What Are My Rights After A School Data Breach?

I Suffered A Psychological Injury After A School Data Breach, What Are My Rights?

school data breach

Did you know that if you or your child suffer mental harm or financial loss because of a school data breach, you may be in a position to make a compensation claim? You would need to prove that a school’s positive wrongful conduct caused the breach and that your personal data (or your child’s) was involved.

That’s where this guide aims to help. We will equip you with a basic knowledge of the process of making a data breach claim. You will also learn about what justifies a valid claim. We’ll explore what a No Win No Fee claim involves too.

Your claim will be based on a unique set of circumstances. Because of this, you may find that this guide does not answer all of the questions you have. We can answer those questions for you. Just call 0800 073 8801 and speak to our advisors. Alternatively, use our live chat.

Our advisors give free legal advice. What’s more, if you have grounds for a solid claim, they could connect you with our solicitors. However, you won’t be under any obligation to proceed with these services. So why not get in touch?

Select A Section:

A Guide To Personal Data Breach Claims Against A School

This guide is aimed at equipping you with the knowledge that you will need to make proper decisions about your own claim. It covers data protection breaches in schools, but much of the guide will apply to any kind of data breach claim. You will learn about what a valid claim is, and how a data breach lawyer can help.

First, it’s important to note that not every school data breach will be a consequence of the school’s positive wrongful conduct. However, if it is, and you or your child’s personal data is affected, you could claim. You’d need to prove the financial losses or psychological damage that the data breach caused.

We refer to data subjects in this guide. A data subject is anyone whose personal information is collected or processed.

Personal information or personal data is any information that can be used to help identify a data subject. It can include names, addresses, photographs or phone numbers, for example.

We also refer to data protection laws in this guide. The GDPR is an EU law that was enacted into UK law via the Data Protection Act 2018. The Data Protection Act sits alongside the UK GDPR. As data protection laws, they aim to ensure you have more security and control in relation to your personal data.

Get More Free Legal Advice

Our advisors give free legal advice and are here for you 24/7. You can call us, send an instant message through our live chat or use a different contact method at the bottom of the page. If you have evidence of a justifiable claim, they could connect you with our solicitors.

Time Limits To Make A Claim

The time limits for making a data breach claims are:

  • Six years.
  • One year if your human rights are involved.

You can check with our advisors to learn which time limit could apply based on your own claim.

What Personal Data Could A School Hold About Me?

Schools hold a variety of personal data about employees, students and parents. For example:

  • Names, dates of birth, email addresses and telephone numbers.
  • Your bank details or credit card information if you have paid for school services in the past.
  • Information relating to a child’s relationship with social services if it’s appropriate for them to have that information.
  • Medical information such as known allergies or long-term medical conditions.
  • Logins for the school intranet.

If personal data is exposed, it could cause varying degrees of harm. For example, you or your child might suffer psychologically or you may lose out financially if banking information is accessed.

What Is A Personal Data Breach Claim Against A School?

A personal data breach begins with a breach of security. This then causes personal data to be lost, destroyed, accessed, disclosed or altered without a lawful basis. It can be accidental or deliberate.

Every educational establishment has to comply with all relevant rules and regulations pertaining to data privacy and security when they collect or process personal data. There could, for example, be a robust school data breach policy in place, ensuring that all personal data is adequately protected.

If the school fails in its legal obligation to protect personal data, this can expose the data to risk. And this risk could ultimately lead to you or your child becoming the victim of a data breach. In such cases where these failings and subsequent harm can be proven, you would potentially have a valid cause to make a compensation claim.

How Does A Data Breach Happen?

Accidental data breaches can be caused by error, oversight or omission, for example. Deliberate external intrusions, by cybercriminals, for example, can also result in a data breach.

It is important to note that data protection laws cover physical data and also digital data. Examples of how physical data could be compromised include:

  • Leaving a file containing personal information open on a desk where any unauthorised member of the public can access it.
  • Losing paperwork containing personal information while travelling to or from work.
  • Throwing away scans containing personal data without properly disposing of it.
  • Giving personal information held on files to a person who requests them, but doesn’t have a lawful reason to have them.

