Welcome to this guide on claiming compensation for data breaches in schools and universities. As technology advances, personal data protection is becoming increasingly important.
Schools and universities hold large amounts of personal data on their students, staff, and alumni, and have a legal duty to protect it from unauthorised access, disclosure, and theft. Failure to do so can result in data breaches that expose individuals to risks such as identity theft, financial fraud, and reputational damage.
If you have been harmed by wrongful actions that have led to the exposure of your personal data in a data breach at a school or university, you may be eligible to claim data breach compensation. This guide will explain how such breaches can happen, the types of harm that can result from data breaches, and the compensation eligible claimants can claim.
We urge you to read on and understand your rights to claim compensation for data breaches in schools and universities. If you have any questions or would like further assistance, please contact an advisor by:
What Is A University Or School Data Breach And When Can I Claim?
A university or school data breach can occur when there is unauthorised access, loss, theft, or disclosure of personal data held by educational institutions. Such data breaches can occur due to a variety of reasons, including cyberattacks, phishing scams, employee negligence, or system failures.
Examples of school or university data breaches include, but are not limited to:
- Cyberattacks that result in unauthorised access to personal data, such as names, addresses, email addresses, student IDs, and financial information.
- Phishing scams that trick students or staff into providing their personal information to hackers.
- Employee negligence, such as leaving personal data on an unsecured computer or device or failing to properly dispose of confidential documents.
- System failures that result in data loss or corruption, or that allow unauthorised access to personal data.
To be eligible for claiming compensation for a school or university data breach, an individual must have suffered harm as a result of the breach. The exposure of personal data must have also happened because of wrongdoing by the data controller. Harm can include financial loss, emotional distress, and reputational damage. It is also important to note that the Data Protection Act 2018 and the Limitation Act 1980 set time limits for making claims and that claims must be made within specific timeframes.
Can Everyone Claim Data Breach Compensation For Data Breaches In Schools and Universities?
It is important to note that not all data breaches will result in victims being eligible to claim compensation. To be eligible, there must have been wrongful actions on the part of the data controller, which is the organisation responsible for handling the personal data.
Wrongful actions can include IT-based actions, such as failing to implement appropriate security measures, using outdated software, or failing to encrypt sensitive data. Physical documentation can also be subject to wrongful actions, such as leaving confidential files in an unsecured location or failing to dispose of them properly.
Furthermore, not all data breaches will result in harm to individuals. If the breach does not result in any harm or damage, there may not be a basis for claiming compensation. Harm can include financial loss, emotional distress, and reputational damage.
It is essential for individuals who believe they have suffered harm as a result of a data breach to seek legal advice to determine whether they are eligible to claim compensation. An experienced legal advisor can review the circumstances of the data breach, assess whether there has been any wrongful action, and provide guidance on the next steps to take.
Have Schools Or Universities Breached Personal Data Before?
One example of a university data breach involving the Information Commissioner’s Office (ICO) is the data breach that occurred at the University of Greenwich in 2016. The breach was discovered when an ex-employee of the university informed a member of the public that personal data held by the university was being sold online.
An investigation by the ICO found that the university had failed to take appropriate measures to ensure the security of personal data, including failing to implement appropriate access controls, failing to encrypt sensitive data, and failing to monitor and audit third-party access to personal data.
The personal data involved in the breach included sensitive information such as names, addresses, birth dates, and contact details of over 19,000 individuals, including current and former students and staff.
The ICO imposed a fine of £120,000 on the University of Greenwich for the breach, citing serious failures in the university’s data protection practices. The university also faced legal action from some affected individuals who claimed compensation for harm suffered as a result of the breach.
What Evidence Do I Need To Claim?
To make a successful claim for compensation for a university or school data breach, it is essential to gather as much evidence as possible to support the claim. The type of evidence required will depend on the circumstances of the data breach and the harm suffered as a result.
Some of the key types of evidence that may be required for a claim include:
- Evidence of the data breach – this could include a copy of the notification letter received from the school or university informing you of the breach, or any other evidence that you have been made aware of the breach.
- Evidence of harm – this could include medical records, bills for any financial losses, or evidence of any emotional distress or reputational damage suffered as a result of the breach.
- Evidence of the data controller’s wrongful actions – this could include IT system audits, reports on cybersecurity measures implemented by the data controller, or witness statements from employees who may have been involved in the breach.
In addition to the above, it is important to keep a record of any correspondence with the school or university, including any discussions or agreements reached in relation to the breach.
How Much Compensation Could I Receive?
When making a claim for compensation for a data breach, there are different types of damages that may be awarded depending on the harm suffered by the individual. These damages can include:
- Non-Material Damages – This refers to the compensation awarded for non-financial losses, such as emotional distress or psychological harm suffered as a result of the data breach. The amount of general damages awarded will depend on the severity of the harm suffered, and this can be assessed by reviewing medical evidence, psychological reports, and any other relevant evidence.
- Material Damages – This refers to the compensation awarded for any financial losses incurred as a result of the data breach, such as expenses incurred to prevent further damage or financial loss. This can include the cost of credit monitoring services and any other expenses related to the breach.
When working out the appropriate level of compensation, lawyers may refer to the Judicial College Guidelines, which provide guidance on the appropriate level of compensation for different types of harm suffered. These guidelines provide a range of compensation amounts for different levels of harm, which may be adjusted up or down depending on the specific circumstances of the case. You can find examples below. However, these are only rough indications.
- Severe – £54,830 to £115,730
- Moderately Severe – £19,070 to £54,830
- Moderate – £5,860 to £19,070
- Less Severe – £1,540 to £5,860
No Win No Fee Data Breach Claims
If you are an eligible claimant seeking compensation for a data breach, you may be able to get help from a solicitor under a Conditional Fee Agreement (CFA). A CFA, also known as a No Win No Fee agreement, is a type of agreement between a solicitor and a client where the solicitor agrees to take on the case without requiring the client to pay upfront legal fees.
Under a CFA, the solicitor’s fees are only payable if the case is successful, and the amount payable is usually calculated as a percentage of the compensation awarded to the client. The percentage charged is known as the success fee.
In the UK, the success fees charged by solicitors under CFAs are capped under the Conditional Fee Agreements Order 2013. The cap on success fees is set at 25% of the compensation payout.
If you believe you have a claim for compensation for a data breach, an advisor could assess your case to see if you could be eligible to claim under a CFA. If you are eligible, they could connect you with a solicitor from our panel who can provide you with the legal representation and support you need to pursue your claim. With a CFA, you can be assured that your solicitor will only charge a success fee if your claim is successful, giving you peace of mind as you seek the compensation you deserve.
Why not get in touch today to find out how we could help?
Further Insight Into Claiming Data Breach Compensation For Data Breaches In Schools And Universities
Company Data Breach – Find out if you could claim compensation for a data breach by a company.
Medical Data Breach Claims – Has your medical data been exposed? Find out if you could claim compensation.
Compensation For GDPR Violations – Learn more about making claims for a breach of GDPR here.
Greenwich University Data Breach – Learn more about the incident we mentioned in this guide.
Be Data Aware – Learn more about how to protect your personal data.
Spam Emails And Data Protection – Learn about this important topic from the ICO and understand how to protect your personal data.