UK GDPR: Showing compliance

One of the few things which I felt was different between the old Data Protection Act 1998 and GDPR when it was introduced, was the need to be able to evidence compliance as part of the compliance process.   So, to be compliant you have to be able to provide evidence of compliance. 

So how to show compliance?

As we start a new academic year, I think it is therefore important to give some consideration as to how you can show compliance with UK GDPR, so I thought I would list some of the key evidence you should have.

Data Record Summaries

One of the key things about GDPR and personal data is knowing where the personal data is stored and/or processed, so one of the key methods of showing compliance is to have records of which data is where, along with appropriate classification of the data, who has access to it, its purpose and how it is processed. Now I know from personal experience this can be a very arduous job, however it is important to understand it can be carried out at different levels of detail, from full details down to the individual data fields, which is likely to be too detailed and time-consuming, to higher-level records focussing more on record types. It is therefore important to decide what level of detail you need. It may be acceptable to have a high-level central record while individual departments keep more detailed records at a more local, department level.

Retention periods

We also need to be able to show we have considered our retention period of different record types. Now the Department for Education provide minimum retention periods for some record types, however for others schools will need to make this decision for themselves. As such the evidence of compliance is then the retention policy or process plus the fact the current data stored matches this.

Policies

We can also evidence our compliance by having the appropriate policies in place, although really, it is less the policies that matter, and more that the school follows and complies with their own policies.  So, this can include a privacy policy, data protection policy, acceptable usage policy, data retention policy and information security policy.    I think, also there needs to be evidence in the form of policies or documented processes in relation to incident management and in relation to managing subject access requests or other data issues.

Are Data Protection and GDPR discussed?

This to me is the most important evidence. We can create our policies and other documents as a one-off task however data protection and compliance with UK GDPR is an ongoing process, as processes and systems change, as additional data is gathered, as the operating environment changes, etc. As such one of the key pieces of evidence is that data protection is often discussed. This can easily be seen in minutes of meetings, briefing documents, emails, incident and near miss logs, etc. Simply asking random staff some basic data protection questions, such as who they would report a suspected breach to, or what to look out for in phishing emails, will help you easily identify if data protection is taken seriously and therefore how likely it is that UK GDPR is complied with.

Conclusion

The above is not meant to be exhaustive detail as the reality of UK GDPR is that your approach should be appropriate for your organisation and for the data you store and process, and the methods you use to process such data.    As such I suspect no two schools will ever be the same, although they will certainly have many similarities.

If I was to make one suggestion it would be to ensure that you can show that data protection is part of the normal day to day processes.   There should be evidence of its general and regular discussion as if this is the case, if it is regularly raised and discussed, it is likely you are already well on your way to compliance.

GDPR; 2 Years on

Back in 2017 I wrote a post for UkEdChat in relation to GDPR (See the post here), prior to the introduction of the GDPR regulations in May 2018.   It is just over 3 years since that post, and almost 2 ½ years since GDPR came into force so I thought it would be a good time to revisit the post and share some of the things I have learned in relation to data protection and GDPR since then.

Subject Access Request

One of the key things I expected when I wrote my post in 2017 was a significant increase in Subject Access Requests.   For me this never really materialised.    What did materialise however, for the limited number of SARs received, was a more difficult and time-consuming process in trying to fully respond to requests.    Thankfully new tools such as the eDiscovery tools in Office 365 made this reasonably easy and convenient from an IT point of view but this didn’t alleviate the administrative challenges around the need to review and also redact data from that identified by the eDiscovery tool.

Evidencing compliance

One of the key things I have learned in relation to GDPR is the importance of evidencing compliance with the regulations.   Things will not always go to plan and when they don’t there is a need to prove that you have done all that is reasonably possible.   This means documenting processes, documenting incidents, even minor ones, and documenting discussions regarding the perceived risks and mitigation measures including the mitigation measures which have not been applied due to cost or operational impact.   You need to be able to prove that you have fully engaged with the legislation and made every reasonable attempt to comply.

Interpreting the rules

It is clear that the GDPR rules are not as clear as some people, and especially those selling GDPR goods and services, would make out; there is a need for interpretation within the context of your own school and any such interpretation needs to be documented. There is also an opportunity here to reach out to other schools similar to yours to see how they have dealt with certain situations, and how they have interpreted GDPR. Again, a key issue is the need to document any decisions or conclusions reached in your interpretation of GDPR.

Third Party Management

I mentioned Third Party management in my 2017 post and I believe my concerns have been proven. Third parties have shown themselves to be a source of cyber risk, with cyber criminals breaching third parties and then moving laterally into an associated school or other organisation. Third parties have also shown themselves as a risk where they themselves are used to process or store your school data, as a breach of the third party storing your data is your responsibility; you are the data controller. The key here is the need for due diligence and a privacy impact assessment before engaging with a third party, plus the routine review of these assessments and of third parties’ approach to data protection and to cyber security. We can’t truly control the third parties we engage or the criminals who may seek to breach them, but we can try and ensure they are as prepared as possible, and can ensure we can evidence that we have taken all reasonable measures should something go wrong.

Risk Management

This is my biggest learning point from the last 3 years, since my post in 2017. There are no 100% answers when it comes to cyber security and data protection. It is all about managing risk. Every action we take in terms of the setup of a system, the processes we use, the third parties, etc, all involve a business benefit or gain but also a risk. Nothing is without risk. As such we need to constantly be reviewing the risk and deciding what risk is acceptable and what is not. We need to examine the available mitigation measures and decide which will be implemented and which will not, with the latter often due to potential operational efficiency losses or simply down to cost. Above all, we need to document these considerations and the resulting decisions.

Conclusion

I am not sure GDPR changed things as much as I thought it might however it definitely did provide an opportunity to re-examine processes, systems, etc with a view to keeping data safe and secure.  This also provided a key opportunity to develop the all-important documentation in relation to processes and systems.    I think in 2017 I looked at GDPR as a piece of legislation and an end point in ensuring readiness for May 2018.    Looking back, I now see GDPR as more of an ongoing process which will never end.   GDPR is about ensuring we are doing all that is reasonably possible to safeguard the data trusted to our possession.

Cyber Security ROI

Investment in organisational cyber security is very much a preventative measure to hopefully prevent or reduce the likelihood of a cyber security incident.    This investment in reducing a probability is problematic.

The ideal is always that no cyber incidents, where a threat succeeds in having an impact on an organisation, occur, however as we project off into the future the likelihood of an incident can only increase in line with the unpredictability of future events. Entropy is clearly at play.

In the worst-case scenario, an incident happens and there is an impact on the organisation. In this case we know that our current solutions and the related investment have been insufficient. I note this is not to say that we need to spend more following an incident, although I suspect this will be the trend, more that what has been spent has not delivered the outcomes we wish and helped in preventing an incident. It may be that we need to spend on different things going forward, but the expenditure to date has been ineffective.

The issue with all of this is that our current setup is fine until it isn’t. We can be happy with our current investment until it is revealed that it is ineffective by an incident, but we don’t want this to occur. How do we therefore decide on an investment which is appropriate to the organisation, without waiting for incidents to prove what we have is ineffective? And at the same time how can we avoid spending excessive amounts on cyber security, which would therefore be drawing funds away from the organisation’s core business, assuming the core business isn’t cyber security itself?

I have always believed in taking a risk-based view. We need to first identify the risks which we believe exist, the likelihood they will occur and the impact they would have on the organisation should they happen. From this we can start to consider the amount of investment we might apply to mitigation measures, to cyber security, in relation to the risk. So, a risk with a potential impact of £500,000 which is considered low likelihood might merit a £10,000 investment annually but is unlikely to merit £400,000. If the risk impacts a business-critical system, it might merit more investment than a risk impacting on a low business value system.

The above isn’t a science sadly; there is no magic Return on Investment (ROI) formula. It is all based on subjective judgements hopefully based on experience and hopefully backed up by a third party to provide some level of assurance. It also isn’t easy. Whatever amount you invest there will always be a probability that in the future it will be proven to have been ineffective by a single breach. Those overseeing the cyber security must get it right all the time while the cyber criminals only need to get it right once. This is why I continue to believe in a “healthy paranoia”.

We need to be concerned, to be paranoid, and to be constantly reviewing the risks, our organisation, the available technologies and threat trends. We also need to be conscious that we cannot know the future with any certainty and can only predict based on what we know now. We need to communicate the decision-making processes and ensure these are understood. In the future our decisions from today may be proved to be wrong; that’s always easy to do in hindsight but at the moment of decision making and with the information available, a decision which seemed appropriate at the time was made. We need to balance our paranoia in the interest of our sanity and wellbeing. We need to accept that we won’t always get it right!

Return on investment on cyber security spends, in my view, will always be difficult.    If all goes well then everything runs smoothly and no cyber incident occurs but this doesn’t prove your investment.   The future incident may have been brilliantly prevented or more likely it just hasn’t happened yet.   Sadly, the only definitive proof is when things go wrong, when an incident proves that your spend on cyber security was ineffective.    This is the kind of proof you just don’t want to see.

So, for now I will continue with the difficult decision process in relation to cyber security investment.  That fine balance between cyber security and business operations/cost.

Availability Bias and the news

Watching the BBC news this morning, I saw a perfect example of the availability bias. A news anchor was pinning down a government representative as to Covid testing, stating that people had contacted the programme following issues they had booking a Covid test. The news anchor used these individual reports as proof of the problems related to getting a Covid test, even citing the specific details of one or two people.

Now I am not pretending that Covid testing is perfect or not in need of improvement but to use the available reports as proof of the failings of Covid testing seems to be a perfect example of availability bias. The raised issues, being readily available and readily coming to mind, become the proof without considering evidence which isn’t as readily available. Take for example those people who quickly and easily got a test; these people are unlikely to contact a news programme to report their satisfaction. Or maybe the number of people dissatisfied as a percentage of the number of tests, or the increasing volume of tests, or the testing regimes in Covid hotspot areas versus those in areas not so badly impacted. This data may be possible to gather, however it isn’t as readily available as a number of reported complaints.

This all reminds me of the story relating to WWII. Originally when looking at bomber planes they would reinforce the areas of planes which were regularly showing as damaged by anti-aircraft (AA) fire as these seemed to be the areas suffering regular hits. The idea was that by reinforcing these areas the chances of bombers returning would increase, however this didn’t happen. It was only when someone suggested they look at the areas which returning bombers never showed damage on that they made progress. The logic here being that the areas which bombers never showed damage on were often undamaged due to the fact that when these areas were hit by AA fire the bombers simply never returned; the damage was critical. These were the areas to focus on reinforcing. In this case, the easily available data, damage to aircraft, wasn’t as helpful as it at first appeared.

The issue for me with the BBC falling into the availability bias trap is that the BBC are meant to be the bastion of truth, and currently I believe more people than ever are regularly watching the morning or evening news.    That they would report in such a biased way, and therefore potentially propagate a biased viewpoint is concerning.   

As we often focus on social media bias and what Facebook, etc are doing, we maybe need to be careful not to take our eyes off what the old conventional news are doing.

Time to stop adjusting grades/grade boundaries?

If using an algorithm to adjust marks is unfair, as it has been deemed to be this year, then surely this practice must cease going forward.

The last few weeks have been filled with issues surrounding exam results. One of these was how the A-Level results were adjusted from centre assessed grades based on a statistical algorithm. This was deemed to be unfair as it penalised some students or groups of students more than others. The lack of equity was clearly evident due to the ability for schools to compare their centre assessed grades with the finally awarded grades. It was therefore evident how the statistical adjustment, carried out in the interests of keeping results generally in line with previous years’ results, impacted on individual students. The faces and lives of individual students could be attached to the grade adjustments. This was deemed unacceptable.

My worry here is that this statistical adjustment has always gone on. Normally students would sit exams with their resulting score undergoing adjustment in the form of changes in the grade boundaries. Again, this was done in the interests of keeping results generally in line with previous years’ results and again some groups of students would likely be penalised more than others. The grade boundaries changed due to the exam being deemed generally easier/harder. The focus on the difficulty of the exam meant that seldom did we associate resulting grade changes with individual students; we don’t generally attach faces to this change, yet some students would have received lesser grades than had the adjustment not been carried out, the same as happened this year. This seemed acceptable, and has been the way things have been done for decades, but I don’t see how this is any fairer than what happened this year.

Maybe following this year’s issues, we need to take another look at how we assess/measure students’ learning and achievement including the associated processes.

PowerBI and percentages

Was playing around with PowerBI the other day and found myself with a challenging situation. Basically, I had a number of records for events, however wanted to know what percentage of available slots were booked and which were free, plus wanted this to be displayed in a pie chart.

The issue I had is the only records I had for each day were for booked slots, and I didn’t want to try and pre-process the data to add in records for un-booked slots, although this would have been one method I could have used to solve the issue.

I needed a way to get to the percentage of a fixed number of slots booked.     The answer it turns out was to create a New Measure in PowerBI (Right click in the Fields window and select New Measure or use the Modelling menu and then select New Measure) and to use a little bit of DAX, something I hadn’t really used before, to calculate the required data.

So, the measure I used is shown below:

Booked = COUNTROWS(Data)/(DISTINCTCOUNT(Data[Resource])*50)

Data is the name of the table from which the info is coming while Resource is the attribute/field listing the various bookable resources. COUNTROWS(Data) gives me a count of the number of records subject to any filtering which might be applied by the user of the visual/page. By using DISTINCTCOUNT(Data[Resource]) I am only counting resources which have at least 1 booking. Each resource has 50 possible slots which can be booked, hence the multiplication by 50. This returns a value between 0 and 1 representing the percentage of slots booked.

In order to create my pie chart I also need to know the percentage of a resource which hasn’t been booked. This is easy as it is simply 1 minus the booked value so could be calculated as below:

NotBooked = 1 - (COUNTROWS(Data)/(DISTINCTCOUNT(Data[Resource])*50))

Now I can easily add the Booked and NotBooked measures to a pie chart and get my required chart like below:

I suspect this is me only starting to scratch the surface of what DAX might be capable of so I look forward to experimenting a little more with it in the coming months.
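As noted above, DISTINCTCOUNT(Data[Resource]) only counts resources with at least one booking, so a resource with no bookings under the current filter drops out of the denominator and the booked share is overstated. The following is an added example, not part of the original post: it assumes a hypothetical lookup table named Resources (one row per bookable resource, related one-to-many to Data[Resource]) and keeps the post's figure of 50 slots per resource.

```dax
Capacity =
    -- Total bookable slots across every resource in the hypothetical
    -- Resources table, whether or not it has any rows in Data.
    VAR SlotsPerResource = 50
    RETURN
        COUNTROWS ( Resources ) * SlotsPerResource

Booked =
    -- Booked rows respect whatever filters the visual/page applies to Data.
    -- DIVIDE returns the third argument (0) rather than infinity or an error
    -- when Capacity is zero or blank, e.g. a slicer that excludes every resource.
    DIVIDE ( COUNTROWS ( Data ), [Capacity], 0 )

NotBooked =
    -- Remainder of the pie; reuses the Booked measure instead of repeating it.
    1 - [Booked]
```

Each definition is entered as its own New Measure. With three resources of which only two have bookings, the post's denominator is 2 x 50 = 100 slots, while this version uses 3 x 50 = 150.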

GDPR and third party solutions

I have previously written about third party related cyber risk in relation to data protection and GDPR but I think it warrants a little bit of a further discussion.    To start I will state what I believe is the key message:

A third-party system in use by your school, such as a cloud hosted MIS or Learning Platform, doesn’t mean that data security and data protection isn’t your problem. It’s still your data and although the third party might be processing it for you, you are still the controller. You are still responsible for the data and for ensuring that adequate security measures are in place, and that you can prove that they are in place, or at least have received reasonable assurances to the fact they are in place.

There is also a second key point which I feel needs making in that cyber security and data protection decisions should always use a risk-based approach.    The approach and level of detail required in impact assessment for a learning tool where student emails are the only personal info and for a school management system containing name, address, medical, academic, pastoral and other personal data, are totally different.    The greater the risk the greater the time and effort required to ensure that an appropriate assessment and appropriate decision making has taken place.

So, let’s take two different scenarios and look at them.   The first scenario is a good old cloud hosted solution while the second is the one which is often overlooked, being a locally hosted solution using a third-party product.

A cloud hosted solution

I feel this is the more accepted and therefore easier of the two scenarios.   Here we have a school using a cloud hosted MIS for example.   The data is held on hardware outside the school on a third-party platform.    The school must therefore ask a number of questions relating to how the third party keeps data secure, how they will provide the data in the event the school requests it and how the data will be deleted should the school cease using the service, to list just a few.     Most of this info will be outlined in the terms and conditions or any contract which was signed so it is relatively easy to get the information.   There will also be questions related to how the third party tests its security through penetration and/or vulnerability testing as well as what their process is should a data breach occur.      I often ask vendors to confirm when their last penetration test took place and, in higher risk systems, ask them to provide a summary of findings.    The answers to the above questions will help the school to establish a view on the risk associated with the platform plus to document that appropriate consideration of cyber security and data protection has taken place.

A locally hosted solution

This is, I feel, the more difficult scenario. The third-party platform is hosted on the school’s own network and hardware and therefore the security of the platform can be directly impacted by configuration decisions of the school itself. The school therefore should ideally be conducting regular penetration testing to check the security of the infrastructure on which the third-party solution sits. The issue here is that some third parties at this point believe that the security of the data is therefore down to the school as they control the network and network setup. This is the kind of response I have received from a number of solutions vendors only recently. To a point they are correct but only to a point. The network should be constructed with “privacy by design” in mind such that it is developed with security always in mind, but the network infrastructure is only half the solution. The other half is the third-party software. It too should have been developed with “privacy by design” at the forefront of thinking and it is for schools to question whether this is the case. For me, this means asking questions in relation to how the company approaches checking their application for vulnerabilities. This ideally should involve a proactive search for vulnerabilities including the use of vulnerability assessment or through bug bounty programmes. There is also the acceptance that the finding of vulnerabilities should be treated as a “when” as opposed to an “if”. As such companies should be able to demonstrate that they have a plan in place for when a vulnerability is identified in their platform. This plan should involve notifying clients in a timely fashion. In relation to being timely I think it is important to consider the ICO’s requirement to potentially report data breaches within a 72 hour period, so it would be preferable that disclosure happens sooner, and ideally within 24hrs, rather than later.
It is this vulnerability notification process which I seem to often find to be particularly lacking in third party vendors supplying solutions to schools.

As schools take on more and more third-party solutions, and as more and more of these solutions are integrated and communicate with each other, the cyber security and data protection risk related to third parties only increases.    Schools therefore need to ensure that this is carefully considered and that they have taken all reasonable measures to ensure that their data and that of the students, staff and parents related to the school remain secure.    An easy starting point is therefore contacting third parties and asking some of the questions listed in this post.

Banning Office 365 in schools?

A German state has announced that it is banning the use of Office 365 in its schools citing GDPR reasons (read article here). The issue arose, according to the article in The Verge, following Microsoft closing their German data centre resulting in a potential risk where German personal data may be accessed by US Authorities.

My view on this is that there has been a certain amount of overreaction on the part of the German state when viewed as a GDPR related action. I can understand their concerns in relation to unauthorised access to data by US authorities. This would represent a GDPR risk, however it takes a very narrow view of the situation.

A broader view would include the implications for not using Office 365 to store data.   This means that schools are now storing their data locally on servers most likely within individual schools.   I would suggest that the ability of individual schools, school groups or local authorities to secure their local data including appropriate monitoring and patching of servers, etc is likely to be far short of what Microsoft provide in their data centres.  They are unlikely to have the resources, both technology and staffing, or the skills and experience.    As such removing one GDPR risk in relation to potential unauthorised access by US authorities has simply replaced it with another risk being a reduced level of security for data in each school.    I would suggest that the new risk is higher than the risk they have mitigated in banning Office 365.

In all this discussion there is a wider, more important, question: who has my data, including any telemetry data resulting from system usage? The answer is sadly that this is very difficult to identify. Every time we use an Android phone, do a Google search, order from Amazon, access Office 365 or do any manner of other things using Internet connected technologies, data is being generated and stored. It is also often shared and then combined with other datasets to create totally new datasets. Consent for data gathering is clear in very few sites/services. In most it is buried in detailed terms and conditions written in complex legalese. In some cases the terms and conditions are clearly excessive such as in the recently trending FaceApp where use of the app grants the company a perpetual license to display “user content and any name, username or likeness providing in connection with your user content” (see a related tweet here). Basically when you provide your photo to the app they can keep it and use it as they see fit from now until the end of time. There is also the use of tracking cookies as well, where I have a large number of websites seeking permission to use cookies but without any real details as to what data is being stored or why the data is needed.

It is the wider question for which I applaud the German state as they are helping to raise the question of data, how it is gathered, used and shared. The waters are incredibly murky when it comes to how the big IT companies, such as Google, Facebook and Microsoft, manage data. We all need to stop and examine this situation, however not as individual states or countries but on a global and societal level. As to Office 365 being a GDPR risk; I suppose it is but then again there are very few, if any, systems which do not represent some sort of risk and I doubt we are going to put down our phones, stop searching Google, buying from Amazon, etc.

GDPR Teddy bear?

GDPR discussions once again have hit the news, complete with the usual worry and panic. But what about GDPR in relation to Teddy Bears? Has anyone thought of that?

The recent announcement of the proposed fine of British Airways has once again re-ignited the GDPR related discussion. The fact that it was followed promptly by a further fine for the Marriott hotel chain just added fuel to the fire. I have once again seen a number of emails and posts on social media regarding GDPR support and consultation services and also GDPR “solutions”. This continues to worry me as the security and protection of organisational data is an ongoing process and not simply a task to be done and then revisited yearly or a product/service to be purchased. It also worries me that some schools or even other organisations may sign up to services seeking an answer, however will find that their purchase adds little value but at significant cost.

In relation to the lack of clarity and need for advice around GDPR, a couple of school based queries I have recently observed stick in my mind. One related to a teddy bear and diary which was passed around in class with young children taking it home and adding a note or drawing to the diary as to their time with the bear. The children were all around the 4-6 year old range. The bear would then be passed on, along with the diary, to the next child and so on as it circulated the class. The concern here was that each student’s drawings, comments or even photos were being passed on so did this mean that GDPR prevented the activity or required parental consent from each parent or similar.

Another query related to a class year book within a Year 4 class which would be produced from input from students and from photos gathered throughout the year.   The yearbook would then be shared with all students.   The concern here related to the use of names and photos in the yearbook and whether GDPR requirements prevented the activity or put specific requirements around the data which was allowed and/or permissions and consents which were needed.

In both cases I think the concerns around GDPR in relation to the planned activities are disproportionate. That said I think having the concerns and raising them and then recording decisions is excellent as it evidences that GDPR is taken seriously by the school and considered where there may be personal data involved. It is also important to note that I do not profess to be a GDPR expert and certainly couldn’t attest to how things might go in a court of law. I however doubt that lots of the so called “experts” to be found sharing their services could reliably predict the outcomes should such issues progress to their eventual final resolution in the courtroom.

In the case of the teddy bear, in my view, it would be anticipated that the parents already know the parents of other children in the class and their children. It is also reasonable to expect that it is unlikely that much of what is written or drawn by a 6 year old will constitute personal data. In addition parents will have control over any photos which they may work with their child to add to the diary. As such, having at least thought about GDPR, it is reasonable to assume little personal data if any is involved plus, where it is, parents will be providing content through choice and will be aware of how the diary will be shared, etc. To be totally clear and transparent it may however be worth outlining in a letter to parents the activity and how the diary will be shared, plus how parents can choose to contribute or not.

Where the year book is concerned there is likely to be a bit more personal data in that it will most likely contain the names of children. Again, like the teddy bear, you would expect students to know the other students in the class and therefore you would also anticipate parents of a pupil to know students and names through their own child. As an element of caution you might decide to only list forenames rather than full names, thereby minimising the data being shared. As it is a year book, the purpose of the data gathering and how it will be shared are clear. Once again a letter outlining the activity could be shared with parents, allowing them to exempt their child from inclusion; however, other than this, I believe the act of at least considering potential GDPR implications would suffice.

For me, one of the key aspects of GDPR which isn’t discussed as often as it should be is the actual act of stopping and considering data protection. To actually stop and consider what data is being processed, what the risk level is if this data is leaked or otherwise breached, how permission or another lawful basis for processing was arrived at, etc., is a key part of GDPR. This is the part that relates to demonstrating compliance, in that it shows GDPR has been thought about and decisions taken. From here, in my view, it is a risk-based decision.

In both of the examples I cited, the teddy bear and the year book, the anticipated risk is low, so the act of giving it thought and taking a decision should suffice. There is no need in these cases to get hugely concerned and spend massive amounts of time and effort. This would be disproportionate to the risk level. I would suggest that simple common sense in these cases should suffice.

Where, however, the data involved is more extensive, where the data is shared with third parties and where the risk of harm or distress is greater, a more extensive level of consideration is required.

So, in conclusion, don’t panic!   In most cases, where risk is low, make sure you have stopped and considered GDPR and data protection, and make sure that such consideration is documented even if only in an email or in minutes of meetings.   If however the risk of harm or distress is high then make sure more comprehensive consideration has been given.


Stream Transcripts (Updated)

It was recently brought to my attention that the transcript files in Stream had changed and therefore the code I previously created for extracting the text from these files no longer works (You can read my original posting and code here). As such I had another look and updated the code so that it would work with the new format.

The issue was that the new format includes additional lines of data which I needed to strip out, and it also supports both double and single line groups of text. It didn’t take too long to write a new macro which would support this new format.

You can see the new Macro code below:

Sub Macro1()

    ' Long rather than Integer so that sheets with more than 32,767 rows do not overflow
    Dim introw As Long
    Dim intcount As Long

    ' Delete the first 5 rows (the loop below removes a further 5 before the first block of text)
    For intcount = 1 To 5
        Rows(1).EntireRow.Delete
    Next

    introw = 1
    Do While Cells(introw + 1, 1).Value <> ""

        ' Delete the five rows preceding the text
        For intcount = 1 To 5
            Rows(introw).EntireRow.Delete
        Next

        ' Deal with blocks of 2 or 1 line of text
        If Cells(introw + 3, 1).Value <> "" Then
            introw = introw + 2
        Else
            introw = introw + 1
        End If

    Loop

End Sub

If using the above, take care with the way that WordPress converts the minus ( – ) character in my code to a similar-looking character in the above. As such you may get a syntax error if copying and pasting. If so, just delete and replace the minus with the correct character in your code. If you have any other issues with the above, please let me know.