The DPOs will take steps to ensure that all staff members from both parties are made aware of, and understand, what constitutes a data breach as part of their training.

Where a breach is likely to result in a risk to the rights and freedoms of individuals, the relevant supervisory authority, e.g. ICO, will be informed by the data processor as soon as possible.

The data processor will also notify the data controller as soon as possible.

All notifiable breaches will be reported to the relevant supervisory authority within 72 hours of the school becoming aware of it.

Any breaches will be fully investigated by the DPOs from both parties and security measures will be assessed and reviewed in relation to the investigation.

In the event that a breach is likely to result in a high risk to the rights and freedoms of an individual, the data controller will notify those concerned directly.

If the data controller and data processor agree that a breach is sufficiently serious, the public will be notified without undue delay.

The data controller and data processor understand that failure to report a breach when required to do so may result in a fine, as well as a fine for the breach itself.