What Are My Rights After A School Data Breach?

By Stephen Burke. Last Updated 18th October 2024.

Did you know that if you or your child suffer mental harm or financial loss because of a school data breach, you may be in a position to make a compensation claim? You would need to prove that a school’s positive wrongful conduct caused the breach and that your personal data (or your child’s) was involved.

That’s where this guide aims to help. We will equip you with a basic knowledge of the process of making a data breach claim. You will also learn about what justifies a valid claim. We’ll explore what a No Win No Fee claim involves too.

Your claim will be based on a unique set of circumstances. Because of this, you may find that this guide does not answer all of the questions you have. We can answer those questions for you. Just call 0800 073 8801 and speak to our advisors. Alternatively, use our live chat.

Our advisors give free legal advice. What’s more, if you have grounds for a solid claim, they could connect you with our solicitors. However, you won’t be under any obligation to proceed with these services. So why not get in touch?

Select A Section:

  1. A Guide To Personal Data Breach Claims Against A School
  2. What Personal Data Could A School Hold About Me?
  3. What Is A Personal Data Breach Claim Against A School?
  4. Examples Of What Should Schools Do If They Breach Your Data Privacy
  5. When Could You Claim For A Breach Of The GDPR?
  6. Evidence That Could Support A Data Breach Claim
  7. Educational And School Data Breach Compensation Calculator
  8. No Win No Fee Claims For A School Data Breach
  9. Related Guides

A Guide To Personal Data Breach Claims Against A School

This guide is aimed at equipping you with the knowledge that you will need to make proper decisions about your own claim. It covers data protection breaches in schools, but much of the guide will apply to any kind of data breach claim. You will learn about what a valid claim is, and how a data breach lawyer can help.

First, it’s important to note that not every school data breach will be a consequence of the school’s positive wrongful conduct. However, if it is, and your or your child’s personal data is affected, you could claim. You’d need to prove the financial losses or psychological damage that the data breach caused.

We refer to data subjects in this guide. A data subject is anyone whose personal information is collected or processed.

Personal information or personal data is any information that can be used to help identify a data subject. It can include names, addresses, photographs or phone numbers, for example.

We also refer to data protection laws in this guide. The GDPR is an EU law that was enacted into UK law via the Data Protection Act 2018. The Data Protection Act sits alongside the UK GDPR. As data protection laws, they aim to ensure you have more security and control in relation to your personal data.

Get More Free Legal Advice

Our advisors give free legal advice and are here for you 24/7. You can call us, send an instant message through our live chat or use a different contact method at the bottom of the page. If you have evidence of a justifiable claim, they could connect you with our solicitors.

Time Limits To Make A Claim

The time limits for making a data breach claim are:

  • Six years.
  • One year if your human rights are involved.

You can check with our advisors to learn which time limit could apply based on your own claim.

What Personal Data Could A School Hold About Me?

Schools hold a variety of personal data about employees, students and parents. For example:

  • Names, dates of birth, email addresses and telephone numbers.
  • Your bank details or credit card information if you have paid for school services in the past.
  • Information relating to a child’s relationship with social services if it’s appropriate for them to have that information.
  • Medical information such as known allergies or long-term medical conditions.
  • Logins for the school intranet.

If personal data is exposed, it could cause varying degrees of harm. For example, you or your child might suffer psychologically or you may lose out financially if banking information is accessed.

What Is A Personal Data Breach Claim Against A School?

A personal data breach begins with a breach of security. This then causes personal data to be lost, destroyed, accessed, disclosed or altered without a lawful basis. It can be accidental or deliberate.

Every educational establishment has to comply with all relevant rules and regulations pertaining to data privacy and security when they collect or process personal data. There could, for example, be a robust school data breach policy in place, ensuring that all personal data is adequately protected.

If the school fails in its legal obligation to protect personal data, this can expose the data to risk. And this risk could ultimately lead to you or your child becoming the victim of a data breach. In such cases where these failings and subsequent harm can be proven, you would potentially have a valid cause to make a compensation claim.

