Schools face hefty fines for data breaches under new EU laws


Schools face having to free up a teacher to work three days every week on EU data protection issues, say tech experts.

From May next year, schools must comply with the new General Data Protection Regulation (GDPR) or face financial penalties of up to 4 per cent of their turnover.

The new regulations are designed to beef up the safety and security of data held by all organisations in the EU – and will still be binding in the UK despite Brexit.

Mark Orchison, managing director of 9ine Consulting, said schools faced a “significant amount of work” to become compliant.

A designated data protection officer could have to spend up to three days a week on data commitments and out-of-date IT equipment could have to be replaced. This is at a time when many are struggling to cope with stretched budgets.

It will be illegal for schools not to have a formal contract with a chosen data processor, or to use a processor that does not meet minimum industry accreditations.

“Lots of schools currently use IT equipment until it falls over and dies – with GDPR it’s a high-risk approach to continue using equipment that is out of warranty or doesn’t have up-to-date software,” Orchison said.

If schools used such software they could fall foul of the new stipulation to “ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services”.

Organisations found in breach of the rules could be fined either up to 4 per cent of their turnover, or £20 million – whichever was greater.

Malcolm Trobe, deputy general secretary at the Association of School and College Leaders, said many schools had yet to “clock on” to the impact of changes.

While many of the new rules were similar to those in the current Data Protection Act, there were “significant enhancements”.

He urged schools to add the changes to their work programme for next year and to use any annual data protection audits to ensure they met the new rules.

However, he warned against rash decisions as it was not clear how the regulations would apply specifically to schools yet. Currently only guidelines have been published.

Joshua Perry, director of Assembly, a schools data platform created by Ark, said there were still “open questions” about how to interpret GDPR in schools.

“Schools – and organisations working with schools – don’t need to fear GDPR, but they should be tracking very closely its implications.”

He suggested schools start “preparatory tasks”, such as designating a data protection officer, and document where personal data was processed, including the methods used and how consent had been managed.

“This should include any spreadsheets of pupil data created and shared by the school, since this is a common – and potentially insecure – form of data processing.”

Schools Week reported that 66 schools reported data breaches in 2015, including the accidental loss, theft or revealing of information. None faced action.

A growing number of high-profile cyber attacks also show the risk for public organisations. In May a virus infiltrated the NHS’s outdated Windows XP system, leaving many hospitals unable to access patients’ medical records.

Under GDPR, schools must alert the Information Commissioner’s Office (ICO) of any cyber security breaches within three days.

Orchison said it was “highly likely” the ICO would take action should the school be found not to be meeting the new rules.

The ICO has published a 12-step checklist to help prepare for the changes.

Your thoughts



  1. An interesting article in many parts but there are some areas that really need clarification.

    No disrespect to colleagues in the teaching profession, but the idea that this means a “teacher” has to give up 3 days a week is not really correct. This role would be that of the DPO, a senior member of staff in the school who has no conflict of interests with taking the strategic oversight on this problematic area. For most schools, this could not be a teacher, and that is before you get onto whether this is considered an administrative task … but I’ll let my union-savvy friends discuss the merits or issues with that one. One thing that we do know … it cannot be the school’s Network Manager / IT Technician, MIS Manager or Personnel Officer.

    I’m also trying to find where there is a stipulation about Data Processors’ need to have a minimum accreditation? I’ve not seen anything on the ICO about that, in the GDPR itself I can see it now … all those companies selling ISO27001 training and systems trying to get vendors through in less than 12 months. There were barely enough assessors to get companies across the world updated from ISO27001:2008 to ISO27001:2013, so I worry that *any* sort of accreditation is going to be an issue in rolling out. The ICO states “Signing up to a code of conduct or certification scheme is not obligatory. But if an approved code of conduct or certification scheme that covers your processing activity becomes available, you may wish to consider working towards it as a way of demonstrating that you comply.”

    I would also be interested in why Mark said that “it was “highly likely” the ICO would take action should the school be found not to be meeting the new rules”.
    As the article points out, schools have been notoriously lax over the years, but little action is ever taken. To date, schools have only ever signed Undertakings, and that has very little impact on the school. At one point Ofsted did clarify that it ‘could’ be seen as a failing on laws regarding Safeguarding, but in a conversation with them in 2013 they came back and said that this was outside of their remit and unless brought to their attention for something that was going wrong whilst they were inspecting, it would have no weight.

    Personally, I am eager to see the DfE’s response to GDPR and any guidance they produce. There are areas of confusion … between the individual’s right to be forgotten but the school’s obligation to record and retain data.
    I feel that is a conversation for another day though.

    I’m glad that article is targeted at raising awareness … this is needed more and more with schools. The days of Becta contacting schools are gone, and even if people go back to Becta’s original 2009 materials on Data Protection, it would be a good start!

    • Owen Rees

      On whether a school needs a DPO, the DPO role can also be contracted out, so schools can share. In a MAT, it would be sensible for this to be carried out centrally given the specialism required. Nonetheless, it is hard to see how this role can sensibly be met by a teacher.

    • A useful comment from Tony.

      This whole issue would become even more complex if we were ever to implement any real form of edtech, which would require the storing, aggregation and sharing of student performance and profiling data. So (as the US example of InBloom and the UK NHS example of both suggest) uncertainty about data processing rules and the potential for adverse public reaction to data sharing remains a significant potential barrier to the implementation of effective edtech.

      The failure of the education sector to grapple with this problem, its attachment to ultra-decentralized organization (which suggests the allocation of 0.6 of a teacher in each school to deal with the problem) and a failure to specify objectives and rules precisely, reflects a wider problem in our approach to education – a problem for which a more technological approach is the solution.

      More systematic forms of edtech are the answer to these problems as well as one of the key reasons why the problems *need* to be answered. There is no reason why, when data processing and retention rules have been more precisely defined, there should not be centralised responses, automatically applied in most cases by compliant software, in a way that does not interfere with the ability of schools to share data (e.g. with the suppliers of online services) for legitimate purposes.