ICO issues first fines for non-payment of data protection fee
From 25 May 2018, the Data Protection (Charges and Information) Regulations 2018 requires every organisation who processes personal information to pay a data protection fee to the ICO, unless they are exempt.
On 28 November 2018 the Information Commissioner's Office (ICO) announced that it had issued its first fines to organisations across the business services, construction and finance sectors for non-payment of the data protection fee.
This follows on from the ICO issuing 34 notices of intent in September 2018. Fees range from £40 to £2,900 depending on the size and turnover of the organisation and fines range from £400 to £4000. The fees were introduced under the Data Protection (Charges
and Information) Regulations 2018 (SI 2018/480)
Please ensure your school is registered with the ICO to avoid fines
Schools are already doing good work to safeguard learners while they are using ICT but this good practice and awareness is not always reflected in the way schools handle personal and sensitive information.
Personal data on learners, staff and other people is held by schools to help them conduct their day-to-day activities. Some of this data could be used by another person or criminal organisation to cause harm or distress to an individual. The loss of personal
data could result in adverse media coverage, and potentially damage the reputation of your school. This can make it more difficult for you to use technology to benefit learners.
The following guidance is based on information provided by the Information Commissioner’s Office (ICO) and CESG (Communications-Electronics Security Group, the Government’s national technical authority for information assurance).
What is the risk?
The risk associated with the loss of data depends on the data. The biggest risk is that the data may be accessed by someone who should not have access to it. Such inappropriate access may lead to embarrassment for the individual(s) whose data is lost, embarrassment
for the school and, in the worst case, child protection issues.
It is a legal requirement of the Data Protection Act 2018 to protect and secure personal data. The Information Commissioner’s Office (ICO) recommendsthat portable and mobile devices (including media [eg USB sticks, CDs]) used to store and transmit personal
information, the loss of which could cause damage or distress to individuals, should be protected using approved encryption software which is designed to guard against the compromise of information.
What data do I need to protect?
You should secure any personal data you hold about individuals and any data that is deemed sensitive or valuable to your organisation.
It is good practice to protectively mark personal data. This will help people handling it understand the need to keep it secure and to destroy it when it is no longer needed. This is especially important if personal data information is combined into a report
What is Encryption?
Encryption is the process of scrambling data so it can’t be read without supplying the appropriate electronic key or password to unscramble, or decrypt, the data.
The Information Commissioner’s Office (ICO) recommendsthat portable and mobile devices (including media) used to store and transmit personal information should be protected using encryption software.
Personal or sensitive data that is removed or accessed from outside an approved secure space should be encrypted. Examples of approved secure spaces include physically secure areas in schools, colleges, universities, local authorities and the premises of
Although recommended for protecting data in the UK, some countries ban the use, or severely regulate the import, export or use of, encryption technology. You should always check current restrictions before leaving the UK with encryption software or encrypted
What is personal data?
According to the Data Protection Act 2018:
“’Personal data’ means data which relate to a living individual who can be identified –
- From those data, or
- From those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,
And includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.”
In a school context this will include pupil and staff names, addresses, UPNs, SEN statements and any data in your Management Information System (eg SIMS).
What is protective marking and how do I apply it?
The HMG Security Policy recommends that the Government Protective Marking Scheme is used to indicate the sensitivity of data. The scheme is made up of five markings, which in descending order of sensitivity are: TOP SECRET, SECRET, CONFIDENTIAL,
RESTRICTED and PROTECT. Most learner or staff personal data that is used within educational institutions will come under the PROTECT or RESTRICTED classifications.
To ensure a uniform method of assessing the impact of potential compromises to the confidentiality, integrity or availability of information and information systems, and provide comparable levels of information protection when the data is shared, Business
Impact Levels tables have been devised. All data – electronic or on paper – should be labelled according to the protection it requires, based on these Impact Levels. Impact Levels 2 -6 correspond to the adjectival descriptions PROTECT to TOP SECRET.
The following table illustrates the assignation of Impact Levels for Distress to the Public.
|Impact Level 1
||Impact Level 2
||Impact Level 3
||Impact Level 4
||Impact Level 5
||Impact Level 6
|Not Protectively Marked
||Likely to cause embarrassment to an individual or organisation
||Likely to cause loss of reputation to an individual or organisation
||Likely to cause embarrassment or loss of reputation to many citizens or organisations
||Likely to cause long term (eg months) or permanent loss of reputation to many citizens or organisations
||Likely to cause major long term damage to the UK population
*Confidential, Secret and Top Secret are not applicable in a school setting
||Example Data Types
- Google search results
- BBC News
|IL2 – PROTECT
- General student data
- Learning platforms/portals
|IL3 – RESTRICTED
- School MIS (eg SIMS data)
- Teacher access to learning platform/portals
- Special educational needs
- Pupil characteristic
- Health records
|IL4 - CONFIDENTIAL
- National Pupil Database
- Looked-after children
- Witness protection
- SEN IL4 data elements
The person writing a document is responsible for applying the correct protective marking. They do this by clearly labelling each page of a document, normally in the footer, with the correct marking.
When protectively marking a document, it is recommended that a damage or ‘harm test’ is conducted to consider the likely impact if the asset were to be compromised and to help determine the correct level of marking required.
If applied correctly, the Protective Marking System will ensure that only genuinely sensitive material is safeguarded. Be aware that applying too high a protective marking can inhibit access and impair efficiency while applying too low a protective marking
may lead to damaging consequences and compromise of the data.
How do I use encryption to protect my laptop and USB memory stick?
Laptops, by their nature, are easily stolen or lost. It is easy for a thief or someone who finds your lost laptop to bypass the Windows password and access all the files on it unless it is encrypted. The same is true for your USB memory stick.