Examples of a digital school data breach could include:

  • A hacker manages to gain access to a school’s systems and steals personal information due to vulnerabilities in online security.
  • Storage devices, such as USBs, are improperly thrown away without the personal data held on them being destroyed first. The USB is then obtained by someone who doesn’t have a lawful basis to access the information on it.
  • A member of staff emails your child’s personal data to the wrong person, who isn’t authorised to access it but does anyway.

These are just some examples of how physical and digital data breaches can happen. There are, of course, many more.

The Damage That A Data Breach Can Do

We have already shown that a school stores a significant amount of personal data. If a person with malicious intent accesses it then, depending on what kind of data they steal, they could potentially steal your identity. They could, for example, take out new loans. There may be long-term ramifications in this instance.

If financial information is accessed, someone could steal from your bank account.

You may also suffer psychological harm because of the distress of having your personal information exposed or that of your child.

If you make a successful data breach claim, you could recover the financial losses and be compensated for any psychiatric harm the data breach causes too.

Examples Of What Should Schools Do If They Breach Your Data Privacy

If school security measures have been ineffective and a third party has gained access to your personal data, the school should take specific steps. These can include:

  1. Define the scope of the breach and the risk attached to it.
  2. Fix the breach to stop more personal data from being exposed.
  3. Report the breach to the Information Commissioner’s Office within 72 hours if it risks the rights and freedoms of data subjects.
  4. Inform the data subjects without undue delay if their rights and freedoms are at risk.

Even when a school takes these measures, it does not mean the breach has been mitigated. You could still be in a position to make a claim if the breach was caused by their failings and you suffered financial loss or mental harm. Call and talk to our advisors to learn how.

Examples Of Action Taken By The ICO Against Schools

Does the Information Commissioner’s Office (ICO) enforce the UK GDPR? Yes, it does. The ICO is responsible for enforcing multiple data protection laws. It can investigate reported data beaches. In addition, it can take punitive action against organisations that have not met their legal obligations to protect personal data. The ICO publishes a list of all of the actions they have taken against organisations in the UK.

The ICO took action against a school in Cheshire in 2020. It was found that, despite the parents’ refusal to consent to their children’s images being shared via any media, two pupils’ images were published in a local newspaper alongside the school’s name. They’d appeared as part of a class photograph. Because the school had allowed this, they received a reprimand from the ICO.

However, whether or not the ICO has taken action against the school that exposed your personal data or your child’s, you could still attempt to make a compensation claim. You can call and talk to our advisors to learn more about this.

When Could You Claim For A Breach Of The GDPR?

There are different reasons why you might want to make a compensation claim for a school data breach. For example:

  • A representative of the school, such as a member of staff, accidentally exposed your personal data or your child’s personal data.
  • An unauthorised third party gained access to your personal data through nefarious means.
  • The school used your personal data in a way that it did not have a lawful reason for.

However, in order to claim, you would need to be able to prove that the school’s positive wrongful conduct caused the data breach. Not every school data breach is caused by the school’s failings.

You’d also need to ensure you have evidence that your personal information was involved in the data breach and that it caused you financial loss or mental harm (or both).

If you need help making a claim, you can call and speak to our advisors. An advisor can help you to get your claim started.

GDPR And Your Rights

Data protection legislation in the UK gives you a number of rights. These help you to control how your personal data is being used. Under the UK GDPR, your rights are:

  1. You have a right to be informed about why your personal data is being collected and what it’ll be used for.
  2. You have a right to access your personal information and receive copies of it.
  3. Any errors in the data that the school has about you should be corrected if you request it (right to rectification).
  4. You can ask the school to delete the personal data it has about you (right to erasure).
  5. In certain circumstances, it should be possible for you to tell the school that you don’t want your data being used in specific ways (right to restrict processing).
  6. You might ask that you are given a copy of the personal data that the school has about you. If you do, this data should be given to you in easily transferrable format (right to data portability).
  7. You have the right to object to your personal information being processed in certain instances.
  8. You have rights in relation to automated decision making and profiling.

If you have any concerns about how your personal information was involved in a data breach and whether you can claim, why not get in touch?

Evidence That Could Support A Data Breach Claim

When making a data breach claim against schools and colleges, you should be able to gather some evidence that will add weight to your claim. Our claims team can tell you more about this, but typical evidence might include:

  • Information about how you discovered your data had been exposed.
  • Copies of any communication between you and the school regarding the breach.
  • Details of any complaint you made to the ICO.
  • Documented proof of financial loss caused by the data breach.
  • A medical report showing how you suffered psychological harm due to the data breach.

