From the desk of Richard Lewis-Ogden –  Data Protection Officer – Bywater Kent Support Services  Ltd.

Date: 9^th September 2025

What’s happened?

Online SCR – a system used by many schools and trusts to manage Single Central Records and recruitment checks – has suffered a cyberattack via one of its contracted suppliers.

As a result, personal staff data has been compromised at several schools and trusts. The type of data varies, but may include:

• Names and addresses
• QTS numbers
• National Insurance numbers
• Passport numbers

Why this matters

• Online SCR has been emailing affected schools – but with the holiday period and DPOs on leave, some emails may not yet have been read.
• As the Data Controller, your school or trust is responsible for ICO reporting and staff communication.

What you need to do this week

✅ Check your inboxes (including headteacher, admin and HR contacts) for an email from Online SCR.
✅ Confirm whether your staff data has been compromised.
✅ Inform your DPO immediately.
✅ If affected, prepare to report to the ICO within 72 hours of receiving the notification.
✅ Plan communications with affected staff – content may need to vary depending on which data has been exposed.

Support from BK Ltd.

We are:

• Assisting schools with ICO reports.
• Helping draft communications to staff.
• Liaising with Online SCR on behalf of clients.

Next steps for all schools (affected or not)

• Review your Data Protection Impact Assessment (DPIA) for Online SCR or similar providers.
• Ensure contracts with third-party processors cover cybersecurity, indemnities, and liability.
• If no DPIA was carried out at the time of purchase, schedule one after managing this breach.

📞 Contact us immediately if you think you may be affected.
Bywater Kent Support Services Ltd. Data Protection Officer DPO@bywaterkent.co.uk