if your school’s management information system server is infected with ransomware, you must notify the ico within…

If a school’s Management Information System server is infected with ransomware, the Information Commissioner's Office (ICO) must be notified within 72 hours of becoming aware of the breach. This is a legal requirement under data protection regulations such as the UK GDPR. The notification should be made without undue delay and must include details about the breach, the type of data affected, the number of individuals impacted, the likely consequences, and measures taken to address the breach. If it is unlikely that the breach poses a risk to individuals' rights and freedoms, notification may not be required, but a record of the breach and risk assessment must still be kept. Cooperation with law enforcement is also recommended in such cases.