Speak to our advisors for some more advice on the types of evidence to gather and how.

Educational And School Data Breach Compensation Calculator

Compensation differs for each claimant. If you’re claiming for psychological harm caused by a data breach, the amount you receive would be assessed by factors such as how long you suffered for and how you suffered.

The compensation table below demonstrates this. The Judicial College produces guidelines that we based the figures in this table on. Solicitors use these guidelines to help them when valuing injuries.

Health problems Level of Harm Range of Damages Additional Notes
Psychiatric damage Less severe Up to £5,500 This award would be calculated based on how long the claimant suffered for and how much everyday activities and sleep were impacted.
Psychiatric damage Moderately severe £17,900 – £51,460 The claimant would struggle with work and other aspects of life. However, the prognosis would be better than for a person suffering severe psychiatric damage.
Psychiatric damage Severe £51,460 – £108,620 The claimant would suffer with various aspects of life and the prognosis would be poor.
Psychiatric damage Moderate £5,500 – £17,900 There would be a significant improvement by trial. The prognosis would be optimistic.

If you’d like a free estimate of what you could claim, why not reach out? Our advisors are available 24/7 and you won’t be obligated to proceed with the services of our panel of solicitors.

How Material And Non-Material Damages Could Compensate You

In 2015, the case Vidal-Hall and others v Google Inc set a precedent. The Court of Appeal held that you could be awarded damages for psychological harm caused by a data breach, despite not also suffering financial loss because of it. Before this case, you would need to prove financial losses if you were to also claim for mental harm.

Compensation for psychological harm is otherwise known as non-material damages. It’s calculated as it would be in personal injury cases: you’d attend a medical assessment.

An independent medical professional would assess your injuries and create a report. The report would show:

  • How severe the injuries are.
  • Whether the data breach caused or worsened your injuries or whether there was no link at all. (If there’s no link between the breach and your injuries, you may find it difficult to claim non-material damages.)

You may also be able to claim for financial loss caused by the data breach. This is known as material damages. For example, it could include financial loss caused by the breach such as money spent from your bank account if this can’t be recovered, and also loss caused by costs, such as having your passport replaced.

You can prove non-material damages by providing documents such as bank statements and credit scores.

For some advice on what types of damages to claim for, you can call and talk to our claims team any time of the day or night.

No Win No Fee Claims For A School Data Breach

You could use the services of a solicitor working under a No Win No Fee agreement to make a claim.

Under a No Win No Fee agreement, you would have no upfront solicitor fees, nor any solicitor fees at all until the claim is won. If it is lost, you don’t pay your solicitor any legal fees.

If you win your claim, you would pay your solicitor a success fee. This is a small percentage of the compensation and it’s capped by law. What’s more, you’ll know the percentage before you agree to have your solicitor work for you. In addition, the fee would only be retrieved after the compensation has come through.

Our panel of solicitors works on a No Win No Fee basis. You can find out more about it by getting in touch through any of the methods below.

Talk To An Advisor

Has your personal data been involved in a school data breach? Do you need a good data breach solicitor to process a claim for you? Please use the contact details below and get in touch, so we can help you. An advisor will go through your claim with you, and let you know what your legal options could be.

Our advisors are available 24/7. What’s more, they can connect you with our No Win No Fee solicitors if you have a favourable claim. Why not find out if you could claim today?

FAQs On Claims For A Breach Of The GDPR Or DPA

Below are a few answers to common questions about data protection.

What is the GDPR?

The GDPR is the General Data Protection Regulation that applies to personal data security and privacy.

What is the Data Protection Act?

The Data Protection Act is the EU GDPR enacted into UK law. It sits alongside the UK GDPR.

How long do I have to start a claim?

You should claim within 1 year if a data breach involved a human rights breach or, alternatively, 6 years. Speak to our advisors to learn more.

Related Guides

All of the guides below could be worth reading if you’d like more insight into claiming.

What Is A No Win No Fee Claim?

Claiming For A Credit Card Data Breach

Psychological Injury After A Data Breach

Visiting these external links could provide you with some useful background information:

Guide To The GDPR

Data Protection

The ICO: Monitoring Compliance

Thanks for reading our guide on what a school data breach could look like and how you could claim. 

Guide by MW

Edited by RV