Data Breach

Ex headteacher fined for unlawfully obtaining school children’s personal information

An ex headteacher has been fined in court for unlawfully obtaining school children’s personal data from previous schools where he worked.

Darren Harrison of Twickenham, obtained the information from two primary schools were he had worked, and uploaded it to his then current school’s server. As he had no lawful reason to process the personal data, he was in breach of data protection legislation.

Six months into his role as Deputy Head at Isleworth Town Primary School, Harrison was suspended. A subsequent IT audit showed large volumes of sensitive personal data present on the Isleworth server from his previous schools, Spelthorne Primary and The Russell School in Richmond.

During the course of the investigation, Harrison provided no valid explanation as to how the information had appeared on his system, which was via an upload from his USB stick, stating he had deleted the personal data from it.

In a subsequent interview with the Information Commissioner’s Office (ICO) Harrison read from a prepared statement advising the information had been taken for professional purposes.

Appearing before Ealing Magistrates’ Court, Harrison admitted two offences of unlawfully obtaining personal data in breach of s55 of the Data Protection Act 1998.

He was fined £700, ordered to pay £364.08 costs and a victim surcharge of £35.

Mike Shaw, the ICO’s Criminal Investigation Group Manager, said:

“Children and their parents or guardians have the right to expect that their personal data is treated with respect and that their legal right to privacy is adhered to.

 “A headteacher holds a position of standing in the community and with that position comes the added responsibility to carry out their role beyond reproach.

“The ICO will continue to take action against those who we find have abused their position of trust.”