Can academies be fined for data protection breaches?

[SquareRootz]

I suspect they can, but who do you inform if something's happened? I work in the public sector and am aware that swingeing fines can be meted out to organisations that are careless with sensitive info, but is it the same with schools?

I ask because a kid at my DS's school got sent a letter informing them that they'd been suspended. It was obvious it was a cock-up because the details of the incident were quite distinctive and easy to disprove, and there'd been no lead-up as you might expect. It turned out that they'd been mixed up with another kid with the same name (think common name with unusual spelling).

Now obviously the parents are entitled to, at least, a grovelling apology. But the identifiability of this situation and the sensitivity of the info has created a breach of confidentiality (I have been deliberately vague about details and changed a fair few, just to be careful). So what are the potential repercussions for the school? Are they obliged to tell the Information Commissioner about this? And is anyone likely to get sacked for misconduct?

[meditrina]

Yes, ICO can fine any organisation or individual which makes a culpable breach, and that includes all categories of schools in both state and independent sector.

You can either go straight to them, or exhaust the school's grievance procedure, whichever you prefer.

[titchy]

Highly unlikely a swingeing fine or job loss would be applied. A 'tighten up your procedures' letter far more likely unless there is evidence of far reaching breeches (think MI5 laptops left on trains and data unsecured, or yours is the 200th separate letter in a few months).

[prh47bridge]

Yes, academies are subject to the Data Protection Act. It applies to everyone, not just to public sector organisations.

There is no legal requirement for the school to report any data breach to the ICO. Organisations are encouraged to report serious breaches but there is no law that says they must do so. Based on the information given here this does not sound like a serious breach. It is extremely unlikely anyone would be sacked for misconduct on the basis of this incident alone. Whilst the ICO could, in theory, fine the school if this incident is reported that is extremely unlikely. Unless there is a history of problems I would expect the ICO to take no further action.