UK: Schools reported for hack attacks and data breaches avoid ICO punishment
From the get-out-of-jail-free dept., Freddie Whittaker reports:
Dozens of schools that breached data protection rules have walked away without punishment, despite being reported to the information watchdog.
New figures obtained exclusively by Schools Week show that during the past school year the Information Commissioner’s Office (ICO) dealt with 66 reports of breaches by schools of the Data Protection Act 1998.
Almost half the reports related to information accidentally revealed, with five of the cases occurring at special schools. Twenty-four related to the loss or theft of data.
Read more on Schools Week.
Of course, K-12 schools here in the U.S. often don’t have to report breaches to federal or state agencies at all, and they never get any punishment from the U.S. Education Department. So if Whittaker is shocked by the situation in the U.K., he should be grateful that at least there’s some reporting to a central regulator in the U.K.
Of note, Whittaker’s report mentions another small-breach, big-potential-harm incident:
At the end of November, Greenland (sic) Primary School in east London accidentally revealed the names of seven pupils aged between nine and 11 believed to be at risk of radicalisation.
Can you imagine in the current political climate how that disclosure might impact those children and their families? I had missed that story, and it’s actually the Greenleaf Primary School. From media reports that I’ve now read, it seems that in response to a freedom of information request, Waltham Forest Council disclosed emails concerning a survey children took with their names redacted, but the data was “manipulated by a third party” to reveal or determine the children’s names.