15 January, 2019
A former head teacher has been fined for unlawfully obtaining children's personal data from previous schools where he worked.
According to the ICO, the head teacher had obtained the information from two primary schools where he had previously been employed, and uploaded it to his then-current school's server. As he had no lawful reason to process the personal data, he was in breach of data protection legislation. The information had reached the system via an upload from his USB stick, but he was unable to explain how it had appeared there, stating that he had deleted the personal data from the stick.
He admitted two offences of unlawfully obtaining personal data in breach of s55 of the Data Protection Act 1998 and was fined £700, ordered to pay £364.08 costs and a victim surcharge of £35.
A representative from the ICO, Mike Shaw, commented: "Children and their parents or guardians have the right to expect that their personal data is treated with respect and that their legal right to privacy is adhered to. A head teacher holds a position of standing in the community and with that position comes the added responsibility to carry out their role beyond reproach".
Schools must ensure that they are fully compliant with GDPR; teachers and schools may be fined for breaching data protection legislation. Each school should have a designated data protection officer and staff ought to be trained to ensure that they are aware of their responsibilities under the GDPR.
On a practical note, schools should consider blocking the use of USB sticks, so that information cannot be stored on them; using strong passwords; and ensuring that electronic data is appropriately managed.
Schools should also give considerable thought as to how personal data is stored in and around school. For instance, what information is posted on noticeboards? What information do staff keep on their desks or in staffrooms? And how and where do staff store work they take home?