ICO publish data security trends

The ICO regularly publishes key insights into data security incident trends and these findings can support organisations with their data protection and handling, ensuring that they are aware of what to look for and can take the correct action where necessary. When organisations do not have “appropriate technical or organisational measures” to protect personal data, a data security incident can occur.

Data security trends for Q4 2022

In Q4 2022 the ICO received 2,265 reported data security incidents which was a decrease of 5% compared to Q4 2021, which saw 2,395 incidents being reported.

Surprisingly 75% of these incidents were non-cyber related incidents. A non-cyber breach is defined by the ICO as a type of breach that does not have a clear online or technological element which involves a third party with malicious intent. For example, incidents involving paper filing systems or information accidentally emailed to the wrong recipient.

According to the report the most common type of data breach being reported was accidentally sending an email to the wrong recipient. This type of data breach made up 19% of incidents reported in Q4 2022.

The largest incident increases reported between Q4 2021 and Q4 2022 were:

• Denial of service, which saw a 200% increase in incidents reported. Denial of service occurs when a network or server, such as a website, is maliciously flooded with manufactured traffic – to either cause it to fail or flood it with so much traffic that legitimate users can’t access it.
• Malware, which saw a 100% increase in incidents reported. ‘Malware’ or ‘malicious software’ incidents can take a variety of forms including hostile or intrusive software including computer viruses, Trojan horses, spyware, etc.

What can schools do to avoid a data breach occurring?

In Q4 2022 the education and childcare sector made up 15% of all reported data breaches – a total of 1,323 reports. It is therefore important that schools have sufficient technical and organisational measures in place to ensure that they process personal data securely. Schools should consider such measures as:

• Encryption (only authorised users can access it)
• Password protection
• Multi-factor authentication
• Installation of anti-virus and malware protection
• Secure Wi-Fi connection.

That said, although these measures can protect schools against cyber related attacks non-cyber related incidents made up the significant majority of the reported incidents (84%) within the education and childcare sector. When considering the types of incidents reported it’s clear that many of the breaches can be attributed to human error.

• Emailing data to the incorrect recipient 20%
• Faxing or posting data to incorrect recipient 5%
• Failure to redact 4%
• Loss/theft of paperwork or data left in insecure location 7%.

The ICO’s top tips to avoid common data breaches include double checking email addresses before sending, disabling autofill in email settings, sending passwords to protected documents in separate emails and using strong passwords (amongst others).

It’s important that schools have appropriate training in place so that staff are able to recognise a security incident or personal data breach and that all staff know how to escalate an incident promptly and to the appropriate person to determine whether a breach has occurred. This should be covered in a school’s data protection policy which should clearly set out the procedure for promptly reporting a data security breach both internally within the school and externally to the ICO where required.

Lessons should be learned from personal data breaches and actions should be taken and documented in this regard. This is usually found in a school’s personal data breach log which should include actual personal data breaches as well as near misses.