A recent cyberattack on a software supplier used by Online SCR has resulted in a data breach affecting staff personal data at some schools and trusts.
If your setting uses Online SCR, you must act immediately to determine whether you are affected and to meet your legal obligations as a data controller.
What is Online SCR and who is affected?
- Online SCR provides Single Central Record services and recruitment checks (eg DBS) to schools and trusts.
- The breach occurred via a third‑party data processor used by Online SCR.
- Compromised data may include: names, addresses, QTS numbers, passport numbers and National Insurance numbers (higher‑risk data).
- Online SCR has been emailing affected clients with details of the breach.
- The email may have gone to your main contact, not your data protection officer (DPO), and may have been sent to individual schools within a trust.
Immediate actions for school and trust leaders
- Check if you use Online SCR:
  - if not, you are not affected
  - if yes, locate the email from Online SCR urgently.
- Identify the extent of the breach.
- Review the email carefully to see if your staff data is affected and to what extent.
- Pass the information to your DPO immediately. If you are a maintained school, your DPO will usually be the DPO for the local authority, and most trusts have appointed their own DPO to act across the trust. If you are in a multi-academy trust (MAT), coordinate internally and check with all schools in the MAT to ensure nothing is missed.
Consider ICO reporting
- If staff personal data has been compromised, it is highly likely you must report to the Information Commissioner’s Office (ICO). You can seek advice from your DPO about this if you’re unsure.
- The statutory deadline is 72 hours from when you received the breach notification.
Communicate with affected staff
- Decide what to tell them, when and what advice to give to reduce risk (eg monitoring accounts; being alert to identity theft).
- Tailor communications if different staff have been affected to different extents.
- Provide reassurance and outline steps being taken.
Guidance for individuals affected by the breach
If you have been told your personal data was compromised:
1. Confirm the details
- Check the official notification from your employer or Online SCR to understand:
  - What data was involved (eg name, address, NI number, passport details)
  - When the breach occurred
  - What steps the organisation is taking.
2. Be alert to scams and phishing
- Treat unexpected emails, texts or calls with caution – especially if they reference the breach.
- Do not click on links or give out personal information unless you are certain of the source.
- If in doubt, contact the organisation directly using official contact details, not those in the message.
3. Monitor your accounts
- Check bank statements, credit card bills, and online accounts for unusual activity.
- Consider signing up for a credit reference agency’s alert service.
4. Protect your identity
- If passport or driving licence details were involved, consider contacting the issuing authority for advice.
- If your National Insurance number was compromised, report it to HMRC if you suspect misuse.
5. Change and strengthen passwords
- Update passwords for any accounts that may be linked to the breached data.
- Use strong, unique passwords and enable multi‑factor authentication where possible.
6. Report suspicious activity
First published 12 September 2025