0370 270 6000

already registered?

Please sign in with your existing account details.

need to register?

Register to access exclusive content, sign up to receive our updates and personalise your experience on brownejacobson.com.

Privacy statement - Terms and conditions

Forgotten your password?

British Airways £183m data breach fine – should schools be worried?

17 July 2019

In a word (or three) no, not really. Before we get overexcited about BA’s hefty fine, let’s put it in perspective and remember that for the moment it is the Information Commissioner’s Office intention to levy this fine – BA will now make representations about it.

Under the old rules the ICO could fine organisations up to £500k. You may remember that Facebook and Equifax got stung with £500k fines in late 2018 for breaches under the old rules and earlier that year Carphone Warehouse paid out £400k and Uber stumped up £385k.

Those fines don’t really make a dent to large organisations and that’s why the rules now allow for a fine of up to €20m or 4% of worldwide turnover. The details of the breach that led to the fine are not hugely relevant; the key point is that it was a cyber breach that led to the personal data or around 500,000 people being compromised, which included payment card details and log in information. So, the data stolen was significant in terms of volume and content.

Does this mean schools will be hit with similar fines? Personally, I don’t think so. We do need to take it seriously, not because of the big chunk of cash BA will be handing over, but because of what Elizabeth Denham said:

“People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”

Ask yourself this: if you had a data breach and faced the scrutiny of the ICO, how would you fare?

Here are my top tip tops to help you fare pretty well:

  1. Appoint and train your DPO and keep that training updated;
  2. Train staff and be able to evidence outcomes of that training;
  3. Carry out basic audits (and be able to evidence them) and then take steps to remedy any weaknesses;
  4. If you have a reportable breach, report quickly and fully;
  5. The fines can be hefty, so getting legal advice when managing a breach is worthwhile.

Training and events


Optimus MAT Summit Novotel London West, Hammersmith, London W6 8DR

Come and meet the team at Optimus’ annual conference.

View event


EdCon 2021: planning for the future Online

Our virtual conference for schools and academy trusts is back and this year it’s free!

View event

Focus on...

Keeping Children Safe in Education 2021

The Keeping Children Safe in Education 2021 guidance includes a number of updates, the most significant of which is the creation of Section Two of Part Five. This introduces the concept of low-level concerns raised about staff, supply staff, volunteers and contractors.


Legal updates

Covid 19 – changes to arrangements for admission appeals and exclusion reviews

The Department for Education (DfE) has recently published further regulations to amend the operation of admission appeals and exclusion reviews given the ongoing concerns around the Covid-19 pandemic.


Legal updates

be connected newsletter for education - September 2021

In this edition we provide you with the latest in legal updates, news and insight from the sector.


Legal updates

Updated guidance on Covid-19 vaccination: 12 to 15 year olds

On 13 September the Department of Health and Social Care announced that young people aged 12 to 15 are to be offered a Covid-19 vaccine. People aged 12 to 15 in England will be offered one dose of the Pfizer/BioNTech COVID-19 vaccine, following advice from the four UK Chief Medical Officers (CMOs).


The content on this page is provided for the purposes of general interest and information. It contains only brief summaries of aspects of the subject matter and does not provide comprehensive statements of the law. It does not constitute legal advice and does not provide a substitute for it.

Mailing list sign up

Select which mailings you would like to receive from us.

Sign up