School Data Breach Compensation Claims Guide – How Much Compensation Can I Claim? – Amounts For School Data Breach
How To Claim For Data Protection Breaches In Schools
By Mark Ainsdale. Last Updated 25th August 2021. Welcome to our guide to school data breach claims that spotlights a Brechin High School data breach. Schools and educational institutions handle a large amount of personal data. Some of this data may relate to staff and some to students, past and present. Some of this information is sensitive, especially when it relates to medical information, for example.
No matter how sensitive the personal data a school collects, stores and processes, it must abide by data protection law. Unfortunately, however, things can go wrong, and if you or your child has fallen victim to a school data breach, you could be eligible to claim compensation. We have created this guide to help you understand how to go about making a data breach compensation claim against a school, and how we could provide legal assistance to you.
In the sections below, we give some examples of data breaches in schools and explain what happens if a school breaches GDPR. We also take a look at when you should report a breach to the school’s data protection officer (DPO) and what kind of data breach compensation you could be eligible to claim.
Further to this, we offer insight into how a data breach lawyer from Legal Expert could help you. If you have any questions about a personal data breach claim, or you’re ready to get started and would like a lawyer to help you, please call our team on 0800 073 8804. We will be happy to help you and to advise you on how to claim. We could even check your eligibility to claim, free of charge.
Select A Section
- A Guide To School Data Breach Compensation Claims
- What Are Data Protection Breaches In Schools?
- Data Protection And GDPR Requirements For Schools
- What Is An Example Of A School Data Breach?
- Which Schools Have Been Impacted By Data Breaches?
- What Happens If A School Breaches GDPR?
- How Long Does A School Have To Decide If A Data Breach Needs To Be Referred To The ICO?
- Should I Report A School To The Information Commissioner?
- How To Sue For Data Protection Breaches In Schools
- What Compensation Could You Be Awarded For A School Data Breach?
- School Data Breach Compensation Calculator
- No Win No Fee School Data Breach Compensation Claims
- Start Your School Data Breach Claim
- Extra Resources On Education Data Protection Breaches
- Cyber Security Trends And Statistics
- Frequently Asked Questions
Whether you’re a parent whose child has been the victim of a school data breach or your personal data has been breached as an employee of a school, you may be wondering if you could claim data breach compensation. After all, a breach of your or your child’s data could have a number of unwelcome consequences.
This guide aims to inform you of your rights when it comes to data protection breaches in schools and will give you some insight into claiming the compensation you deserve.
The following sections offer a wealth of information on how a breach of the Data Protection Act 2018 in schools could happen, and how it could lead to a claim. We look at the effects such a breach could have on the person whose data has been breached and explain how the law allows those affected to claim compensation.
In addition, we offer some insight into what security measures schools could put in place to protect sensitive personal data and explain the risks they face.
Remember, if you have any questions, we’re on hand to help. Simply call us on the number at the top of this page to find out more.
As part of their educational provision, schools need to collect, process and store personal information. As a data controller, they are legally required to protect the personal data they process, whether this relates to a student or a staff member. They have legal obligations to do so under the Data Protection Act 2018, which enacts into UK law the General Data Protection Regulation (GDPR). But what is personal data? Let us explain.
The Information Commissioner’s Office (ICO) defines personal data as information that could be used to identify a natural living person, either on its own or combined with other information. Examples of personal data schools could collect and process could include:
- Student names, contact details, addresses, e-mail addresses and phone numbers
- Staff names, contact details, addresses, e-mail addresses and phone numbers
Sensitive Personal Data
Some information could be considered more sensitive than other data and should be afforded a higher level of protection. Sensitive data could include:
- Racial or ethnic origin
- Sexual orientation
- Political opinion
- Medical information
- Religious belief information
What Is A Data Breach?
The ICO defines a data breach as a security incident that affects the availability, integrity or confidentiality of personal data. It could involve data being subject to:
- Unauthorised/unlawful access or destruction
- Loss of personal data or loss of availability of data
- The disclosure, transmission or alteration of personal data without permission
- Data theft
What Should A Data Breach Policy For Schools Consider?
There are several ways in which a school data breach could happen. Schools could be at risk of cyberattacks such as hacks, so they should ensure they have robust computer security and network security measures in place to protect against such threats.
However, not all data breaches involve cybersecurity issues. A school data breach policy should also consider how to prevent breaches of physical data held by the school. This could include data in filing cabinets, for example. Schools should ensure there is no chance of an unauthorised person accessing the data held in filing cabinets by keeping them locked.
We mentioned that schools have legal responsibilities to protect personal information under GDPR and the Data Protection Act 2018. The UK Government has put together a toolkit for schools to use when putting in place policies and procedures to ensure GDPR compliance.
It involves raising awareness of data protection with all members of staff, and ensuring those that process personal data are educated in how to do so in accordance with GDPR. It also offers guidance for school leaders and those involved with data management in creating a secure data security system that reduces the risk of human error and other incidents leading to data breaches.
What Are The Principles Of GDPR?
