*Reassuringly dull cyber security

Damages awarded against school for misuse of pupil information

Damages awarded against school

Damages have been awarded against a school for the misuse of pupil information.

A school sent out – without the child’s mother’s consent- a letter to parents with information about the child’s condition (Down Syndrome) and her disruptive behaviour, with a view to reassuring them that the school’s staff could handle the situation. The mother and child sued the school for breach of the Data Protection Act and for misuse of private information.

The Court decided that, by sending the letter, the school breached the Data Protection Act and misused private information. However, it did not award damages (compensation) for breach of the Data Protection Act – it said that the mother could not recover damages because under the DPA only a ‘data subject’ is entitled to compensation (and only the child was a data subject in this instance, not also the mother). The Court did not award damages to the child either, as it found that there was no clear evidence that the child was informed of the sending of the letter and distressed by it.

But, the Court said that both mother and child had a reasonable expectation of privacy about the information in the letter and the school could not show that the disclosure was justified. Damages were awarded against the school; £3000 to the mother and £1500 to the child.


To calculate the damages, the Court took into account the claimants’ loss of control over their information and the impact of the data breach upon each of them. The Court also, took into account awards made for psychiatric or psychological injury in personal injury cases.

The amount of damages for breach of data protection laws/misuse of private information is currently a very ‘grey area’, as the GDPR gives no guidance about this. However, the Court’s decision to take into account awards made for psychiatric or psychological injury in personal injury cases is very interesting and suggests that damages for personal injury and distress for invasion of privacy are comparable.

If your organisation is looking to comply with the requirements of the GDPR then take a look at how our CSaaS and DPaaS solutions can help.

We were looking for a virtual DPO service that offered all of the benefits of a fully qualified data protection lawyer, without the overheads of an in-house hire. The DPaaS solution from norm. has been invaluable in helping us to ensure we respect the integrity of our customers’ personal information, while using it to continue to deliver differentiated products and services which support our growing customer base.

Mike Whitfield, Compliance Manager

I’m thrilled to have signed off on the CSaaS offering.  I’m looking forward to having the most complete cyber security package for the mid-market and continuing our successful working relationship with norm.

Richard Taylor, CIO
Summit Therapeutics

CSaaS allows me to step away from multi-vendor management as the Security Operations Centre coordinates all of the technology for me.

David Vincent, CTO

We were in the market for an independent Data Protection Officer service that was well versed with both UK and EU regulators. We’re thrilled to have acquired this service knowing that an expert is available 24/7.

Suzanne McCabe, Head of Project Management
James Hambro & Partners

Norm’s penetration testing layer, along with the suite of CSaaS modules has enabled MA to exceed all its audit requirements for its major clients.

Rob Elisha, ICT and CRM Manager
Montreal Associates

The speed of your Data Protection Officer’s response was very impressive – it was far quicker than I would have expected even from an in-house DPO

Will Blake, Director of Technology and Analytics
CRU Group