How Does A Data Breach Happen?

Accidental data breaches can be caused by error, oversight or omission, for example. Deliberate external intrusions, by cybercriminals, for example, can also result in a data breach.

It is important to note that data protection laws cover physical data and also digital data. Examples of how physical data could be compromised include:

  • Leaving a file containing personal information open on a desk where any unauthorised member of the public can access it.
  • Losing paperwork containing personal information while travelling to or from work.
  • Throwing away scans containing personal data without properly disposing of them.
  • Giving personal information held on files to a person who requests them, but doesn’t have a lawful reason to have them.

Examples of a digital school data breach could include:

  • A hacker manages to gain access to a school’s systems and steals personal information due to vulnerabilities in online security.
  • Storage devices, such as USBs, are improperly thrown away without the personal data held on them being destroyed first. The USB is then obtained by someone who doesn’t have a lawful basis to access the information on it.
  • A member of staff emails your child’s personal data to the wrong person, who isn’t authorised to access it but does anyway.

These are just some examples of how physical and digital data breaches can happen. There are, of course, many more.

The Damage That A Data Breach Can Do

We have already shown that a school stores a significant amount of personal data. If a person with malicious intent accesses it then, depending on what kind of data they steal, they could potentially steal your identity. They could, for example, take out new loans. There may be long-term ramifications in this instance.

If financial information is accessed, someone could steal from your bank account.

You may also suffer psychological harm because of the distress of having your personal information exposed or that of your child.

If you make a successful data breach claim, you could recover the financial losses and be compensated for any psychiatric harm the data breach causes too.

Examples Of What Should Schools Do If They Breach Your Data Privacy

If school security measures have been ineffective and a third party has gained access to your personal data, the school should take specific steps. These can include:

  1. Define the scope of the breach and the risk attached to it.
  2. Fix the breach to stop more personal data from being exposed.
  3. Report the breach to the Information Commissioner’s Office within 72 hours if it risks the rights and freedoms of data subjects.
  4. Inform the data subjects without undue delay if their rights and freedoms are at risk.

Even when a school takes these measures, it does not mean the breach has been mitigated. You could still be in a position to make a claim if the breach was caused by their failings and you suffered financial loss or mental harm. Call and talk to our advisors to learn how.

When Could You Claim For A Breach Of The GDPR?

There are different reasons why you might want to make a compensation claim for a school data breach. For example:

  • A representative of the school, such as a member of staff, accidentally exposed your personal data or your child’s personal data.
  • An unauthorised third party gained access to your personal data through nefarious means.
  • The school used your personal data in a way that it did not have a lawful reason for.

However, in order to claim, you would need to be able to prove that the school’s positive wrongful conduct caused the data breach. Not every school data breach is caused by the school’s failings.

You’d also need to ensure you have evidence that your personal information was involved in the data breach and that it caused you financial loss or mental harm (or both).

If you need help making a claim, you can call and speak to our advisors. An advisor can help you to get your claim started.

GDPR And Your Rights

Data protection legislation in the UK gives you a number of rights. These help you to control how your personal data is being used. Under the UK GDPR, your rights are:

  1. You have a right to be informed about why your personal data is being collected and what it’ll be used for.
  2. You have a right to access your personal information and receive copies of it.
  3. Any errors in the data that the school has about you should be corrected if you request it (right to rectification).
  4. You can ask the school to delete the personal data it has about you (right to erasure).
  5. In certain circumstances, it should be possible for you to tell the school that you don’t want your data being used in specific ways (right to restrict processing).
  6. You might ask that you are given a copy of the personal data that the school has about you. If you do, this data should be given to you in an easily transferable format (right to data portability).
  7. You have the right to object to your personal information being processed in certain instances.
  8. You have rights in relation to automated decision making and profiling.

If you have any concerns about how your personal information was involved in a data breach and whether you can claim, why not get in touch?

