0370 270 6000

already registered?

Please sign in with your existing account details.

need to register?

Register to access exclusive content, sign up to receive our updates and personalise your experience on brownejacobson.com.

Privacy statement - Terms and conditions

British Airways £183m data breach fine – should schools be worried?

17 July 2019

In a word (or three) no, not really. Before we get overexcited about BA’s hefty fine, let’s put it in perspective and remember that for the moment it is the Information Commissioner’s Office intention to levy this fine – BA will now make representations about it.

Under the old rules the ICO could fine organisations up to £500k. You may remember that Facebook and Equifax got stung with £500k fines in late 2018 for breaches under the old rules and earlier that year Carphone Warehouse paid out £400k and Uber stumped up £385k.

Those fines don’t really make a dent to large organisations and that’s why the rules now allow for a fine of up to €20m or 4% of worldwide turnover. The details of the breach that led to the fine are not hugely relevant; the key point is that it was a cyber breach that led to the personal data or around 500,000 people being compromised, which included payment card details and log in information. So, the data stolen was significant in terms of volume and content.

Does this mean schools will be hit with similar fines? Personally, I don’t think so. We do need to take it seriously, not because of the big chunk of cash BA will be handing over, but because of what Elizabeth Denham said:

“People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”

Ask yourself this: if you had a data breach and faced the scrutiny of the ICO, how would you fare?

Here are my top tip tops to help you fare pretty well:

  1. Appoint and train your DPO and keep that training updated;
  2. Train staff and be able to evidence outcomes of that training;
  3. Carry out basic audits (and be able to evidence them) and then take steps to remedy any weaknesses;
  4. If you have a reportable breach, report quickly and fully;
  5. The fines can be hefty, so getting legal advice when managing a breach is worthwhile.

focus on...

Legal updates

FOI requests and the use of the section 36 exemption

As schools and academies you get plenty of Freedom of Information requests. When you answer them you are effectively publishing the information to the world.


Legal updates

be connected newsletter for education - July 2019

As we approach the final few days of the school term, this edition of BeConnected provides you with the latest in legal updates, news and insight from the sector.


Legal updates

Schools and Raising Money for Charities

Traditionally there are many ways for schools to raise money for charity: bake sales, non-uniform days and throwing wet sponges at teachers.


Legal updates

be connected newsletter for education - December 2018

In this edition we will connect you with a comprehensive selection of the very latest in legal updates, news and insight from the education sector.


The content on this page is provided for the purposes of general interest and information. It contains only brief summaries of aspects of the subject matter and does not provide comprehensive statements of the law. It does not constitute legal advice and does not provide a substitute for it.

mailing list sign up

Select which mailings you would like to receive from us.

Sign up