The ICO has recently published a reprimand for a multi academy trust.  The reprimand was issued in respect of Articles 5 (1) (f) and 32 (1) (b).  An unauthorised third party utilised compromised credentials to access and encrypt their systems.

1842 data subjects were affected by the incident and the ICO's investigation found the Trust did not have adequate account lockout or password policies in place.

Article 5(1)(f) which states:
“personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’)”.

Article 32(1) which states:
“taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of
processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.”

The Trust did not have appropriate technical measures in place to ensure the confidentiality and integrity of their systems.

The Trust did not have multi-factor authentication in place.

The Trust did not ensure that its employees had sufficient knowledge and understanding around the re-use of passwords.

The full reprimand can be read: Finham Park Multi Academy Trust Reprimand

We advise reviewing the DfE Cyber security standards for schools and colleges to ensure your school/trust has the appropriate technical measures in place.