What is an Educational Data Breach?

Unfortunately, it is becoming increasingly common for educational institutions to make data breach errors, leading them to fall foul of the stringent Data Protection Act/GDPR provisions.

In an educational context, the Data Protection Act aims to protect pupils, their respective families and staff.

We’ve dealt with data breach claims for the following educational institutions:

  • Schools
  • Universities
  • Nurseries
  • Colleges
  • Exam Boards

Such institutions are often over-stretched due to budget cuts, meaning that important rules regarding the protection of children’s data are being overlooked. Additionally, schools have struggled to update their processes to align them with recent advances in technology. This has left children, their parents and staff vulnerable.

It is important to note that children are eligible to make a claim for data breach compensation, provided that they have an appropriate adult acting as their litigation friend. This is usually their parent or guardian.

What are the common types of educational data breaches?

The most common types of data breaches that we see in relation to educational institutions are


As most schools fall within the category of the public sector, they are an attractive target for cyber-hackers. Cyber-hackers often infiltrate the school’s database and gain access to the vast array of personal information stored on it. Due to a lack of funding, schools often have a limited focus on data protection and usually have outdated systems that are weaker and more susceptible to being hacked into.

If this occurs, the educational institution in question must be able to prove that it had sufficient security measures in place and that it did everything that it reasonably could to prevent the cyber-attack from occurring. If it is unable to prove this, then the person who has been affected is able to make a claim for any distress and inconvenience that they have suffered as a result.

Human Error

Human error is the leading cause of educational data breach claims as well as most data breaches in general. The most common examples are a teacher sending personal information to the wrong person or disclosing an individual’s information to a third party, without the individual’s consent.

A recent example, in which a headteacher disclosed information regarding a child without the child’s or parents’ consent, can be seen in the case of ST (A Minor) & Anor v L Primary School. In this case, a headteacher disclosed information regarding a pupil’s behavioural problems in a letter to 60 parents of the child’s year group, without the consent of the child’s parent. The school was ordered to pay £1,500 and £3,000 damages to the child and mother respectively under the tort of misuse of personal information. Consent is crucial to the processing of sensitive data under the Data Protection Act.

This case demonstrates the severity of such breaches. As I am sure you can imagine, if your personal data has been compromised due to human error, this can still result in great distress, including lack of sleep and feeling confused. This can also have an impact on your personal life. You can also claim compensation for this.

Should I make an educational data breach claim?

We understand that you may be hesitant to make a claim against your child’s school, due to the excellent job that teachers carry out and the role that the school plays in bringing the community together.

Schools are responsible for handling a lot of private and sensitive data and it is vitally important that this is kept safe, particularly when it concerns children.

It is imperative that educational institutions are held to account, in the same way that a private company would be if it were to breach your data. All of our data has value. Therefore, you are entitled to make a claim for compensation for a breach of your data, no matter who is responsible for committing such a breach. Sometimes, making a claim is the only way to ensure that processes are improved to adequately protect your data.

How much compensation is my claim worth?

Regardless of how the breach was caused, as long as you are able to prove that you have suffered distress and inconvenience as a result of the data breach, then you legally have a right to claim compensation.

The level of compensation that you are eligible for varies from case to case, depending on the seriousness of the claim and the damages it resulted in.

Compensation for distress and inconvenience usually ranges between £500 and £10,000, depending on the severity of the breach. Additionally, if you have suffered any financial loss as a result of the breach, we will always look to recover this in full, in addition to the figure for loss and inconvenience suffered.

How do I make a claim?

If you believe that you are a victim of an educational data breach, please get in touch with us on 0151 909 8212 for a free, no-obligation discussion with an experienced member of our legal team, who can advise as to whether you are able to make a claim for compensation.

If you’re still not sure about your next steps, or if you even have a claim, the best thing to do is contact our friendly team for some free, initial advice. We can help you determine your best option and if you do have a claim, get the ball rolling on claiming compensation.