Former headteacher’s prosecution demonstrates the risks of storing personal data on USB sticks

This week, the ICO (Information Commissioner’s Office) prosecuted and fined a former deputy headteacher for unlawfully obtaining personal data from two schools he had previously worked at. Darren Harrison was suspended from Isleworth Town Primary School only six months into his new role.

Harrison uploaded large volumes of sensitive personal data from Spelthorne Primary and The Russell School in Richmond to Isleworth Town Primary’s server via USB stick.

Harrison was unable to provide a valid explanation for how the information had appeared on the server, and claimed it had been deleted. He later told the ICO that the data had been taken for professional reasons.

Because Harrison had no lawful reason to process the personal data, he was in breach of data protection legislation. He was fined £700 under the Data Protection Act 1998 and ordered to pay £364.08 costs and a victim surcharge of £35.

Mike Shaw, the ICO’s criminal investigation group manager, said: “The ICO will continue to take action against those who we find have abused their position of trust.”

To ensure data is being handled correctly, schools should:

  • Introduce Cloud services and online access to data so that staff can access data from any location and don’t need to download it;
  • Block the use of USB sticks so that nothing can be saved to them;
  • Conduct data mapping to reveal how staff are storing data; and
  • Conduct data walks of the premises to reveal daily practices and if staff continue to use USBs.

To better support your school’s GDPR compliance project, IT Governance’s newly acquired GDPR.co.uk platform will:

  • Train all staff and governors
  • Record and report data breaches
  • Record subject access and freedom of information requests
  • Track suppliers and their compliance
  • Map data across the school

If you purchase before the end of the month, you’ll receive three free months of access to the platform.

Sign up for a free seven-day trial to receive a free privacy notice template.