Information watchdog issues reprimand to multi academy trust over alleged infringements of UK GDPR

The Information Commissioner’s Office (ICO) has reprimanded a multi academy trust after an unauthorised third party utilised “compromised credentials” to access and encrypt its systems.

The ICO’s investigation found that Finham Park Multi Academy Trust “did not have adequate account lockout or password policies in place”, and 1,843 UK data subjects were affected by the incident.

The reprimand was issued in respect of the following alleged infringements of the UK GDPR:

  • Article 5(1)(f) which states: “personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’)”.
  • Article 32(1) which states: “taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.”

The ICO said that the trust “did not have appropriate technical measures in place to ensure the confidentiality and integrity of their systems”.

Further, Finham Park did not have multi-factor authentication in place. The ICO noted: “Additional means of authentication serve to make unauthorised access more difficult and help to protect particularly sensitive personal data”.

Lastly, the investigation found that Finham Park did not ensure that its employees had “sufficient” knowledge and understanding around the re-use of passwords.

The report noted: “Had Finham Park educated its employees on password management more effectively, it is possible that this incident could have been avoided.”

The Commissioner said it welcomed the remedial steps taken by Finham Park in light of the incident.

The report revealed that the trust has since “restored its systems from backups, implemented multi-factor authentication (MFA) across the trust, and signed off a digital transformation project plan, which included credential monitoring”.

Finham Park Multi Academy Trust has been approached for comment.

Lottie Winson