Personal data breaches in schools, to report or not to report?

Under the GDPR, all personal data breaches need to be recorded by the organisation and there should be a clear and defined process for doing so. In some circumstances, breaches also need reporting to the ICO (Information Commissioner’s Office) and within 72 hours of their discovery.

In the third of our #BreachReady blogs for schools, we explore which typical school breaches need reporting.

Understanding what constitutes a personal data breach

The ICO defines a personal data breach as

“…a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.”

Examples of personal data breaches in schools

  • An unauthorised person accessing the data. For example, a pupil or unauthorised staff member accessing a staff laptop, because it has been left logged in or they know the login details. This also applies if unencrypted laptops and other devices are lost or stolen.
  • Deliberate or accidental action (or inaction) by the school or one of the processors. An example could be sending old PCs, laptops or even filing cabinets to be destroyed without removing the data held within them.
  • Sending personal data to the wrong person, such as by email, post or fax. This would include sending completed data collection sheets to the wrong parents.
  • Alteration of personal data without permission. For example, someone accessing the school’s payroll system and changing staff pay grades.
  • Loss of availability of personal data, such as networks or systems going down. Such as the school internet going down, either accidentally or through a cyber-attack, so that all web and cloud services are unavailable.

Which breaches need reporting to the supervisory authority?

The Regulation outlines that any data breach that is likely to risk the rights and freedoms of natural persons must be reported. This includes any breaches that could lead to physical, material or non-material damage.

Which breaches do not need reporting?

Where data has been encrypted, such as on a laptop, mobile device, memory stick or email, the breach does not need to be reported, however sensitive the data is. This is because unauthorised people would not normally be able to access the data. If there is a risk of this happening, then the breach should be reported.

Breaches that need to be reported to the ICO

This list explains this further by categorising the risks to the rights and freedoms of individuals, as defined by the Regulation with examples of relevant personal data held by your school. Remember that a breach includes personal data that’s on paper as well as electronic.

Where the data breach may give rise to…

Discrimination, including bullying:

  • Pupil special needs information;
  • Staff and pupil health records;
  • Child protection records;
  • Staff pay scale and payroll information; or
  • Pupil progress and attainment records.

Identity theft or fraud:

  • Names, dates of birth and addresses – when breached together; or
  • Completed pupil data collection sheets.

Financial loss:

  • Banking information from payroll data or recruitment forms; or
  • Criminal hackers accessing school parent payment software, billing information or bank accounts.

Damage to the reputation:

  • Staff performance management records;
  • Pupil behaviour records; or
  • Child protection records.

Loss of confidentiality of personal data protected by professional secrecy:

  • Staff performance management records; or
  • Child protection records.

Unauthorised reversal of pseudonymisation

Where this method has been used to protect data and has been reversed.

Any other significant economic or social disadvantage:

  • Payroll information;
  • Pupil premium records; or
  • Information about pupils receiving bursary or other financial support, perhaps with trips or uniform.

Any breach to data classed as sensitive

Such as:

  • Racial or ethnic origin;
  • Political opinions;
  • Religion or philosophical beliefs;
  • Trade union membership;
  • Genetic data;
  • Health data;
  • Data concerning sex life; and
  • Criminal convictions and offences or related security measures.

Sensitive data is held in many places across the school such as:

  • The school’s (MIS) management information system, e.g. SIMS, iSAMs or Progresso;
  • Staff and pupil recruitment forms;
  • Data collection sheets;
  • DBS (disclosure barring service) paperwork;
  • Staff and pupil medical records; and
  • Minutes of trade union meetings.


Supporting your school to identify and manage data breaches

One of the many features of the platform is a comprehensive data breach recording section that follows the ICO’s data breach reporting process. Serious data breaches can also be reported directly to the ICO via the platform.

Visit to sign up for a seven day free trial. Secondary schools pay only £495 and primary schools £295 for a one year license.

Find out more >>