Data Protection in Schools: If schools don’t pay, the children might

Educational backup, as we noted in a recent guide, is one of the most highly regulated areas of schools IT, with the Government’s Schools Financial Value Standard (SFVS) imposing strict daily backup requirements.

And there’s good reason for this stringency, as data loss from a UK schools database can seriously harm the school’s operational viability if it can’t be recovered.

But make the wrong choice of backup method and the school could end up not only struggling to access and restore its backed up data, but exposing personally identifiable information about its most vulnerable members – its pupils.

Here’s a flavour of the issues – and what’s at stake.

Schoolboy error, hardware failure, ransomware – and more

Simple user mistakes (“I blitzed the wrong folder!”) can wipe out swathes of school data. Hardware failure can take a machine down and the data with it. Fire or flood can take the school down and the machines and the data with it. And ransomware can imprison essential or sensitive data to force you to pay to get it back.

If you think it’ll never happen to your school database, think again.

The Academy in Selsey lost 80% of its data to a fire in August 2016. Sensitive student data was hacked and breached at the University of Greenwich in the same year.

In the US, Brigham Young University suffered a major hardware failure that prevented students from accessing data in its online learning platform.

And St Thomas à Becket School in Wakefield had to temporarily shut down in October 2019 after a ransomware attack “disabled all their systems.”

The fact of the matter is that school data is both a liability and a target – and the need to get it back quickly is no longer an if for schools, but a when.

Backup that must try harder!

What all the scenarios above have in common is that they can either be entirely catastrophic or entirely surmountable, depending on whether and how the data is backed up and recoverable.

But there’s a lesson to be learnt in that “how”. For example, it’s obvious that traditional tape backup is cumbersome, slow and unreliable, but the market is awash with free online backup solutions, so why not just opt for one of those?

In fact, there are serious question marks over these services’ suitability for the task, just a few of these being:

  • How secure is your data? Are the data centres used by the service fully encrypted and ISO 27001- / 9001-certified, enabling schools to comply with the latest legislation and guidelines? Explaining to the ICO how a cheap USA backup got hacked and let children’s personal data out onto the internet wouldn’t be fun.
  • Where do they originate? Is the support team even in your timezone? And can you trust a backup service based, for example, in the US to comply with UK and European security and data privacy laws, including GDPR?
  • How easy are they to use – really? The right balance between automation and ease of use is essential. Like any solution, if backup isn’t simple to use, people just won’t use it – and the school could then be deemed to have taken insufficient action to guarantee compliance with SFVS obligations.
  • How long does it take to get back what you’ve lost – and start using it again? Free online data backup services only make recovered data available to work on once the entire data set has downloaded – a period of hours or even days that can cause a mammoth knock-on delay to the school’s return to normality.


In short, whilst it’s perhaps understandable that budget-conscious school Heads and Governors, who are not IT or data specialists, like the sound of a cheap USA consumer backup over a business-grade UK service, it’s cheap for a reason – which is quite simply that it isn’t offering the critical protection that, in this day and age, data requires. In fact, it might as well not be there at all.

Would a school get away with not having (similarly critical) buildings and contents insurance, and simply hoping that there isn’t a fire or a flood? After all, they’d save a few pounds every month. Until, that is, the worst happens.

In fact, when it comes to data, at least, tightening the budget makes for a softer target, and renders the outcome of an attack even more damaging. Hackers are well aware that many schools are ill-equipped to deal with cyber incidents, and the sensitive data schools hold is particularly lucrative on the Dark Web.

And with Boris Johnson, at the time of writing, promising new powers and an extra £10 million to Ofsted, there will potentially be a lot more scope to take punitive action against schools whose poor backup causes them to, say, lose unencrypted data, or get hit by the estimated £8000 per machine ‘bounty’ typically demanded by a ransomware attacker!

Heads – and particularly Heads’ heads – could roll.

Data backup: essential learnings

Consider this: if your school were offered insurance for free, would you trust that insurance? If your school were offered public liability protection for free, would you trust it? If your school were offered professional indemnity for free, would you trust it?

Why, then, would you trust a freebie that purports to protect data for everything and everyone a school holds dear, always and forever? Would that be a credible position to have in a breach investigation, when that critical cover has in fact failed to do its job?

Answer to be handed in before the bell, please.