If you are carrying personal data on your laptop or USB stick then you have a legal obligation to protect that data. The easiest way to protect these systems is using encryption software.
Laptops can be encrypted using full disk encryption or file based encryption. The easiest solution is full disk encryption. This scrambles the entire contents of your laptops hard disk and any files you create or copy to it. With full disk encryption you
normally need to enter a password to decrypt (unscramble) the disk when you turn on the laptop, followed by your normal Windows password. Once you have logged in you will not notice any difference to the way the laptop operates. Any files that you copy to,
or create on, your laptop will be automatically encrypted. Files stay encrypted while ever they are on the laptop hard disk. If you copy a file to an unencrypted USB memory stick the copy of the file on the memory stick will not be encrypted.
There are two options for encrypting files on a USB memory stick. You can encrypt individual files or folders (file based encryption) or use a solution that encrypts the entire contents of the USB memory stick. Which you use may depend on how many files
you are storing, how often you use the memory stick and cost. The easiest, but most expensive option is to use a hardware encrypted USB stick. A cheaper alternative would be to use software encryption to scramble the whole USB memory stick, but this is more
difficult to set up. Tools such as Winzip or 7Zip can be used to encrypt individual files.
Is there a safe way to send data by email?
Email is not a secure way to transfer files. You do not know the route your email will take to get to the recipient (it may go all the way round the world to reach someone in the next street). Any email server your message passes through may store a copy
of your message and any attachments. It is advisable to use alternative secure mechanisms to transfer files.
If there are no suitable alternatives to using email then any personal or sensitive data is best sent as an encrypted attachment. This may mean writing your email as a Word document, encrypting the Word document and sending this as an email attachment. Word
files can be encrypted using tools such as WinZip or 7Zip. If sending encrypted attachments always use an alternative communication method, such as a text or phone call, to send the password for the encrypted file. This way, if the email is intercepted, the
person who intercepts the email does not have access to the password. This also protects your email should you accidentally send the email to the wrong person.
What else do I need to consider?
Social engineering and Phishing: Wikipedia describes social engineering and phishing as follows:
Social engineering is commonly understood to mean the art of manipulating people into performing actions or divulging confidential information. While it is similar to a confidence trick or simple fraud, the term typically applies to trickery or deception
for the purpose of information gathering, fraud, or computer system access; in most cases the attacker never comes face-to-face with the victims.
Phishing is a way of attempting to acquire information such as usernames, passwords, and credit card details by masquerading as a trustworthy entity in an electronic communication. Communications purporting to be from popular social web sites, auction sites,
online payment processors or IT administrators are commonly used to lure the unsuspecting public. Phishing is typically carried out by e-mail spoofing or instant messaging, and it often directs users to enter details at a fake website whose look and feel are almost
identical to the legitimate one.
Hoaxes, scams and chain letters: Hoaxes and scams do not normally carry viruses or ask you for personal information; instead they are designed to cause confusion, worry and inconvenience. They are often passed on by well-intentioned friends and colleagues.
It is good practice to verify the content of an email before forwarding it on. A good place to do this is http://www.hoax-slayer.com/
Physical security: You will already have secure reception areas in your school but do you have a robust process for cancelling lost swipe cards and passes? If you invite contractors or parents into staff only areas of your premises such as the staff room,
what information can they see displayed on whiteboards, noticeboards or left on printers. Sensitive paperwork should be kept in locked filing cabinets and shredded when it is no longer required.
Conversations: Be aware of who is around when you have a conversation. If you are on the telephone you should consider closing your office door, or moving to a more private place with your mobile phone if you are discussing anything of a sensitive nature.
IT disposal: It is good practice to securely wipe the hard disks of PCs and Laptops before they are sent for disposal or recycling. Deleting files, and even formatting the hard disk does not remove the file from the hard disk, it just hides it from Windows
and makes the disk space available to written to. Securely deleting the hard disk ensures that any sensitive files that may have been written any time during the lifetime of that computer are destroyed.
What standards should I look for when buying security products?
Antivirus solutions should be certified by ICSA (www.icsalabs.com).
A number of encryption solutions are available, some of which may be certified as CAPS (CESG Assisted Products Service), CCTM (CESG Claims Tested Mark) approved, FIPS (Federal Information Processing Standards) 140-2 compliant or have no formal certification.
Certified products have been independently evaluated to verify that they operate correctly and are robust. Ideally, organisations should use certified products where possible. The certification process, however, is expensive and time-consuming, so certified
solutions tend to be more expensive and respond more slowly to changes to operating systems or applications. Non-certified solutions can also provide effective data security.
Should conform to DIN 32 757 level 3 or higher. This means the shreds are at most 4mm wide and 80mm long. Most cross cut shredders are DIN 32 757 level 3 or higher.
Where can I find further information?
Advice on the Data Protection Act, the Freedom of Information Act and all related issues is provided by BMDC. Please contact
firstname.lastname@example.org or the BMDC legal team on 01274 432233
Get Safe Online is “a joint initiative between the Government, law enforcement, leading businesses and the public sector. Our aim is to provide computer users and small businesses with free, independent,
user-friendly advice that will allow them to use the internet confidently, safely and securely.” Their website can be found at http://www.getsafeonline.org/
The Information Commissioners Office (ICO) is the UK's independent public body set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals. Their website can be found here:
The ICO produce a clear guide to identifying data covered by the data protection act. The guide can be found here: http://www.ico.gov.uk/news/current_topics/what_is_personal_data.aspx
CESG protects the vital interests of the UK by providing policy and assistance on the security of communications and electronic data, working in partnership with industry and academia.
CESG are the UK Government's National Technical Authority for Information Assurance (IA). http://www.cesg.gov.uk