The principles of GDPR that schools must abide by include:
- Data minimisation
- Integrity and confidentiality (security)
- Lawfulness, fairness and transparency
- Purpose limitation
- Storage limitation
These principles should be at the forefront of any organisation that processes personal data. A failure to adhere to these 7 principles of GDPR, leading to a breach of personal data, could result in a school facing fines.
Not only this, but it could lead to victims of data breaches claiming compensation for identity theft, financial loss, privacy violation, reputational damage and psychological harm.
There are several ways in which a school data breach could happen. A breach could be the result of negligence, human error or malicious behaviour. Let’s look at some examples.
What Is An Example Of A Data Breach At A School?
Several examples are listed below:
- Sending personal data to the wrong person via e-mail or letter
- Disclosing social security information to wider members of a child’s family, causing serious damage to relationships
- Exposure of sensitive medical information of a child to other class members. Such exposed data could lead to discrimination or bullying
- A cybersecurity incident where there is a breach of payroll information. This could result in identity fraud or financial loss.
- The access of unlocked filing cabinets by an unauthorised staff member, leading to a loss of confidentiality.
If you’re unsure as to whether a data protection breach could lead to a claim, please contact our team. We’d be happy to assess your case for free to see if you could be eligible for compensation. We could also provide you with a data breach solicitor to help you get the compensation you deserve.
There have been numerous school data breaches in the media beyond merely a Brechin High School data breach. One case refers to an unauthorised person accessing the data of other members of staff within a school. The Aldingbourne school data breach incident occurred between December 2018 and January 2019. The teacher who accessed the data without authorisation faced charges of contravening section 1 of the Computer Misuse Act 1990 for accessing the e-mail accounts of 4 other staff members.
Another data breach involved the details of approximately 52 pupils during a slideshow presentation at Brechin High School in Scotland. During the course of the presentation, a list of students with Autistic Spectrum Disorder and other medical conditions appeared on a slide.
Angus Council reported the breach to the Information Commissioner’s Office. One parent of a child whose data was exposed was reported to have been worried about their child facing bullying as a result of the breach.
A school should have robust procedures to act when data breaches occur. Under GDPR, any breach of personal data that affects the freedoms and rights of individuals should be reported to the Information Commissioner’s Office (ICO). This means that any breach that could risk harm to an individual in any of the following ways should be reported:
- Discrimination, including harassment
- Identity theft or fraud
- Financial loss
- Reputational damage
- Loss of confidentiality of personal data under protection by professional secrecy
They must also ensure that they report any data breaches where sensitive personal information is compromised.
Schools must also inform individuals whose data has been breached about the incident.
Schools must disclose data breaches that cause risk to the rights and freedoms of individuals to the ICO within 72 hours of their discovery. If a data breach doesn’t risk the rights or freedoms of individuals, schools should still record the breach in their records.
If there is a delay in reporting a breach to the ICO beyond 72 hours, there must be a reasonable excuse for this delay.
The data breach notification must include:
- Categories of data and the number of people affected
- Approximate numbers of records and categories affected
- Details of the data protection officer
- Information regarding the potential consequences of the breach
- Description of measures taken or planned to rectify the breach and mitigate the effects
If you or your child has been the victim of a privacy breach by a school, you should, according to ICO advice, attempt to take it up with the school first. You should inform them of the breach, how it has affected you and ask them to launch an investigation. It would be wise to put a timescale on how quickly you would like them to respond. If the school does not respond satisfactorily or at all, you could raise your concerns with the ICO.
You should not leave it too long to inform the ICO of a breach if you would like them to investigate. Undue delays in reporting a breach may mean they do not investigate it.
Whether you’re considering reporting a school data breach to the ICO or not, if 3 months have gone by without meaningful contact from the school about the breach, you could seek legal advice. We could provide you with advice and support. In addition, we could provide you with a data breach solicitor to assist with your claim. All you need to do is call us.
You don’t necessarily need to use a data breach lawyer when claiming compensation. You could go it alone, reporting the breach to the school and asking for compensation. However, putting together the legal paperwork could be complicated. In addition, you might not know how much compensation to ask for, and what evidence would be appropriate to prove your claim.
This is where a data breach solicitor could help. Not only could they take on all the legal paperwork involved in proving a claim and help you through the data breach claims process, but they could ensure you don’t miss out on any compensation you are eligible for. As we describe in the next section, there are several damages you could claim for.
When awarding compensation for a school data breach, courts and lawyers would look at how the breach has affected the claimant. According to GDPR, those who suffer financial or non-financial damage could claim compensation. But what does this mean?
Financial damage could include financial losses and costs caused by the breach. You would usually evidence these via documentation such as bank statements, credit card bills and the like.
You could also claim non-material damages if you’ve suffered harm in a way that is not financial. Non-material damages could be payable if you’ve experienced psychological harm because of a school data breach, such as a Brechin High School data breach.
The reason this could be possible is that a legal precedent was set in Vidal-Hall and others v Google Inc, where the Court of Appeal discussed compensation for psychiatric injury caused by breaches of data. The court said such awards should be considered, and the value of such claims should be determined with reference to personal injury law.
