The Information Commissioner’s Office (ICO) is the UK’s independent authority set up to uphold data privacy for individuals. The ICO has a range of powers to take action against breaches of the 7th principle of the Data Protection Act, which is: “Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data”. Put more simply, it means that organisations must have appropriate security in place to prevent the personal data they hold being accidentally or deliberately compromised.
The ICO’s enforcement powers include issuing undertakings for corrective actions to be displayed on their website, fixed monetary penalties up to a value of £500,000 or even criminal prosecutions.
Over the past 2 years, the ICO has issued 12 such penalties for data security lapses to educational establishments. In addition to these, they’ve issued a number of warnings. Schools are particularly at risk due to the nature of the data they hold and the way in which teachers work. Teachers regularly take work home, and the data that schools hold is often of a personal nature relating to the students and school staff.
There are 3 ways in which schools can reduce the risk of falling foul of the ICO. They can ensure that devices containing personal data are safely encrypted, that data is regularly and safely backed up offsite in an encrypted format, and that their devices are regularly audited, patched and kept safely updated.
The recent ransomware attack on Kaseya, a cloud-based IT and security management services provider that supplies tech-management tools to customers worldwide, has the potential to be the most serious cyber-criminal incident this year.