Cyber Security Requirements for 2020-2021 Funding Year

LRS data breach prompts update to security requirements!

Earlier this year the Learner Records Service (LRS) suffered a serious data breach via a training provider contracted through the ESFA, which allowed access to the data of 28 million children.

This was widely reported in the media, including the Times and FE Week, and the ICO is said to be investigating further.

On the back of this the ESFA “…have reviewed the requirements for data security in the Education and Skills Funding Agreements and will update them to support a progression route to the more robust controls.” as announced in the update on January 29 2020.

"For the 2020 to 2021 funding year, the requirement will be to meet the requirements for Cyber Essentials, with progression to Cyber Essentials Plus from the 2021 to 2022 funding year. The requirement for preparatory work towards ISO27001 will be introduced later and so does not need to be considered now."

I would expect the ESFA will now start to police this more effectively and run checks to ascertain that training providers do indeed hold Cyber Essentials certification as a minimum, even though it has been a policy of direct government contracts for years.


What is Cyber Essentials?

"Cyber Essentials is a simple but effective, Government backed scheme that will help you to protect your organisation, whatever its size, against a whole range of the most common cyber attacks."

From 1st April 2020 the IASME Consortium takes over delivery of the National Cyber Security Centre’s (NCSC) Cyber Essentials scheme, so you will need to make sure your certification body is part of the IASME Consortium.

There are two levels of certification, Cyber Essentials and Cyber Essentials Plus.

Cyber Essentials costs £300 + VAT, is a self-assessment, and is required for the 2020-2021 funding year.

Cyber Essentials Plus has additional costs to cover the technical audit of your systems that verifies the Cyber Essentials controls are in place ("As a rough estimate a Cyber Essentials Plus assessment for a small, simple company will cost in the region of £1,400"), and it is required for the 2021-2022 funding year.


Why Cyber Security Credentials?

Making sure your organisation is Cyber Essentials certified goes a long way to prove that you're serious about cyber security and have controls in place to protect your staff and learner data.

If you check your contracts you'll probably find this has already been a requirement for many years, so if you're not certified yet I'd make it a priority before the start of the new funding year!

Having Cyber Essentials certification will put you in a good mindset if and when ISO 27001 becomes mandatory. There have been discussions around this for a while, and even for a micro organisation the costs involved are prohibitive for many, as prices for the audit alone start from around £4,000!

There is also IASME Governance to consider, which covers both Cyber Essentials and GDPR and likewise offers self-assessment and audited options.


What Does GDPR Mean for Training Providers? - July Update!

Regardless of how small your company is, if you collect and store personal data you are in scope for GDPR compliance!

General Data Protection Regulation (GDPR)

Basically, personal data about your staff and your learners needs protecting, and to comply with the GDPR you must have a whole host of new policies and procedures in place.

GDPR has been ratified by the UK government, so as it stands it will be enforced regardless of Brexit.

If you haven't made a start by now there's no way you will become GDPR compliant by May 25th, but as the Information Commissioner says, don't panic!

"To small and micro businesses, clubs and associations who are not quite there, I say … don’t panic! As the new ICO Regulatory Action Policy, out for consultation very shortly, sets out, we pride ourselves on being a fair and proportionate regulator. That will continue under the GDPR. 25 May is not the end of anything, it is the beginning, and the important thing is to take concrete steps to implement your new responsibilities — to better protect customer data."

It's not going away. If you're yet to make a start, check out the 12 Steps to Take Now document to see what's in store.

Download the full General Data Protection Regulation (GDPR) to see just what changes are on the cards.


GDPR & ILRs

You should all be GDPR compliant, or at least working towards compliance as the ESFA are checking up!

As of 25th May 2018 your application/enrollment forms should now include the updated contact preferences fields, as set out in the ESFA's Appendix F - Privacy Notice.

The Learner Contact Preference Entity Definition is explained on pages 61-64 of the Specification of the Individualised Learner Record for 2018 to 2019 Version 3 documentation.

You should also check out the Education and Skills Funding Agency privacy notice: May 2018 page if you haven't done so already.


Questions You Should Be Asking!

• What data am I collecting?
• What is the lawful basis for me storing and processing this information?
• Where does it go and what happens to it?
• Do I share this information with anyone – are they GDPR compliant?
• Do I share the information with anyone outside the UK? Does the country it goes to have legal rules in place to comply?
• What's the information going to be used for?
• What do I tell the person when I collect the information?
• How have they actively shown that they agree to this?
• How long do I need to keep the information for?
• Why do I need to keep it as long as I do?
• Do I need to do anything to comply in these instances?


Six Core Principles

These six core principles of the GDPR are the basic foundations on which the regulation was constructed and what you need to deliver in order to comply.

1. Personal information shall be processed lawfully, fairly and in a transparent manner

Principle one in a nutshell is the concept of clear consent. In any situation where personal information is collected, it should have the clear consent of the data subject. Opt-in tick boxes are still allowed, but the regulation explicitly prohibits consent by non-action or opt-out boxes. You are non-compliant if you still offer an opt-out!

2. Personal information shall be collected for specified, explicit and legitimate purposes.

When you collect personal information, the purpose of its collection and why it is being processed must be explained to the data subject. Organisations will need to become much clearer with data subjects about what their personal information is going to be used for.

3. Personal information shall be adequate, relevant, and limited to what is necessary.

When collecting personal information, the data controller must only collect personal information that is absolutely required for the specified purpose. For example, when collecting personal information to send to the ESFA in an ILR, there is no basis for requiring my marital status.

4. Personal information shall be accurate and, where necessary, kept up-to-date.

As data controller you are obligated to ensure – to the best of your abilities – that the information collected is correct. The regulation is trying to address situations where processing incorrect personal information may cause distress or harm to data subjects.

5. Personal information shall be retained only for as long as necessary.

All personal information must now have an expiration date applied appropriate to its collected purpose. Indefinite retention isn't an option and will probably seriously upset the ICO!

6. Personal information shall be processed in an appropriate manner to maintain security.

This is the principle that has had a huge impact, as it requires data controllers and processors to ensure that their systems maintain the confidentiality, integrity and availability of data processing systems.


New ICO Fees for GDPR

The ICO's new fee structure takes effect on 25th May 2018; if you are already registered, the new fee will be required on renewal.

"The new structure was laid before Parliament on Tuesday 20 February as a Statutory Instrument and will come into effect on 25 May 2018, to coincide with the General Data Protection Regulation." (March's e-newsletter)


ESFA Privacy Notice

The ESFA will have to make updates to their privacy, consent and data protection policies as of 25th May.

The current ESFA privacy notice contains the following:

"Changes to this Privacy Notice

The ESFA may amend this Privacy Notice from time to time. If we make any substantial changes in the way we use your personal information we will make that information available by amending this notice."
