France's CNIL Unveils Data Breach Guides for Schools
French privacy authority CNIL published two practical guides on data breaches for the education sector. One is aimed at school principals and administrative staff, the other at data protection officers.
Sign up for a free preview to unlock the rest of this article
Privacy Daily provides accurate coverage of newsworthy developments in data protection legislation, regulation, litigation, and enforcement for privacy professionals responsible for ensuring effective organizational data privacy compliance.
First- and second-level schools process a great amount of personal data, CNIL noted. That data can be the subject of breaches, and recent news shows that schools aren't immune from such incidents. First-level schools are defined as the first level of secondary education (ages 11-15); second-level schools are for pupils 15-18.
Over the past five years, however, CNIL said, it has been notified about some 30 data breaches annually in the first and second grades. That figure, however, doesn't reflect reality in educational institutions, it said.
Data breaches are underreported because it's not always clear what constitutes a breach, CNIL said. In addition, staff in schools sometimes ignore the approach they must take to data breaches; and the mitigation framework in the national education sector is complex.
The guides help define a personal data breach, what's required under the General Data Protection Regulation, and what schools should do based on the potential impact on data subjects and the volume and nature of the data processed.
The guides focus on five typical situations: theft or loss of hardware, such as computers and USB sticks; information sent to the wrong person; user manipulation errors; theft of passwords or identifiers; and cyberattacks or computer intrusions.
The guides offer concrete examples along with keys for analyzing the situation, CNIL said. They also detail actions that should be taken quickly and good practices to prevent recurrences.