18 December, 2018
Darren Harrison of Twickenham was a Deputy Head teacher at Isleworth Town Primary School (the School). Six months into his role, he was suspended. Following an IT audit carried out by the School, it transpired that there were large volumes of sensitive personal data on the School's servers from two previous schools that he had worked at (Spelthorn Primary and the Russell School in Richmond).
Following the matter being referred to the Information Commissioner's Office (ICO), an investigation was carried out. The ICO reported that Mr Harrison did not have a valid explanation as to how personal data of pupils from two previous schools was being processed on the IT system of his current employer. The personal data in question had been uploaded through a USB stick on to the School's IT systems.
In the course of an interview with the ICO, Mr Harrison claimed that the information had been taken for professional reasons.
As Mr Harrison did not have a lawful reason to process the personal data of his former pupils, this was a breach of data protection legislation. The ICO as the information rights regulator initiated a prosecution against Mr Harrison for two offences of unlawfully obtaining personal data in breach of section 55 of the Data Protection Act 1998.
Mr Harrison admitted the offences and was fined £700 and ordered to pay £364.08 costs and a victim surcharge of £35.
The ICO's criminal enforcement team noted that children and parents or guardians have the right to have their personal data treated with respect and the right to privacy to be respected. Headteachers within schools hold a position of standing in the community, which entails responsibility to carry out their role beyond reproach.
This case demonstrates the importance of compliance with data protection legislation for all professionals in the education sector due to the individual rights of pupils and parents, the personal liability that can arise, as well as obligations for schools. Processing of personal data can arise in a number of ways including through copying of data, deleting it or retaining it on unused equipment or devices.
Schools and staff may have considered some of the implications of the data protection legislation brought about by the General Data Protection Legislation (GDPR) and made changes. This case demonstrates that compliance with data protection legislation is not a one off event but continuous day to day and may arise in a range of situation.
As part of on-going compliance, schools should consider:
Forbes Solicitors regularly assist schools and colleges with a range of data protection queries. If you have any questions, please do not hesitate to contact a member of our Commercial team or a member of our Employment team.