05 May, 2020
Last week, the High Court published a judgment in which a school was held liable for breaches of the Data Protection Act 1998, misuse of private information and breaches of the Human Rights Act 1998. The school had sent a letter to parents regarding the disruptive behavioural issues of a disabled pupil, designed to reassure them that staff were able to deal with the behaviour appropriately.
The case of ST (A Minor) and another v L Primary School EWHC 1046 (QB) dates back to 2013 and relates to breaches of the Data Protection Act 1998. Whilst this legislation has now been replaced by the General Data Protection Regulation (GDPR) and the Data Protection Act 2018, there are useful points to take away from this decision which will assist schools in their ongoing GDPR compliance.
Background of the Case
The pupil joined the school in Year 5, after her parents moved to the area. On joining the school, the pupil's parents completed a consent form where they did not provide consent for the pupil to be photographed or recorded by the school, for photos of the pupil to be used on the school website or for any photo of the pupil or her name to appear in the local newspaper in school-related news items.
The pupil was in receipt of a statement of special educational needs and the school put in place a programme of support for her. The pupil started her classes in February 2013. Between the pupil starting and the middle of March 2013 there were a number of incidents involving the pupil's behaviour, including an incident where the pupil threw objects at other children and was biting and pulling hair. After that incident, the school advised that it was contacted by several parents of other pupils regarding what their children had seen or experienced during class. The decision was taken by the school to write to all Year 5 parents, rather than to respond to each parent individually.
On 14 March 2013, the school wrote to around sixty Year 5 parents. The letter notified parents that there was a new pupil in Year 5 who had Down's Syndrome, that she found some aspects of school life challenging and that their child may have witnessed some behaviour that they found disturbing. The letter also stated that staff are trained in positive handling techniques and are more than capable of dealing with any situation that arises.
Breaches of the Data Protection Act
The High Court found that the school had not obtained the consent of the pupil's parents to send the letter in question. The letter contained information relating to the physical and mental health of the pupil, which was 'sensitive personal data' for the purposes of the Data Protection Act 1998. In these circumstances, consent was the only basis under the Data Protection Act on which this information could justifiably be disclosed to all Year 5 parents. There was no documentary evidence that the school had obtained consent: it did not have it in writing from the parents, nor were there any minutes of meetings with the parents. Therefore, the Court found that consent had not been obtained. The sending of the letter was neither fair nor lawful in accordance with the Data Protection Act 1998.
Whilst the Court found that the school had breached the Data Protection Act 1998, it did not award any compensation for the breach as there was no clear evidence that the pupil was informed of the sending of the letter or had been distressed by it.
However, claims were also brought for the misuse of private information and breaches of the Human Rights Act. The Court found that the school had breached human rights and misused private information and awarded compensation of £3,000 to the mother and £1,500 to the pupil.
Whilst these proceedings were brought under the Data Protection Act 1998, there are some important parallels for schools to consider. Under the GDPR, the appropriate legal basis to send a letter of this kind would still be consent. Therefore, schools need to ensure they document when consent is obtained in order to be able to demonstrate at a later date that consent was validly obtained. In this case, a complaint was made to the ICO, which did not investigate the individual complaint but rather took the opportunity to consider whether best practice would need to be revised in the school sector. If this happened today, a different approach would be taken by the ICO, as it has a statutory duty to investigate individual complaints and the ability to impose large fines or take other regulatory action where there has been a breach of the GDPR.