Data breaches in schools: How should an academic institution report a security incident to comply with the GDPR?


Some recommendations for compliance with the EU’s data security regulation

As reported by information security and digital forensics specialists, all organizations that process personal data from residents of the European Community member countries must comply with the European Union’s General Data Protection Regulation (GDPR). The GDPR’s main mission is to unify data protection measures between EU member states and to ensure that citizens have better control over how these organizations manage their personal information.

As a result, the guidelines for processing personal data have become more stringent, which has been a burden for some companies, although few have been as affected as academic institutions. These organizations process considerable amounts of personal information, but most lack the human, financial, and technological resources needed to protect it.

The GDPR establishes that an organization must report certain types of security incidents to the competent authorities within 72 hours of becoming aware of the incident. Specialists in digital forensics consider this to be one of the most complex GDPR rules to follow in a real scenario, so here you’ll find some tips that any academic organization can follow in order to comply with these standards.

Let’s start from the beginning: what is a data breach?

The term ‘data breach’ is often used as a synonym for cyberattack. However, not all cyberattacks end in a data breach, and not all data breaches are the result of a cyberattack.

According to specialists in digital forensics from the International Institute of Cyber Security, a data breach occurs when the confidentiality, integrity or availability of information is compromised. This includes incidents of loss, alteration, corruption or public disclosure of confidential information, in addition to premeditated theft.

Examples of data breaches in schools include:

  • Unauthorized access: A pupil or unauthorized staff member may access confidential information because of weak security controls in a school
  • Deliberate or accidental action or omission: A staff member could dispose of a deprecated PC without wiping the hard drive. Another example is paper files that are dumped without being destroyed first
  • Accidental disclosure: An administrator could send an email containing a pupil’s personal data to the wrong recipient
  • Alteration: Someone could access a school’s payroll system and enter incorrect information

The GDPR dictates that a data breach must be notified only if it poses a risk to the rights and freedoms of the affected person. To assess this, consider whether the consequences of the data breach could lead to scenarios such as:

  1. Discrimination

This is relevant when the following information is compromised:

  • Information about a student’s special needs
  • Medical history of students or school staff
  • Child protection records
  • School payroll information
  • Information on students’ academic performance

  2. Identity theft or fraud

This is relevant when the following information is compromised:

  • Names, dates of birth and addresses
  • Complete student information records

  3. Economic losses

This is relevant when the following information is compromised:

  • Bank information, payroll data or recruitment forms
  • School payment software, billing information or bank accounts

  4. Moral damage

This is relevant when the following information is compromised:

  • Staff performance records
  • Student behavior records

  5. Loss of confidentiality

This is relevant when the following information is compromised:

  • Child protection records
  • Staff performance records

  6. Social disadvantages

This is relevant when the following information is compromised:

  • Payroll information
  • Information about students receiving scholarships or other support

Security incidents should also be reported whenever the compromised information includes data such as:

  • Racial or ethnic origin
  • Political, religious or philosophical affiliation
  • Trade union affiliation
  • Genetic and health data
  • Criminal records

Sensitive information can be found throughout the school’s entire computer infrastructure, as reported by specialists in digital forensics. By considering as many of these scenarios as possible, an organization will be closer to full compliance with this strict regulation.