The GDPR principle of ‘accountability’ requires schools to demonstrate compliance with the regulation. Within this update we discuss what this means in practice.
The principle of 'accountability' has a significant impact on the management of IT systems and services when taken together with the obligations of Article 32, Security of Processing. Article 32 requires all organisations (including schools) to ensure a level of security appropriate to the risk, taking appropriate technical and organisational measures to ensure the following:
- Ongoing confidentiality, integrity, availability and resilience of IT systems
- The ability to restore the availability and access to IT systems in the event of a physical or technical incident
- Regular testing, assessment and evaluation of the measures used to manage and secure IT systems
In following the principle of ‘accountability’ your school needs to consider and document how the above requirements are evidenced. In the event of a personal data breach, it is likely that the supervisory authority will ask your school to evidence how it was compliant with the above.
In managing the IT services at your school there are a number of ways in which you can do this, such as:
- Documenting the configuration and set-up of your IT systems
- Having policies, processes and procedures that define the operational management of your IT systems
- Regular independent and objective checks that gauge the degree to which you are compliant
- Cyber security penetration and simulated phishing tests
- Alignment with codes of conduct and certifications (such as Cyber Essentials)
- Independent and objective assurance on IT projects and development
The Article 29 Working Party (Article 29 WP) ‘Guidelines on Personal data breach notification’ reinforce the applicability of the above methods, stating ‘one requirement of the GDPR is that, by using appropriate technical and organisational measures, personal data shall be processed in a manner to ensure the appropriate security of the personal data’ and, ‘the GDPR requires all appropriate technological protection and organisational measures to be in place’. The guidance sets out the following examples of Personal data breaches:
- Where the school's [controller's] database has been lost or stolen
- Where the school has identified possible unauthorised intrusion into its network
- Where data has been encrypted by ransomware
- Where personal data has been lost and there are no backups
- Where there has been significant disruption to IT services, such as a power failure or denial of service attack
- Where there is a lack of access to data that can have a significant impact on the rights and freedoms of natural persons
- Where there has been a loss of an unencrypted USB key with personal data stored
- Where an email is sent to multiple recipients in the ‘to’ or ‘cc’ fields, disclosing their addresses to one another
- Where paper documents have been lost or mislaid
In demonstrating the principle of ‘accountability’ the leadership team at your school needs to consider the risk of a breach in light of the Article 29 WP examples, and to have documented or put in place mitigating actions, such as the methods identified above.
When there is an instance of a possible personal data breach, the Article 29 WP make it clear that appropriate technological and organisational measures are used to establish the extent of the breach. Schools have a window of not more than 72 hours from identification of the breach to notifying the supervisory authority, unless the breach is unlikely to result in a risk to individuals' rights and freedoms. The notification must include an assessment of the extent of the breach and the plans to mitigate its impact. Access to IT technical, cyber security and data protection expertise is consequently time critical during the 72 hour window, and, if you have a nominated DPO, is something your school is deemed 'necessary' to provide. A key differentiator of 9ine's DPO Essentials service is the provision of a managed and coordinated response team for personal data breaches, with in-house IT technical, cyber security, safeguarding and data protection consultants on hand. This provides our schools with expert, objective and independent support in evaluating the impact of, and the contingent actions required for, personal data breaches (of which, given the definitions, there could be a great many).
With the summer term on the horizon your school should be considering the extent to which external assurance and support is required in complying with the regulation. The summer of 2018 will see a significant volume of engineering, configuration and replacement of IT systems. Under the principle of accountability there is a requirement to ensure this work is completed in line with the requirements of the regulation, including Article 32 and Article 25 (Data protection by design and by default). The regulation does not make these optional.
9ine support schools in the UK and internationally on how they can evidence the principle of ‘accountability’ within IT services, providing independent and objective support in compliance with the GDPR. We are currently scheduling technical assurance support for the summer and would be delighted to support the IT upgrade projects in your school for compliance with the GDPR.