Agenda item

Outcome of the Information Commissioner's Office Investigation into the Cyber Incident 2021

To present the report of the Director of Education, Skills and Young People.

Minutes:

The report of the Director of Education, Skills and Young People, which provided an overview of the Information Commissioner’s Office’s (ICO) investigation into the cyber incident at the Council’s secondary schools in 2021, was presented for the Committee’s consideration. The report also provided an overview of the actions taken by the Schools Data Protection Officer and the Council’s ICT Service in forming an internal work programme to address the technical and information governance elements that were found to be deficient.

Points of discussion by the Committee –


·      The percentage of headteachers, school staff and governors who have attended data protection training identified as an action in the internal work programme.

·      The constraint on schools as regards the deployment of applications/programmes and whether there should be a list of approved applications.

·      The effectiveness of Windows security and the challenges involved in upgrading systems in schools to new operating systems.

·      Some concern was expressed regarding the time lapse between reporting the incident to the ICO in June 2021 and being informed of the outcome of the ICO’s investigation into the incident in August 2023, and consequently the value of the ICO’s report when the Council had already identified what needed to be adopted and improved and had implemented a plan of action.

·      Given that the cause of the suspicious traffic on secondary school e-mail servers at the root of the incident had not been identified, whether an assessment was subsequently made of the kind of data that was at risk or could have been compromised.

·      Whether there were any deficiencies in the audit process in not identifying the weaknesses, given the nature of the incident.

·      Whether it has to be recognised that seeking 100% protection can lead to over-complexity and that the focus should be on keeping key data safe.


In response to the points raised the Committee was advised as follows –


·      That all schools have received data protection training and that a breakdown of attendance could be provided if required. Having supported schools to put in place data protection policies, the Schools Data Protection Officer’s annual visits to schools involve ensuring and overseeing compliance.

·      That following the incident an assessment of the security of programmes/applications was conducted and a list of assessed applications compiled resulting in a collection of common applications across schools. It is a compromise between assessing the security risk of software and educational/classroom needs and a piece of work is being undertaken to establish how that compromise can be modelled and risks identified.

·      That Windows security is considered sufficient as part of a broader package and programme of security features. The IT Team Manager explained the issues and options involved in upgrading operating systems and confirmed that corporately the transition to Windows 11 has begun and that the upgrade is taking place in schools as part of the Welsh Government HWB programme. Assurance was provided that plans are in place for the upgrading and/or replacement of digital equipment/hardware/devices in schools as those near the end of their operating life, so that the Council is not left unprepared.

·      That the decision to report to the ICO was made on the basis of the sensitivity of the dataset and the likelihood of external threat activity. The ICO later advised the schools to report independently of the Council.

·      That, however, the resulting remedial actions taken by the Council with regard to digital security and information governance were considered acceptable to the ICO and no further action was taken. The IT Team Manager referred to technical issues around data generation, configuration of systems, and verification of data on schools’ systems, how these fit in with the Welsh Government’s HWB programme at national level, and discussion around the establishment of a Security Operations Centre.

·      That ongoing communication with schools had been a priority, with schools sharing information with parents through their own channels at what was a challenging time given the imminence of the school summer holidays.

·      The Head of Audit and Risk advised that a vulnerability and patch management audit had been undertaken at around the time of the incident as part of programmed audit work. The Council’s IT auditors were able to confirm to the ICO that the recommendations of the audit had been implemented and that the vulnerability and patch management programme had been addressed, thereby providing independent assurance.

·      That there may be an opportunity to carry out an assessment of activities and types of data that are less sensitive and to adapt approaches accordingly, having regard to the compromise between the risks involved and what is practical.


It was resolved to accept the following –


·      The report of the Schools Data Protection Officer providing an overview of the outcome of the ICO’s investigation into the incident.

·      The actions identified and completed via the internal work programme.

