Author: Matt McConville

GDPR Team

Ian Kyle

Director

Matt McConville

Senior Associate

Lee Wall

Associate

Damien Gill

Senior Associate

Joseph Waters

Solicitor

Data Breaches by Schools and Academies

Prime targets

Schools and Academies are unfortunately regularly responsible for the breach of personal information. By their very nature Schools and Academies hold a lot of personal information relating to their students, parents of their students, teachers and other staff members.

Schools and Academies can suffer cyber-attacks just like other organisations, tech savvy students themselves try (and often succeed) in assessing the personal information for other students i.e. student information is not kept on a separate secured drive which students cannot access and instead it is just stored on a general drive in a sub folder where anyone can access it. They can also send the wrong information to the wrong people/address.

Recent cases

Aspire Schools (an academy trust) in Buckinghamshire has recently been in the news in regards to a data breach incident. In July 2019 the academy trust sent two student assessment reports to the wrong parents. Whilst the trust advised the matter was dealt with at the time, at least one of the parents began a data breach claim against the trust. The current status/outcome of this claim is unknown.

Other data breaches by Schools and Academies include:

  • In February 2019 Raynsford Church of England Academy misplaced a class registers at the O2 in London. Thankfully on that occasion it appears O2 staff found and returned the register without any further data breach of pupil’s personal information.
  • Staff at Pioneer Academy inadvertently left personal information relating to pupils and staff (on a school trip) at the London Transport Museum.
  • A laptop and physical documents were stolen from the car of staff working for Estuaries Multi-Academy Trust.
  • Mayflower High School confirmed to another school that an employee was attending a job interview.
  • In December 2018, Chelsea Academy sent permanent exclusion packs to the wrong parents.
  • St Christopher’s C of E Primary Multi Academy Trust circulated the personal information of a pupil to all persons involved in a complaint.
  • At the 5 Dimensions Trust a student obtained the log-in details for a teachers Go4Schools account and published them of social media.

What can be done?

Is there anything Schools and Academies can do to stop breaches? Due to the sheer amount of personal information Schools and Academies hold and the various times they need to use or send this to parents and other authorities, they were never be able to completing stop data breaches occurring but like any other organisation there are steps they can take to reduce the risk of data breaches occurring.

Some of these include:

  • Staff Training on their personal data obligations
  • Use of electronic systems when away from the school or academy. E.g. using an electronic register instead of a paper copy.
  • Having another secretary or staff member checking reports/information sent out to parents. Another set of eyes checking the right report is going to the right parents/address always helps.
  • Password protected systems and devices – ensuring only the people who need to access certain information can access this information.

Been a victim?

Has a School or Academy breached your personal information or the personal information of your son or daughter? If you want to discuss any data breach incident further, please do not hesitate to contact one of our team.

Go back to all news

Can I claim?

This is a question you may be asking yourself if you feel that you are entitled to some form of compensation. Why not ask us the question instead?

We offer free initial advice with absolutely no financial risk for you with our no-win-no-fee promise.

Please fill in the form with some basic details and one of our staff will be in touch to follow up your enquiry.