0370 270 6000

British Airways £183m data breach fine – should schools be worried?

17 July 2019

In a word (or three) no, not really. Before we get overexcited about BA’s hefty fine, let’s put it in perspective and remember that for the moment it is the Information Commissioner’s Office intention to levy this fine – BA will now make representations about it.

Under the old rules the ICO could fine organisations up to £500k. You may remember that Facebook and Equifax got stung with £500k fines in late 2018 for breaches under the old rules and earlier that year Carphone Warehouse paid out £400k and Uber stumped up £385k.

Those fines don’t really make a dent to large organisations and that’s why the rules now allow for a fine of up to €20m or 4% of worldwide turnover. The details of the breach that led to the fine are not hugely relevant; the key point is that it was a cyber breach that led to the personal data or around 500,000 people being compromised, which included payment card details and log in information. So, the data stolen was significant in terms of volume and content.

Does this mean schools will be hit with similar fines? Personally, I don’t think so. We do need to take it seriously, not because of the big chunk of cash BA will be handing over, but because of what Elizabeth Denham said:

“People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”

Ask yourself this: if you had a data breach and faced the scrutiny of the ICO, how would you fare?

Here are my top tip tops to help you fare pretty well:

  1. Appoint and train your DPO and keep that training updated;
  2. Train staff and be able to evidence outcomes of that training;
  3. Carry out basic audits (and be able to evidence them) and then take steps to remedy any weaknesses;
  4. If you have a reportable breach, report quickly and fully;
  5. The fines can be hefty, so getting legal advice when managing a breach is worthwhile.

Focus on...

Legal updates

A new School Admission Appeals Code for 2022

On 1 October 2022 the School Admissions Appeals Code 2022 (“the Code”) comes into force, replacing the 2012 version and the amendments brought in during the pandemic. The Code will apply to all appeals lodged on or after 1 October 2022.


Legal updates

New Guidance on Behaviour in Schools: What has changed?

This month the Department for Education (“DfE”) released new guidance on behaviour in schools which has substantial changes from the previous guidance from 2016.


Legal updates

be connected newsletter for education - July 2022

In this edition we provide you with the latest in legal updates, news and insight from the sector.


Legal updates

New statutory guidance on school suspensions and exclusions now published

New statutory guidance on school exclusions has now been published, along with new Behaviour in Schools Guidance. The new guidance incorporates changes recommended in Edward Timpson’s May 2019 report on school exclusions. The new guidance will apply to any exclusion or suspension decisions taken from 1 September 2022.


The content on this page is provided for the purposes of general interest and information. It contains only brief summaries of aspects of the subject matter and does not provide comprehensive statements of the law. It does not constitute legal advice and does not provide a substitute for it.

Mailing list sign up

Select which mailings you would like to receive from us.

Sign up