Opinion

Data breach solicitor: 'Why are there so many data breaches in the education sector?'

Richard Forrest at UK data breach solicitors, Hayes Connor, explores why the education sector is the second worst offender for data breaches in the UK.
Richard Forrest: 'Hackers are more likely to target educational and childcare settings over other institutions'

In our recent study of the ICO Security Report, we discovered that the education and childcare sector is the second worst offender for data breaches in the UK, accounting for almost 1 in 7 cases since 2019, making up 14 per cent of data breaches since the start of the ICO’s records.

Part of the 2018 GDPR regulations requires businesses to report a data breach within 72 hours. Failure to notify a breach when required to do so can result in a significant fine of up to £8.7m, or 2 per cent of your global turnover. Rather concerningly, in the education and childcare sector, 30 per cent of data breaches are taking longer than 72 hours to report. This is leaving our education system vulnerable to large fines.

The scale of the issue is rather alarming; in 2020 alone, the education sector was responsible for ‘884 million leaked records’. Back then, it was the third-worst affected sector, and since then the severity of the problem has only increased.

For the educational sector, data breaches have many adverse consequences. Schools may find themselves facing legal action, leading to financial losses along with reputational damage.

One of the biggest concerns is that the loss of pupils’ sensitive data could compromise safeguarding initiatives, putting students at risk, or potentially leaving their families vulnerable to phishing scams and/or identity theft.

The education and childcare sectors are likely to experience data breaches because these institutions handle sensitive information that other industries might not. This includes educational records, addresses, email addresses, and phone numbers.

The handling of sensitive information impacts the volume of data breaches in two ways. Firstly, our report shows that the number one cause of data breaches within the education sector was data being emailed to the incorrect recipient. The total number of these cases was 858. There were also 400 cases of phishing and 309 cases of loss/theft of paperwork left in insecure locations.

Incorrectly sent emails are common in many industries. However, in sectors that often deal with sensitive data, like education and healthcare, a mis-sent email is more likely to constitute a GDPR data breach.

Secondly, hackers are more likely to target educational and childcare settings over other institutions.

Other industries, such as the financial sector, also store plenty of sensitive information, which could be incredibly valuable to a cyber criminal. However, these institutions tend to have more robust security measures to protect their data.

Since the GDPR was introduced in 2018, schools and childcare settings have had increased accountability for how they collect, store, handle, protect, and share data. This increased accountability, combined with a lack of experience and understanding of data protection laws, can often lead to unintentional data breaches.

How can the sector prevent data breaches?

The public puts a lot of trust in industries such as the education sector, as well as health and Government, with the expectation that their data is going to be handled securely. With so many of these data breaches being caused by human error, it’s very clear that these industries are in dire need of data handling training, at the very least.

The educational and childcare sector could benefit from improving their cyber security practices. Doing so would allow them to protect the sensitive data that they handle, particularly when using digital and tech-based systems.

Providing training for staff could help educational institutions to reduce the number of data breaches caused by human error, including phishing attempts and non-cyber-related breaches. Equally, ensuring an in-depth understanding of the GDPR Data Protection Act should help to reduce missteps and errors.