The 9ine Blog

9ine helps thousands of school leaders and IT teams protect their stakeholders by publishing critical changes, updates and best practice blogs. 

Subscribe to 9ine's monthly newsletter, 9News to receive monthly blogs delivered right in to your inbox.



ICO Q4 Data Security Incident Report

After months of waiting, the GDPR is recognised into law across the EU. Within the UK this was through the Data Protection Act 2018 and in countries across the EU, through similar legislation. In countries outside the EU, the obligations of the GDPR are being transferred between organisations and business through updated contracts and data processing agreements. This means that no matter where you geographically located the GDPR will have an impact on you in some way.

For more information on how we can support your organisation see our DPO Essentials Service here.


Q4 data security incident report

Amongst other things, the GDPR with the associated data protection law puts in place obligations on organisations to reduce the risk of a personal data breach having a negative or otherwise impact on us as individuals. The ICO’s Q4 data security incident trend provides a useful snapshot on what organisations are at highest risk from (link at the end of this blog).


Education - in order of greatest number of identified breaches

  • Data sent by email to incorrect recipient
  • Loss/ theft of paperwork
  • Cyber incidents
  • Loss/ theft of unencrypted device
  • Data posted or faxed to incorrect recipient
  • Failure to redact data
  • Failure to use bcc when sending email
  • Data left in insecure location


Charitable and voluntary - in order of greatest number of identified breaches

  • Loss/ theft of paperwork
  • Data sent by email to incorrect recipient
  • Failure to redact data
  • Phishing
  • Cyber


During the quarter, the ICO saw an increase of 32% in reported incidents in the education and a 69% increase in the charitable and voluntary sector. This tells us there is greater awareness of what a data protection breach is and a motivation to report. This is all good news and a key success measure of evidencing compliance with data protection law.


The sector report tells us that user behaviour is the major source of breach - with hard copy documents more often than not responsible for the breach. The report evidences an increase in cyber incidents. Importantly the ICO have cyber as one of their top priorities for 2018/19 meaning organisations need to get to grips with cyber risks and vulnerabilities. Our expert in-house team of technical and cyber experts can help you in identifying where you are vulnerable to cyber attack, and when one occurs, be there to support you in minimising the damage.


In considering that personal data protection breaches are identifiable, and organisations have a greater responsibility to respond; what is your answer to the following questions?:

  • What is your level of readiness in being able to respond to a personal data breach?
  • How would you categorise the breach and what actions would you take?
  • What would happen if your organisation sent confidential information to the incorrect recipient?
  • What would you do in the event of a cyber security breach?
  • What would happen when a key member of IT becomes unavailable and the records of passwords to the systems are incorrect? [We had one such example last week and our cyber team were called upon to support]
  • How would you respond to an information rights breach when the DPO is on holiday, or the organisation closed for a period of time (E.g. school holidays)


Our data protection service desk provides organisations with a single point of contact in managing information rights requests and personal data protection breaches. If you don’t have the expertise in house, we certainly do.


Whether you’re looking for a long term partner to support audit and compliance, need emergency support to manage a breach, or advice and guidance on an information rights request, our data protection team are here to help.


To find out more about how we can support, see our page on DPO Essentials.


Or, if you have a data protection emergency, get in touch:

Want to know more? Please get in touch >>


Click here for more useful blogs


The full ICO Q4 report report can be read here