ICO reprimands Finham Park Multi Academy Trust following cyber-security breach

Education Article

07 December, 2023

Laura Rae
Solicitor

The Information Commissioner's Office (ICO) has recently announced its decision to reprimand Finham Park Multi Academy Trust (the MAT), after an unauthorised third party accessed and encrypted the MAT's systems.

Background

The MAT reported a cyber-security breach to the ICO following unauthorised access to its systems by a third party. It was identified that the third party used compromised log-in credentials to gain access to and encrypt the MAT's IT systems.

Prior to the incident, the MAT reported three similar incidents to the ICO, following which the ICO issued guidance to the MAT outlining the importance of implementing appropriate password policies and account management procedures. As part of its investigation into the MAT's most recent security breach, the ICO identified that it had failed to follow the guidance previously issued and therefore had not implemented appropriate technical and organisational measures to secure its systems. This failure to act was ultimately deemed an aggravating factor in the decision to reprimand the MAT.

Findings

Following its investigation, the ICO identified breaches of the following provisions of the UK GDPR:

  • Article 5(1)(f) - principle of integrity and confidentiality.
  • Article 32(1) - security of personal data.

In support of this decision, the ICO explained that the MAT did not have sufficient measures in place to ensure the confidentiality and integrity of its systems. For example, it had an inadequate account lockout policy, despite the advice of the National Cyber Security Centre, and had reversible password encryption enabled. In the ICO's view, addressing these weaknesses could have reduced the likelihood of an attack occurring.

Another influencing factor in the decision was that the MAT did not have multi-factor authentication (MFA) as part of its login procedures and that employees did not have sufficient knowledge and understanding regarding the re-use of passwords. Again, it was speculated by the ICO that had this training been effectively delivered, it was possible that the incident could have been avoided.

The reprimand

In providing its recommendations, the ICO acknowledged that the MAT had taken a number of remedial steps in light of the security breach, including the implementation of MAT-wide MFA, creation of a digital transformation project plan and IT system restoration.

Notwithstanding these actions, the ICO decided to issue a formal reprimand to the MAT in respect of the identified infringements of the UK GDPR.

Consequences of a Reprimand

A reprimand is issued by the ICO under Article 58(2) UK GDPR following an investigation where the ICO considers an organisation has not complied with the UK GDPR. They may be issued by the ICO where it has found a breach of the UK GDPR but the breach is not serious enough to attract a fine. They are also commonly issued against public sector organisations in the alternative to issuing a fine which would have to be paid for out of public funds.

From December 2022, the ICO announced it would publish details of reprimands on its website. Therefore, despite avoiding a fine, organisations may now face additional scrutiny and reputational damage as a result of a reprimand being issued. An organisation may also find the reprimand being used as evidence in claims for compensation for a data breach.

Conclusion

This reprimand reinforces the need for all schools to have robust IT security policies and procedures in place, given the sensitivity and large amount of data they hold. By having clear password policies and lockout procedures, schools should significantly reduce the likelihood of cyber-security incidents occurring, and they should also have a clear process for managing and mitigating the effects of these incidents when they do occur.

Alongside this, staff should be made aware of the importance of password security and regularly updating passwords, as part of regular data protection training.

This decision provides a clear indication to schools that reporting the issue to the ICO manages only one aspect of compliance. Should schools then fail to implement the guidance issued by the ICO as a result of a breach, the ICO will consider these actions as part of its approach to enforcement moving forwards.

For more information contact Laura Rae in our Education department via email or phone on 01772 220221. Alternatively send any question through to Forbes Solicitors via our online Contact Form.
