With the increased number of cyberattacks against Academic institutions, we would like to remind you all to remain vigilant and to understand your legal obligations around notifications in the event of your organisation being targeted.
Under the GDPR, we, like yourselves, are considered to be a data controller with regards to learner data. This means that jointly, we have the same legal obligations around reporting potential security breaches, and more importantly, possible data breaches. In the event that either your organisation or ours experiences a cyberattack, we are both responsible for not just notifying the necessary authorities (ICO, NCSC, police, Ofqual etc) but we are obligated to notify each other.
Our approach to notifications will be to ensure that any potential cyberattack or breach of data on our systems will be communicated to the relevant authorities and yourselves as one of our centres. The reporting will inform you within the legal 72 hour notification period of the incident, as well as containing details of the steps we are undertaking to determine the cause, nature and potential impact of the cyberattack or breach. The communication will also indicate the primary contact in our organisation who will be the primary contact throughout the duration of the incident. We will shortly be confirming with your centre who your primary contact would be for these communications so that these are received by the correct person responsible for GDPR compliance.
We will require the same communications from you in the future so the correct primary contacts are always aware of and able to respond to any future incidents.