Therefore, you could consider claiming for post-traumatic stress disorder, anxiety and stress if you’ve suffered in these ways due to a breach of your data.
There is no data breach claims calculator that could tell you how much your case would bring you. Solicitors and courts assess every case on its own specifics, so no two cases are precisely the same.
The amount of compensation you could receive for psychological distress in a data breach claim would depend on the severity. You would need, therefore, to go and see a medical expert as part of the claim so that they could write an independent report detailing your condition and prognosis.
Courts and data breach lawyers could use this, along with a legal publication called the Judicial College Guidelines, to determine an appropriate level of compensation. We have produced a table below with guideline compensation brackets from the Judicial College Guidelines to give you a rough idea of what payouts could be appropriate for psychological injuries.
|Name of Injury|Severity|Guideline Bracket for Compensation|
|---|---|---|
|General Psychological injury|Less severe|£1,440 to £5,500|
|PTSD/Post-traumatic stress disorders|Less severe|£3,710 to £7,680|
|General Psychological injury|Moderate|£5,500 to £17,900|
|PTSD/Post-traumatic stress disorders|Moderate|£7,680 to £21,730|
|General Psychological injury|Moderately severe|£17,900 to £51,460|
|PTSD/Post-traumatic stress disorders|Moderately severe|£21,730 to £56,180|
|General Psychological injury|Severe|£51,460 to £108,620|
|PTSD/Post-traumatic stress disorders|Severe|£56,180 to £94,470|
For a more specific estimate, simply get in touch on the number at the top of this page.
Here at Legal Expert, we know legal fees might be a pressing concern when deciding whether to get a data breach solicitor to help with your claim. With No Win No Fee claims, you could use the services of a legal professional without paying them until your compensation is received. You would only pay them a small percentage, known as a success fee, if they obtain a compensation payout for you.
How Does The Process Work?
In general terms, the process of claiming on a No Win No Fee basis would work as follows:
- You’d sign a No Win No Fee Agreement prior to your lawyer starting work on your claim. This agreement would specify a small success fee that the lawyer would deduct from your payout if your claim is successful. There is a legal cap on the fee.
- Your lawyer, on receiving the signed agreement, would work on your claim and negotiate a payout for you. When it comes through, they’d deduct the fee and the balance would be for your benefit.
- If there was no compensation payout, you would not pay the success fee to your lawyer. Nor would you cover your lawyer’s costs.
For more detail on how such claims work, why not check out our guide? Or you could call our team if you have any questions on making a No Win No Fee claim.
Whether you’d like us to offer you a free eligibility check on your case, or you’re ready to talk to a data breach solicitor about your claim, we could help. Our expert advisors can answer your questions and check your eligibility to claim. We could then provide you with a No Win No Fee data breach lawyer who could help you fight for the maximum payout for your claim. To get in touch about the likes of a Brechin High School data breach, all you need to do is:
In this section of our guide to school data breach claims, we’ve included some extra resources you may find useful.
Data Breach Claim Examples – The ICO has produced some guidance on how to make a data breach claim here, along with giving you examples of what could happen during the process.
School Data Breach Guidance – Unison has produced advice for schools and teachers about data protection. You can find their guide here.
Photographs In Schools – Here, you can find ICO guidance on taking photos in school when it comes to data protection.
Loss Of Personal Data – Can I Make A Claim? – You can learn more about making a claim for data loss here.
GDPR Breach Psychological Injury Claims – This guide offers further insight into claiming for psychological injury.
Data Breached As An Employee? – You can learn about claiming against your employer for a data breach here.
According to the ICO’s Q2 2020/2021 report, during this period:
- There were 336 data breach reports by educational establishments
- 250 of these breaches were not cybersecurity incidents and related to incidents such as e-mailing data to the wrong recipient, loss/theft of paperwork, or paperwork left in an insecure location.
- Only 86 incidents related to cybersecurity, with reports of 24 phishing attacks as well as 29 ransomware incidents
I Have Contacted The ICO, Could I Still Make A Claim?
Yes, if three months have passed since there has been meaningful contact with the school. Our team would be happy to talk to you about your claim.
Is There A Time Limit For Making A Data Breach Claim?
The time limit for making a school data breach claim would be 1 year if there is a breach of human rights and 6 years in other cases. If you’re unsure as to how long you would have to file your claim, please don’t hesitate to call us.
What is a data breach in a school?
This is any situation where personal information relating to a school is stolen or revealed to people without authorisation.
How long does a school have to report a data breach?
The maximum time limit to report a breach after becoming aware of it is 72 hours.
What is the biggest cause of data breaches in schools?
Ransomware tends to be the most frequent cause of school data breaches.
How do you respond to a data breach?
You should remain calm, put a response plan out, contact your customers and call your security experts.
How long does a school have to decide if a data breach needs to be referred to the ICO?
They need to make the decision ASAP due to the three-day time limit to report it.
What is the largest data breach in history?
This was the Yahoo data breach of August 2013, with 3 billion accounts suffering a compromise.
Thank you for reading our guide to school data breach claims. But please get in touch if you suffer from the likes of a Brechin High School data breach.
Guide by Jeffries
Edited by Billing