
In her ongoing series on data, Helen Burge turns her attention to one of the most pressing risks facing schools today: data breaches.
In 2025 there have been several high-profile data breaches caused by ransomware attacks. These breaches have resulted in the theft of customer data, including names, email addresses and postal addresses, from Marks & Spencer, Co-Op and Pandora. It’s alarming that such companies, which likely have significant resources to protect themselves, have been affected on such a scale. You might think, “It won’t happen at my school, why would a hacker target us?”
However, the DfE’s Cyber Security Breaches Survey 2025 shows that 44% of primary schools and 60% of secondary schools have identified breaches or attacks in the last 12 months. There are likely hidden attacks and others that go unidentified, so these figures may be underestimates.
If you identify a data breach, whether it’s a misdirected email, a compromised system, or a lost device, how your school responds in the first 24 to 48 hours can make the difference between swift recovery within your data estate and reputational damage. For school business leaders, the responsibility is clear: act fast, act smart, and act in line with the law. This article outlines a practical, time-sensitive response plan to help you navigate the critical early hours of a data breach with confidence and control.
First 24 Hours: Contain, Assess and Escalate
Step 1. Identify and contain the breach
The moment a breach is suspected, containment is the priority. This means:
Isolating affected systems or accounts
Revoking access or resetting credentials
Securing physical assets (e.g. lost laptops or iPads)
Containment prevents further data loss and buys time for investigation.
Step 2. Notify the Data Protection Officer (DPO)
Your DPO should be informed as soon as possible. They will:
Advise on legal obligations
Support the investigation
Liaise with external bodies if needed
If your DPO is external, ensure contact details are readily available and response times are agreed in advance.
Step 3. Activate your Incident Response Plan
If your school has a data breach protocol, now’s the time to use it. This should include:
A clear chain of command
Roles and responsibilities for key staff
Communication procedures (internal and external)
If no formal plan exists, designate a lead (usually the Data Protection Officer or school business manager (SBM)) and convene a response team immediately.
Step 4. Assess the nature and scope
Gather facts quickly:
What type of data was involved? (e.g. pupil records, staff payroll, safeguarding notes)
How many individuals are affected?
Was the data encrypted or otherwise protected?
Is the breach ongoing?
Document everything. This initial assessment will inform your next steps and any reporting obligations.
Step 5. Decide whether to report to the ICO
Under UK GDPR, you must report a breach to the Information Commissioner’s Office (ICO) within 72 hours if it’s likely to result in a risk to individuals’ rights and freedoms. This includes:
Identity theft
Financial loss
Emotional distress
If you’re unsure, err on the side of caution and seek advice from your DPO or legal counsel.
24 – 48 Hours: Communicate, Mitigate and Document
Step 6. Notify affected individuals (if required)
If the breach poses a high risk to individuals, you must inform them without undue delay. Your notification should include:
A description of the breach
The type of data involved
Steps they can take to protect themselves
What the school is doing to mitigate the impact
Use clear, empathetic language and offer support channels (e.g. helpline, designated contact).
Step 7. Engage IT and cybersecurity support
Technical remediation may be needed to:
Patch vulnerabilities
Restore systems
Monitor for further threats
If you use external IT providers, ensure they are part of your breach response team and understand their contractual obligations.
Step 8. Update governors and trustees
Transparency is key. Provide a factual briefing to your governing body, covering:
Nature and scope of the breach
Immediate actions taken
Potential risks and mitigation
Next steps and timelines
This builds trust and ensures strategic oversight.
Step 9. Begin root cause analysis
Understanding how the breach occurred is essential for preventing recurrence. Consider:
Human error (e.g. misaddressed email, weak passwords)
System failure (e.g. outdated software, misconfigured access)
External attack (e.g. phishing, malware)
Document findings and begin drafting an internal report.
Beyond 48 Hours: Learn, Improve and Report
Step 10. Submit ICO report (if applicable)
If the breach is reportable, submit your notification via the ICO’s online portal within 72 hours. Include:
A description of the breach
Categories and approximate number of individuals affected
Likely consequences
Measures taken or planned
If you miss the deadline, explain why and submit as soon as possible.
Step 11. Review policies and training
Use the breach as a learning opportunity:
Update data protection policies and procedures
Deliver refresher training to staff
Review access controls and retention schedules
Consider a post-incident debrief with staff to reinforce good practice.
Step 12. Log and monitor
Maintain a breach log, even for non-reportable incidents. This should include:
Date and time of breach
Description and cause
Actions taken
Outcome and lessons learned
Regularly review the log to identify patterns and inform training.
A data breach is a test of your school’s resilience, governance and culture. While the first 48 hours are critical, the real value lies in how you respond over time – learning from the incident, strengthening controls and building a culture of accountability. School business leaders are uniquely positioned to lead this response. With the right preparation, clear protocols and a calm, coordinated approach, you can turn a crisis into a catalyst for improvement.