breach response plan, neither policy gave any detail on when it was appropriate to open emails containing personal data.
- Policies covering the use of the school's safeguarding case management system.
- Written guidance for staff on the classification of emails. The ICO found that the school did not have any labelling or classification system to indicate that an email contained sensitive information.
- Procedures or guidance relating to when it is appropriate in the school day to open emails generated by the safeguarding case management system.
- Procedures or guidance in relation to the safe operating of electronic whiteboards especially when screen sharing.
The reprimand states that following the breach, the school took the following action to ensure such an incident would not occur again:
- The governor responsible for the strategic management of UK GDPR reviewed current practices and made recommendations to the governing body.
- Formal guidance was issued to all staff about how data breaches should be reported.
- Staff were instructed to only access email alerts from the safeguarding case management system before and after the school day.
- Governors are to be alerted to an incident as soon as it is reported to the Head.
- All staff and governors are to receive data protection refresher training.
- All staff to sign an electronic document to confirm they have read and understood the data protection policy.
Further Action Recommended
In addition to the remedial steps taken as detailed above, the ICO also recommended that the following steps be taken to improve data protection compliance:
- Consider refresher training on the operation of electronic whiteboards for all relevant employees. Emphasis should be given to the relevant steps for employees to take to avoid a personal data breach when operating an electronic whiteboard.
- Consider whether the written guidance the school has in relation to the use of its safeguarding case management system is sufficient and adequate to reduce the risk of a recurrence of a similar incident.
- Consideration should be given to refresher data protection training to all members of staff, as it was noted that both members of staff involved in the incident failed to report the breach. Emphasis should be given on the requirement to report a suspected or actual personal data breach.
- Satisfy itself that it has adequate technical and organisational measures in place to ensure the security and confidentiality of emails sent internally which include personal data, particularly when these contain sensitive or special category data.
- Policies and procedures should have prominent, sufficient and adequate practical guidance for employees in order to avoid a similar breach occurring again. This also needs to include regular reviews, and proactive work to increase staff awareness of these.
- Take steps to test all of the new processes introduced as a result of this incident and ensure they are embedded within the school.
Consequences of a Reprimand
A reprimand is issued by the ICO under Article 58(2) UK GDPR following an investigation in which the ICO considers that an organisation has not complied with the UK GDPR. Reprimands may be issued where the ICO has found a breach of the UK GDPR but considers the breach not serious enough to attract a fine. They are also commonly issued against public sector organisations as an alternative to a fine, which would have to be paid out of public funds.
In December 2022, the ICO announced that it would publish details of reprimands on its website. Therefore, despite avoiding a fine, organisations may now face additional scrutiny and reputational damage as a result of a reprimand being issued. An organisation may also find the reprimand being relied on as evidence in claims for compensation arising from the data breach.
This reprimand highlights the importance of having policies, procedures and guidance in place which reflect the activities members of staff actually take part in. Whilst in this case the ICO found that the member of staff did act in breach of the school's data protection policy and data breach response plan, it still criticised the school for the lack of practical guidance to support staff in complying with their obligations under data protection law.
A full copy of the reprimand is available to view on the ICO's website.
For more information contact Bethany Paliga in our Education department
via email or phone on 01254 222347.