British Airways £183m data breach fine – should schools be worried?
In a word (or three) no, not really. Before we get overexcited about BA’s hefty fine, let’s put it in perspective and remember that for the moment it is the Information Commissioner’s Office intention to levy this fine – BA will now make representations about it.
In a word (or three) no, not really. Before we get overexcited about BA’s hefty fine, let’s put it in perspective and remember that for the moment it is the Information Commissioner’s Office intention to levy this fine – BA will now make representations about it.
Under the old rules the ICO could fine organisations up to £500k. You may remember that Facebook and Equifax got stung with £500k fines in late 2018 for breaches under the old rules and earlier that year Carphone Warehouse paid out £400k and Uber stumped up £385k.
Those fines don’t really make a dent to large organisations and that’s why the rules now allow for a fine of up to €20m or 4% of worldwide turnover. The details of the breach that led to the fine are not hugely relevant; the key point is that it was a cyber breach that led to the personal data or around 500,000 people being compromised, which included payment card details and log in information. So, the data stolen was significant in terms of volume and content.
Does this mean schools will be hit with similar fines? Personally, I don’t think so. We do need to take it seriously, not because of the big chunk of cash BA will be handing over, but because of what Elizabeth Denham said:
“People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”
Ask yourself this: if you had a data breach and faced the scrutiny of the ICO, how would you fare?
Here are my top tip tops to help you fare pretty well:
- Appoint and train your DPO and keep that training updated;
- Train staff and be able to evidence outcomes of that training;
- Carry out basic audits (and be able to evidence them) and then take steps to remedy any weaknesses;
- If you have a reportable breach, report quickly and fully;
- The fines can be hefty, so getting legal advice when managing a breach is worthwhile.
Contact
Dai Durbridge
Partner
dai.durbridge@brownejacobson.com
+44 (0)330 045 2105
You may be interested in...
Press Release - Firm news
Browne Jacobson delivers record-breaking growth as strategic vision drives exceptional performance
Legal Update
DEI in school governance: Key themes and insights
Opinion
Spending Review: Setting the stage for UK investment
Article
The socio-economic duty: Shifting mindsets for true social mobility
Press Release
Spending Review 2025: Browne Jacobson lawyers respond to Chancellor’s announcement
Press Release
Browne Jacobson’s School Leaders Survey illustrates concerns over financial resilience ahead of spending review
Legal Update
ESG and sustainability report: Rethinking communication and credibility
Press Release
Majority of UK organisations remain committed to sustainability and ESG, says new research
Opinion
Addressing the gender pay gap in school trusts
Podcast - #EdInfluence
#EdInfluence podcast (series 4): In conversation with inspiring leaders
Legal Update
The OfS agrees a settlement with Leeds Trinity University
Press Release
Browne Jacobson’s latest School Leaders Survey to focus on schools exclusions and early years funding
Press Release
UK-EU reset deal: Comments from Browne Jacobson experts
Opinion
Disciplinary procedures and mental health: Employer considerations
Legal Update
Supporting mental wellbeing in the workplace: Practical steps for businesses
Legal Update - Be Connected (higher education)
Be Connected, higher education: Spring 2025
Published Article
Learning from Europe: Funding models for UK schools infrastructure
Legal Update - Be Connected (schools)
Be Connected: Schools and academy trusts, May 2025
Legal Update
New novel, contentious and repercussive transactions guidance
Legal Update
Unpacking the new guidelines for alternative provision: Practical steps for education institutions and providers
Online Event
School exclusions: A review of the latest developments and looking to the year ahead
Opinion
EHRC releases guidance for employers after Supreme Court ruling on definition of woman
Legal Update
Unfunded pay rise for teachers risks strikes, tension, restructures and budget crisis
Guide
Advice for schools on how to handle information requests from the police
Legal Update
2025/26 employment rates and limits: Are costs increases having a negative impact on the job market?
Legal Update - School leaders survey
School leaders survey, summer 2025
Legal Update
Analysing new statistics on school exclusions
Legal Update
Lessons from the 2025 cyber security breaches survey for higher education
Legal Update
Safeguarding children: Effective strategies for prevention and response
Legal Update
The rise in schools-based nurseries and the practicalities for growing trusts
Legal Update
Supreme Court ruling on trans women: What schools need to know
Legal Update
Changes to Ofsted inspection, school accountability and intervention
Legal Update
Top tips for schools handling AI generated complaints
Legal Update
Updated Modern Slavery Act Transparency Guidance: Key obligations and steps for businesses
Guide
Fair Access Protocols for school admissions: Addressing common issues
Guide
When can schools refuse admission due to challenging behaviour?
Published Article
Five key considerations for effective safeguarding leadership
Published Article
Building bridges in edtech: The convergence of AI governance and educational needs
Legal Update
Improving university governance: what we can learn from the OfS latest regulatory report
