British Airways £183m data breach fine – should schools be worried?
In a word (or three) no, not really. Before we get overexcited about BA’s hefty fine, let’s put it in perspective and remember that for the moment it is the Information Commissioner’s Office intention to levy this fine – BA will now make representations about it.
In a word (or three) no, not really. Before we get overexcited about BA’s hefty fine, let’s put it in perspective and remember that for the moment it is the Information Commissioner’s Office intention to levy this fine – BA will now make representations about it.
Under the old rules the ICO could fine organisations up to £500k. You may remember that Facebook and Equifax got stung with £500k fines in late 2018 for breaches under the old rules and earlier that year Carphone Warehouse paid out £400k and Uber stumped up £385k.
Those fines don’t really make a dent to large organisations and that’s why the rules now allow for a fine of up to €20m or 4% of worldwide turnover. The details of the breach that led to the fine are not hugely relevant; the key point is that it was a cyber breach that led to the personal data or around 500,000 people being compromised, which included payment card details and log in information. So, the data stolen was significant in terms of volume and content.
Does this mean schools will be hit with similar fines? Personally, I don’t think so. We do need to take it seriously, not because of the big chunk of cash BA will be handing over, but because of what Elizabeth Denham said:
“People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”
Ask yourself this: if you had a data breach and faced the scrutiny of the ICO, how would you fare?
Here are my top tip tops to help you fare pretty well:
- Appoint and train your DPO and keep that training updated;
- Train staff and be able to evidence outcomes of that training;
- Carry out basic audits (and be able to evidence them) and then take steps to remedy any weaknesses;
- If you have a reportable breach, report quickly and fully;
- The fines can be hefty, so getting legal advice when managing a breach is worthwhile.
Contact
Dai Durbridge
Partner
dai.durbridge@brownejacobson.com
+44 (0)330 045 2105
You may be interested in...
Legal Update
SEND capacity issues leading to non-compliance
Legal Update - Be Connected (higher education)
Be Connected – Higher education Spring 2024
Press Release
Browne Jacobson’s school leaders survey illustrates rising volume of parental complaints and impact on teachers
Legal Update
High Court dismisses school prayer ban challenge
Legal Update
School leaders survey Spring 2024 - the results are in
Guide
Revisions to Ofsted’s complaints procedure: what you need to know
Legal Update
OFS Consultation on freedom of speech guidance
Legal Update
Understanding the ICO's new fining guidance
Legal Update
7 ways academy trusts can prepare for the new Corporate Transparency Act
Online Event
School complaints: handling problem parent behaviour
Press Release - Firm news
Three newly-qualified solicitors join Browne Jacobson’s education team
Podcast - #EdInfluence
#EdInfluence podcast (series 3) - in conversation with inspiring leaders
Opinion
Can teachers personal and political views amount to misconduct?
Legal Update
New leadership for our education team
Press Release - Firm news
Browne Jacobson announces Nick MacKenzie to succeed Mark Blois as head of Browne Jacobson’s education team
Legal Update
Changes to academy conversion funding
Legal Update
Holiday pay: Government change clarifies treatment of term time only workers
Legal Update
All change at Companies House - Corporate Transparency Act
Online Event
Understanding the changing role of company secretary for academy trusts
Legal Update
Cyber-attacks in UK universities: Why failing to prepare is no longer an option
Opinion
School attendance matters
Legal Update
Not quite a blanket ban on mobile phones in schools: DfE guidance insights
Legal Update
Charity law update – March 2024
Opinion
Caregivers at work: Navigating new carer's leave regulations
Legal Update
Updated guidance for collaborative learning delivery in higher education
Opinion
EHRC publishes new guidance on menopause and the workplace
In Person Event
Child protection in Education – London
In Person Event
Leading Safeguarding 2024 - London
In Person Event
Optimus: HR update and people strategy
Legal Update - Be Connected (schools)
Be Connected (schools and academy trusts) - February 2024
Legal Update
Ofsted reform: Where are we now and where do we go from here?
Legal Update
New case on the reasonable adjustment duty for pupils in schools
Legal Update
What does the new gender questioning guidance mean for schools?
Legal Update
How do holiday pay reforms affect the education sector?
Legal Update - Building Safety Act
Do your campus buildings comply with the latest legislation?
Published Article
Proactive handling of vexatious complaints and abuse of staff in schools
Legal Update
Subsidy control: Guide to streamlined routes for universities
Legal Update
Data protection in higher education: what to expect in 2024
Legal Update
Installing EV charge points on university campuses
