Data Breach Response Plans for Schools: Are You Prepared?

When it comes to preventing data breaches in schools, a proactive approach is ideal.

But even the best laid plans can be circumvented, so what happens if a breach does occur? If you asked your staff what steps should be taken to minimise the impact of a breach would they all give the same answer?

Without a Data Breach Response Plan, you may be missing a key component in an otherwise strong privacy and security policy.

Keep reading for information on what constitutes a data breach and how to develop an action plan in the event a breach occurs. 

How to identify a notifiable data breach?

A data breach, as covered by the Notifiable Data Breach (NDB) scheme, occurs when personal information is lost or subjected to unauthorised access or disclosure and extends to:

• when personal information is accessed by someone who is not permitted to access it. 

• when personal information becomes accessible or visible to those that are not permitted access to it, either intentionally or unintentionally. 

• when a person or entity loses information that might result in unauthorised access from another person or entity. 

Based on these definitions, we aren’t just talking about breaches to digital systems, but also physical breaches.

For a school, a data breach could be anything from giving out student information to an unauthorised person over the phone, to losing a student's permission slip with their details on it. Both instances give unauthorised access to personal information that could have the potential to cause harm to the individual. 

Because it is so easy to lose or disclose paper based files, many schools are digitising their filing systems and replacing paper-based workflows to mitigate the risk of a potential breach. 

Time is of the essence

When a data breach occurs it can escalate very quickly, so it’s important to act fast and minimise the time between when the potential breach is identified, when key stakeholders are notified and when action is taken.

Your school’s actions within the first 24 hours could be the difference between the school being perceived as negligent or diligent and be a determining factor in how well you can mitigate costs and disruptions resulting from a breach. 

Privacy is paramount

It’s not always going to be your school’s database or system administrator that identifies a potential breach. As a result, it’s important that all staff have clear guidelines on who should be notified in the event a breach does occur.

This relates back to responding to breaches in a timely manner, but also helps prevent further breaches or vulnerabilities. Discussing a potential breach with the wrong person or a third party could constitute a breach in itself.

When is a Data Breach Notifiable?

According to the Office of the Australian Information Commissioner (OAIC), a breach is notifiable once it satisfies three criteria:

• Unauthorised loss, access or disclosure of personal information has occurred
• It is likely to result in serious harm to one or more individuals
• The entity (your school) has not been able to prevent the likely risk of harm with remedial action.

For more detailed descriptions of the above three criteria, refer to the OAIC website.

Once a data breach has been identified, the individuals at risk and the Commissioner must be notified as soon as possible.

What should a Data Breach Response Plan cover?

It is important for your school to have its own Data Breach Response Plan.

There are some simple things that you can do right away to boost your school’s data breach and privacy management strategies:

• First, define who the members of your school's data breach response team are. 
• Then, decide what action should be taken if a breach or potential breach occurs. 
• Consider when it should be escalated and who it should be escalated to.
• Lastly, make sure that all staff are informed of what to do in the event of a data breach.

For a more detailed set of things to consider, we’ve compiled a downloadable list.