Evidence That Could Support A Data Breach Claim

When making a data breach claim against schools and colleges, you should be able to gather some evidence that will add weight to your claim. Our claims team can tell you more about this, but typical evidence might include:

  • Information about how you discovered your data had been exposed.
  • Copies of any communication between you and the school regarding the breach.
  • Details of any complaint you made to the ICO.
  • Documented proof of financial loss caused by the data breach.
  • A medical report showing how you suffered psychological harm due to the data breach.

Speak to our advisors for some more advice on the types of evidence to gather and how.

Educational And School Data Breach Compensation Calculator

Compensation differs for each claimant and can involve non-material damages and material damages. Non-material damages is compensation for psychological harm. It’s calculated as it would be in personal injury cases: you’d attend a medical assessment.

An independent medical professional would assess your injuries and create a report. The report would show:

  • How severe the injuries are.
  • Whether the data breach caused or worsened your injuries or whether there was no link at all. (If there’s no link between the breach and your injuries, you may find it difficult to claim non-material damages.)

If you’re claiming for psychological harm caused by a data breach, the amount you receive would be assessed by factors such as how long you suffered for and how you suffered. The compensation table below demonstrates this. The Judicial College produces guidelines that we based the figures in this table on. Solicitors use these guidelines to help them when valuing injuries.

| Injury type | Severity of injury | Compensation | Additional Notes |
|---|---|---|---|
| Severe psychological harm plus financial losses | Severe | Up to £250,000+ | A single payout may be given if you're eligible to be compensated for both severe psychological harm and financial losses related to a school data breach. |
| Psychiatric damage | Severe | £66,920 to £141,240 | The claimant would suffer with various aspects of life and the prognosis would be poor. |
| Psychiatric damage | Moderately severe | £23,270 to £66,920 | The claimant would struggle with work and other aspects of life. However, the prognosis would be better than for a person suffering severe psychiatric damage. |
| Psychiatric damage | Moderate | £7,150 to £23,270 | There would be a significant improvement by trial. The prognosis would be optimistic. |
| Psychiatric damage | Less severe | £1,880 to £7,150 | This award would be calculated based on how long the claimant suffered for and how much everyday activities and sleep were impacted. |
| Post Traumatic Stress Disorder | Severe | £73,050 to £122,850 | Permanent symptoms of PTSD will be present with no prospect of employment. |
| Post Traumatic Stress Disorder | Moderately severe | £28,250 to £73,050 | Severe symptoms but also some chance of improvement with professional help. |
| Post Traumatic Stress Disorder | Moderate | £9,980 to £28,250 | An almost full recovery could be possible, although there will be some lingering effects. |
| Post Traumatic Stress Disorder | Less severe | £4,820 to £9,980 | A large recovery will have been made or occur. No grossly disabling effects will continue to persist. |

You may also be able to claim for financial loss caused by the data breach. This is known as material damages. For example, it could include money spent from your bank account if this can’t be recovered, and also costs you incur because of the breach, such as having your passport replaced.

You can prove non-material damages by providing documents such as bank statements and credit scores.

For some advice on what types of damages to claim for, you can call and talk to our claims team any time of the day or night.

No Win No Fee Claims For A School Data Breach

If you meet the eligibility criteria to make a school data breach claim, one of our No Win No Fee solicitors could potentially assist you. Our solicitors have experience in handling a wide range of data breach cases. They could support your claim under a Conditional Fee Agreement (CFA).

When claiming for a school data breach under a CFA:

  • You do not have to pay your solicitor for their services upfront or throughout the claim.
  • Also, you normally don’t have to pay your solicitor for their work if the claim does not succeed.
  • Following a successful claim, you will pay your solicitor a success fee. This means that your solicitor will take a small, legally capped percentage of your compensation to cover this payment. The legal cap ensures you get to keep most of your compensation.

Contact our advisors today to see if one of our No Win No Fee solicitors can help you with your data breach claim. Our advisors can also answer any other questions you may have regarding the claiming process. You can get in touch through one of the following methods:

Related Guides

All of the guides below could be worth reading if you’d like more insight into claiming.

Visiting these external links could provide you with some useful background information:

Thanks for reading our guide on what a school data breach could look like and how you could claim.