REGULATORS ARE GETTING TOUGH
Reports from the Information Commissioner's Office (ICO) identified education as one of the sectors with the most reported incidents in Q3 of 2016 (along with health and general business), with reported incidents in the education sector rising by 40%. This isn't going unnoticed, and schools now need to ensure they comply with tougher regulations and standards in cybersecurity for safeguarding and data protection.
Keeping Children Safe in Education
The new Keeping Children Safe in Education (KCSIE) guideline came into force on 5th September 2016, putting further emphasis on the need for all education professionals to understand that safeguarding is everyone's responsibility. Each school needs to consider and review its safeguarding policies and procedures, particularly with respect to how it protects and maintains its duty of care amidst the growing online threats to each student's wellbeing. With the enhanced auditing requirements needed to meet KCSIE, schools now have to look much deeper into internet and social media traffic to identify children potentially at risk.
The Prevent Duty
In the summer of 2015, the UK government made Prevent (its full name is the Preventing Violent Extremism strand) a statutory duty for schools, childcare providers and further education establishments. Along with prisons, local authorities and NHS trusts, they are now under a legal obligation to “have due regard to the need to prevent people from being drawn into terrorism”. According to the government’s guidance, the day-to-day responsibilities of teachers and staff now include being able to spot children who might be vulnerable to radicalisation.
Schools are responsible for the security of credit card account data shared with them, whether it is entered through their online systems or received or stored by any other means. The standard to which they are held is the Payment Card Industry Data Security Standard (PCI-DSS). Meeting the PCI-DSS requirements matters for your school because it reduces the risk of credit card fraud and the hefty fines that can follow if the school is found to be out of compliance.
Under the terms of the UK Data Protection Act, all organisations that handle personal information about individuals have legal obligations to safeguard that data. All data kept on electronic media within educational institutions should be kept secure, encrypted and logged in order to keep track of any theft or loss. Where theft or loss does occur and encryption has not been applied, enforcement action may follow, including a fine of up to £500,000.
The GDPR is the European Commission's latest attempt to strengthen data protection for EU citizens, including controls on the export of their data outside the EU. With the demise of 'Safe Harbour', companies that export and handle the personal data of European citizens will also need to comply with the new requirements or risk a fine for a security breach of €20 million or 4% of global turnover, whichever is higher.
ACHIEVE & MAINTAIN COMPLIANCE
Navigating the growing compliance requirements can be difficult without expert help. The right balance needs to be found between effective security, detailed monitoring and respecting the privacy and personal lives of students.
Infosec Partners have helped schools and universities achieve and maintain compliance with standards such as PCI and ISO 27001, and helped them to understand what needs to be done to meet statutory requirements such as Prevent, KCSIE and the Data Protection Act. Contact Infosec Partners today to find out more.