British Airways £183m data breach fine – should schools be worried?
In a word (or three) no, not really. Before we get overexcited about BA’s hefty fine, let’s put it in perspective and remember that for the moment it is the Information Commissioner’s Office intention to levy this fine – BA will now make representations about it.
In a word (or three) no, not really. Before we get overexcited about BA’s hefty fine, let’s put it in perspective and remember that for the moment it is the Information Commissioner’s Office intention to levy this fine – BA will now make representations about it.
Under the old rules the ICO could fine organisations up to £500k. You may remember that Facebook and Equifax got stung with £500k fines in late 2018 for breaches under the old rules and earlier that year Carphone Warehouse paid out £400k and Uber stumped up £385k.
Those fines don’t really make a dent to large organisations and that’s why the rules now allow for a fine of up to €20m or 4% of worldwide turnover. The details of the breach that led to the fine are not hugely relevant; the key point is that it was a cyber breach that led to the personal data or around 500,000 people being compromised, which included payment card details and log in information. So, the data stolen was significant in terms of volume and content.
Does this mean schools will be hit with similar fines? Personally, I don’t think so. We do need to take it seriously, not because of the big chunk of cash BA will be handing over, but because of what Elizabeth Denham said:
“People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”
Ask yourself this: if you had a data breach and faced the scrutiny of the ICO, how would you fare?
Here are my top tip tops to help you fare pretty well:
- Appoint and train your DPO and keep that training updated;
- Train staff and be able to evidence outcomes of that training;
- Carry out basic audits (and be able to evidence them) and then take steps to remedy any weaknesses;
- If you have a reportable breach, report quickly and fully;
- The fines can be hefty, so getting legal advice when managing a breach is worthwhile.
Contact
Dai Durbridge
Partner
dai.durbridge@brownejacobson.com
+44 (0)330 045 2105
You may be interested in...
Legal Update
An update on the independent review of university spin-out companies
Press Release
Half of school leaders think Ofsted does not have the expertise for Multi-Academy Trust inspections, according to new survey
Press Release
Our education expertise recognised in latest legal directory rankings
Legal Update
School leaders survey Autumn 2023 – the results are in!
Legal Update - Be Connected (schools)
Be Connected - Winter 2023
Opinion
Cross-sector collaboration and civic leadership: round table insight
Guide
Education sector contracts – top 10 tips on how to get it right
Podcast - #EdInfluence
#EdInfluence podcast (series 3) - in conversation with inspiring leaders
Opinion
Overcoming barriers: Building leadership resilience in MATs
In Person Event
Claims Club - London
Legal Update - Shared Insights
Shared insights: The challenges caused by disordered eating in education, health and social care settings
Press Release
Browne Jacobson and the National Association of Head Teachers publish new guidance for faith schools faced with joining or becoming an academy trust
Legal Update - RAAC
RAAC: the tip of the iceberg for school building safety
Online Event
EdCon2024
Legal Update
Strike minimum service levels in schools and academies: Proposals for voluntary agreement
Legal Update - Be Connected (higher education)
Be Connected - Higher Education Autumn 2023
Legal Update
Improving support for disabled higher education students
Legal Update
School exclusions guidance: Managed moves between schools
Legal Update
PFI expiry - hope for the best, plan for the worst?
Legal Update
Transgender pupils and single sex schools
In Person Event
CST Trust Safeguarding Conference 2024: Courage, creativity, capacity
Legal Update
The season of goodwill: what education charities need to know
Legal Update
The commercial realities of disputes and litigation
Legal Update
Students claim contract breach for university disruption
Legal Update
Are parental complaints to schools undermining staff retention?
Legal Update - Be Connected (schools)
Be Connected - October 2023
Legal Update
What does ‘RAAC’ mean for university campuses?
On-Demand
Changes to flexible working webinar: Opportunities for schools
Legal Update
Covering the costs of RAAC – new guidance published
Legal Update
Introducing the Estates Competency Framework
Legal Update
Academy Trust Handbook 2023: Short sharp focus
Legal Update
Admissions consultations underway: what do you need to know?
Legal Update
Pupil attendance: still a lingering issue
Legal Update
School leaders – share your views on the issues of the day
Legal Update
An update on Ofsted’s early monitoring programme: ineffective safeguarding
Legal Update
Lessons learnt: Handling a vexatious complaint - case study
Published Article - RAAC
RAAC: 5 questions to guide investigations
Legal Update
The role of Ofsted in school complaints
Legal Update - Procurement Act
Procurement Act 2023: Getting Ready for Reform - the countdown is on!
