Question
To ask the Secretary of State for Education, whether schools are required to inform her Department if their websites and servers are hacked.
Answered on
1 February 2017
Through the Edubase register, the Department for Education is aware of 19,885 schools with websites.
All schools, as independent public bodies, are directly responsible under the Data Protection Act 1998 for the collation, retention, storage and security of all information they produce and hold.
The Department provides guidance to schools on how to protect data including the key principles, obligations and duties in relation to the Data Protection Act. Schools are not required to notify the Department if their website or servers are hacked, but in the event of a suspected serious breach or loss of personal or private information, schools should report the incident to the Information Commissioner’s Office.