Back to News

Posted 12.05.21

A guide for schools: preventing, offsetting and preparing for ICO investigation

By Antonia Noble, Barrister and Founder of Carter Noble

An investigation into your school by the Information Commissioner’s Office (ICO) can be serious, both for the school and those impacted. Just late last year the ICO issued reprimands to schools for improperly disclosing children’s personal data.

In the first case a class photograph, sent to a local newspaper, included the images of two pupils whose adoptive parents had refused consent for their children’s images to be shared. The second followed a class photograph being taken and sent home to parents. The photo included the image of a child whose adoptive parent had previously signed consent forms clearly stating that no photographs of her daughter were to be used outside of the school.

These cases serve as a useful reminder of school’s compliance obligations and the risks associated with processing children’s images on the basis of consent. So, your school is coming under ICO investigation.

In this article we’ll look at the steps you should take in the event of an ICO investigation. Remember: the clearer everyone responsible for data in your school is on these steps, the more straightforward the process will be.

First things first: appoint an experienced DPO

First and foremost, one of the best things you can do to help and to mitigate the chances of a situation like this arising in the first place, is to appoint an experienced DPO who knows what to do and can act as the main point of contact for the ICO. They can also liaise with the ICO at the first sign of a data breach, or should a school have any concerns around challenging data issues (i.e. checking contracts).

Steps to take to prevent data breaches

Prevention is always the best form of protection. The steps below are therefore strongly recommended. They will help to minimise the chances of a breach (and subsequent ICO investigation) ever occurring. Honesty and objectivity should underpin all that you do – they’re crucial when it comes to implementing these steps.

  • Put in place a data breach policy and plan and ensure everyone’s aware of it
  • Ensure everyone knows that they should report breaches as soon as possible – and that they know how to do so
  • Likewise, ensure that the person receiving information about the breach is aware of what to do with it
  • Make an individual responsible for action should a breach occur
  • Make a person the main point of contact for the ICO. They should know how to handle a breach, but also the ICO itself. The chosen person should be highly competent at drafting documents. This is crucial. Knowledge of the law is also desirable.
  • The data breach plan must be simple and straightforward to follow, yet effective
  • Schools should run through this plan in advance to identify and fix any problems, comprehensively documenting any decisions taken during the internal data breach review. Remedial action should then be taken.

Offsetting a data breach, and what to do in the event of investigation

Outlined below are a number of steps, processes and tips to help your school offset a data breach and ensure an ICO investigation (should it come to this) runs as smoothly as possible.

  • Ensure you have adequate security for the processing your school undertakes and that all your systems remain fully up-to-date. Remember: you process a lot of data and much of it is sensitive/special category
  • All data policies, including those relating to information security and acceptable use etc., must be in place and current
  • The school’s data privacy notices must be up-to-date and reflect the very latest data processing arrangements of the school. Remember: privacy notices should be available to everyone whose data you process (i.e. governors, trustees, parents, contractors etc.), not just staff and students
  • Ensure notices are available at every point information is gathered (i.e. on a website for staff, HR systems etc.)
  • Any contracts that pertain to data must be checked to ensure they comply with UK GDPR
  • Data Privacy Impact Assessments must be undertaken and in place for any data processing you do
  • Have a full and up-to-date record of all your data processing activities (this could be in an Information Asset Register or similar format)
  • Ensure all the data you process has a legal ground for processing, including consents which must be up-to-date and comply with all GDPR requirements
  • Ensure all staff are trained and you have a record of all training undertaken by staff
  • Robust and simple breach detection policies and internal reporting and investigation procedures should be in place. These will help you decide whether the ICO and/or affected individuals need to be notified
  • Any personal data breaches, regardless of whether you’re required to notify individuals and/or the ICO, must be comprehensively recorded
  • In light of breaches, the systems and procedures you have in place must be reviewed and are actions taken that will mitigate the chances of a similar breach occurring again
  • Keep data protection, in all its forms, on a risk register.

For more information on keeping data safe in school systems, see our other blog: Keeping data safe in school systems: a straightforward guide .

Options for data subjects in the event of a breach: complaints, legal action, and compensation

Data subject complaints

All data subjects, whether it’s students, staff, volunteers ,etc. have the right to lodge a complaint with the ICO if they feel that the processing of their personal data infringes UK GDPR.

Judicial remedy

After complaining, if the data subject feels that the ICO has not handled the complaint sufficiently, their decision can be delayed by over three months.

Data subjects also have the right to take legal action without first seeking an intervention from the ICO, so parents, staff, students (and any other data subject) could bring action in the civil courts. For schools, this could relate to almost all of the processing done, but it’s possibly most likely where there has been a contentious disciplinary action against a student and the school has been asked to undertake a subject access request.


Data subjects have the right to claim compensation from controllers and/or processors under Article 82(1) of UK GDPR. This can occur where there has been both actual, material damage and non-material damage (i.e. distress) caused by the infringement. A school may lose a staff member’s sickness record or a student’s examination data, for example. In which case, the staff member and student may have grounds for compensation. Importantly, this can occur where there is no lawful ground for processing data, so ensure you have grounds and all necessary consent for using/processing any personal information/imagery, etc.

For more information on schools publicly using personal information/imagery, see our other blog: Keeping students and staff safe while raising your school’s online profile . To find out more about data breaches, reporting data breaches and how breaches are investigated, see Understanding data breaches and ICO investigations.

In summary

Data breaches can be complex and extremely damaging, both for the school and the individuals impacted. In the event of a breach being reported to the ICO, time is of the essence. You need to act quickly and thoroughly, so everyone needs to know their roles and what the next steps are. Crucially, your DPO can help with this process, liaising with the ICO and ensuring all necessary procedures are followed.

And don’t forget: by properly training your staff, having good systems in place, including robust IT provision, and appointing an experienced DPO, you may even prevent something like this from happening in the first place.

Want to stay in Sync?

Sign up for all the latest news, events and updates from Sync.

  • This field is for validation purposes and should be left unchanged.