Schools, colleges, and universities handle lots of sensitive personal data which must be kept safe. Indeed, data protection is of vital importance where children are involved. However, all too often, educational organisations are either not aware of their obligations or have not done enough to ensure that they meet them.
Today, competing priorities and limited budgets mean that data protection is often being overlooked. So it is no wonder that schools, universities, and colleges have become an attractive target for hackers. At the same time, a failure to invest in adequate staff data protection training means that human error is still the leading cause of data privacy violations in the education sector.
Nobody wants to sue their child’s school, but sometimes, making a claim is the only way to force security improvements. So, if you or a member of your family has experienced a school, college, or university data protection breach, you have the right to claim compensation.
Has your child's school failed to keep your data safe?
Where schools do not keep personal information secure and prevent breaches, the Information Commissioner’s Office (ICO) can issue a fine and you might have a compensation claim.
For example, photos and videos of your child taken by the school may be covered by data protection legislation and you should be told why they are needed and where the school will use them. You should also be asked to provide your consent for these to be used.
Sending information to separated/divorced parents who do not live together without the appropriate permissions could result in a data breach. Likewise, schools and universities are banned from making exam results public without the consent of students.
Mary and Ben's* adoption records data breach
At Keller Lenkner UK, our solicitors deal with a range of educational privacy violations on behalf of our clients. For example, Mary and Ben adopted Sarah when she was a baby. They planned to tell Sarah about her adoption when she was older. However, her school sent documents referencing Sarah’s adoption to the wrong address. The information ended up with a neighbour who opened and read the documents before sharing Sarah’s adoption status with other people in the local community.
Sarah subsequently found out that she was adopted, leading to considerable distress for her and her family. We are helping Mary and Ben to claim compensation for this shocking privacy violation.
*Names have been changed to protect client confidentiality.
Data protection is about more than breaches
When it comes to GDPR failures and abuses, it is not just about data breaches. Today, schools are failing to uphold our individual data rights in other ways. For example:
Has your child's school collected or used your data without your consent?
Schools must comply with fair processing/privacy notices. This means that they must tell you the data they require, tell you why they need it, explain how it will be used, and obtain your consent to collect and use this data. And, under the GDPR, your consent must be “freely given” with separate approvals provided for different purposes. Your consent can not be assumed from silence, inactivity, or pre-ticked boxes. Also, you can withdraw your consent at any time.
Has your child's school shared personal data with a third party?
If personal data is being passed on to a third party (e.g. other parents, schools, social services, etc.), you also must be told why and give your consent, even if a public body has requested the information (e.g. the police). If a school fails to do this, it could be guilty of a data protection breach. An exception to this is where a failure to share information could place a child at risk.
Has your child's school refused or ignored an information access request?
Pupils have a right to see their personal information if they ask for it. However, parents and guardians don’t have to be granted access to their children’s personal data (apart from educational records) unless they have consent from the child, or the child cannot act on their own behalf.
Is the data held on you and your child out of date?
Schools must ensure the personal data they hold is up to date. This means carrying out regular information audits and asking you to check that your details are correct. If a school keeps data for longer than needed, it could violate the Data Protection Act.
Has your school told you about a data breach?
Your school must have robust processes in place for detecting, reporting, and investigating data breaches. If a breach occurs, they must tell the ICO without “undue delay.”
Where a school fails in its data protection obligations, you could have a data breach claim. With strict time limits for making a data breach claim against an educational body (currently, all breaches going back six years could be subject to a claim), it is vital to act now.