When running training courses and speaking at conferences I am often asked whether any school staff have been prosecuted for Data Protection breaches. In reality there hasn't been anything newsworthy for quite some time... until now!
The ICO's website reported the following on 5th December:
A former headteacher has been fined in court for unlawfully obtaining school children’s personal data from previous schools where he worked.
Darren Harrison of Twickenham, obtained the information from two primary schools were he had worked, and uploaded it to his then current school’s server. As he had no lawful reason to process the personal data, he was in breach of data protection legislation.
Six months into his role as Deputy Head at Isleworth Town Primary School, Harrison was suspended. A subsequent IT audit showed large volumes of sensitive personal data present on the Isleworth server from his previous schools, Spelthorne Primary and The Russell School in Richmond.
During the course of the investigation, Harrison provided no valid explanation as to how the information had appeared on his system, which was via an upload from his USB stick, stating he had deleted the personal data from it.
In a subsequent interview with the Information Commissioner’s Office (ICO) Harrison read from a prepared statement advising the information had been taken for professional purposes.
Appearing before Ealing Magistrates’ Court, Harrison admitted two offences of unlawfully obtaining personal data in breach of s55 of the Data Protection Act 1998.
He was fined £700, ordered to pay £364.08 costs and a victim surcharge of £35.
Mike Shaw, the ICO’s Criminal Investigation Group Manager, said:
“Children and their parents or guardians have the right to expect that their personal data is treated with respect and that their legal right to privacy is adhered to. A headteacher holds a position of standing in the community and with that position comes the added responsibility to carry out their role beyond reproach. The ICO will continue to take action against those who we find have abused their position of trust.”
Many of you have heard me questioning repeatedly the need to use USB sticks in this day and age, when secure remote access to network servers is often routinely available for school staff. This is just another example of why I think the time has come to ditch those memory sticks!