, ,

Head teacher fined for data protection breach after obtaining personal information about schoolchildren

personal details

A former headteacher has been fined. This comes after he took personal information about schoolchildren from his old school to his new one. The breach took place at two primary schools where he had worked previously. The violation revealed “large volumes of sensitive personal data” from his previous schools on his new school’s system.

What happened in this data protection breach?

A former headteacher downloaded personal information about his former pupils onto a USB stick. Next, he uploaded this data to servers at his new school. The information included:

  • Names
  • Unique pupil numbers
  • Pupil attainment and progress spreadsheets
  • Performance management data for staff.

The teacher (who was now a deputy head) was suspended from his role. This situation only came to light after an IT audit discovered the data protection breach.

What did the ICO decide?

The Information Commissioner’s Office (ICO), said that the teacher had no lawful reason to process the data. This means that he breached data protection legislation. Initially, the teacher had “no valid explanation” for how the data appeared on his school’s server. But he later admitted that he took the data for professional purposes.

Appearing before Ealing Magistrates’ Court, the teacher admitted two offences of unlawfully obtaining personal data. He was fined £700, ordered to pay costs of £364.08 and a victim surcharge of £35.

What did the ICO say about this breach of personal data?

Commenting on this data protection breach, Mike Shaw, manager of the ICO’s criminal investigation group, said:

“Children and their parents or guardians have the right to expect that their personal data is treated with respect and that their legal right to privacy is adhered to.

“A head teacher holds a position of standing in the community and with that position comes the added responsibility to carry out their role beyond reproach.

“The ICO will continue to take action against those who we find have abused their position of trust.”

Lessons learned following this personal data breach

This case should remind employees across all sectors of the risks data violations. Because if someone accesses or shares personal data without a valid reason, they could face criminal prosecution and fines.

Organisations also need to do more to protect personal data. This includes ensuring comprehensive data protection training is in place. And making sure employees understand the consequences of breaking the law.

Furthermore, organisations must ensure adequate and robust protections so that information is only accessed by those people who need it. There must also be a record of such access.

Helping to reduce the impact of educational personal data violations

The Data Protection Act exists to protect the privacy of individuals. In an educational context, this means students, their families, and staff.

However, many schools have struggled to keep up with changes in the rules covering the use of technology. And this could leave everyone vulnerable.

If an individual’s data is violated by an organisation they trusted to look after it, at Hayes Connor Solicitors, we help them to make a compensation claim.

If you or a member of your family has suffered damage or distress caused by a school, college or university breaching any part of the Data Protection Act, you have a right to claim compensation.

Not Just Hackers

There has been a worrying rise in reported data breaches across the UK education and childcare sector. Competing priorities and limited budgets make meeting data protection requirements challenging and this makes schools, universities and colleges an attractive target for hackers.

But, despite the threat posed by cybercriminals, human error remains the leading cause of data privacy violations.

At Hayes Connor, we want to reduce the number of data violations taking place across the UK. As such, we are sharing such real-life examples of data protection breaches.  In doing this, we hope to raise awareness of this issue. We also want to educate people to prevent similar instances from happening.

For more advice on how to keep your data safe, follow the Hayes Connor #NotJustHackers campaign on Twitter and Facebook.

Alternatively, if you have been the victim of a data breach, find out how we can help you to recover any losses. Or contact us to discuss your case in more depth.