Steps to take following a data breach: reporting, criminal charges and injunctions
Student and staff files will be full of personal data, much of which may be particularly sensitive such as health information (known under the data protection legislation[1] as “special category” data). Here we outline what universities need to do when a data breach occurs.
Your obligations
As data controllers, universities have an obligation under the data protection legislation to ensure that this personal data is processed consistently with the data protection principles and only shared with third parties if there is a lawful basis for doing so. Furthermore, as much of this sensitive information would also have been provided to universities in confidence, it cannot be shared with third parties without the consent of the person, unless it is required by law or can be justified in the public interest (such as to prevent serious harm to the person or others).
Unfortunately, it is not uncommon for data breaches to occur either due to the malicious actions of a third party or human error. In relation to the latter, this usually occurs when redactions have not been properly applied or made at all, or where certain information is shared despite this not being strictly necessary for the particular task at hand. In such situations, it is important for data controllers to immediately consider taking the following steps.
Reporting obligations
First, you should consider whether the data breach poses a risk to people. If it’s likely there will be a risk, then you must notify the Information Commissioner within 72 hours of becoming aware of the breach, where feasible. Reporting the matter to the ICO also allows you to bring the matter to the attention of the ICO’s Criminal Investigations Team if an offence under the Data Protection Act 2018 may have been committed (for example, if the personal data has been obtained or retained without your consent). If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, you must also inform those individuals without undue delay.
Informing the police
Once you have satisfied your reporting obligations, you should also consider notifying the police and/or pursuing civil action to prevent the confidential information from being used or shared more widely. It is of course a matter for the police to investigate whether any criminal offence has been committed, but if you can present sufficient evidence of an offence then, subject to it being in the public interest, the police should instigate criminal proceedings. The police could also use their search powers to obtain and retrieve the confidential information in question, which will often be a key aim for your institution.
Obtaining an urgent injunction in civil proceedings
Civil proceedings are also a good option to prevent the confidential information from being used or disclosed further. If you need to act quickly then you will need to seek an interim injunction before the substantive claim is filed. This will require you to satisfy the American Cyanamid test, namely that: (1) there is a serious issue to be tried (see below); and (2) damages are not an adequate remedy; and (3) the balance of convenience favours the grant of an injunction.
Establishing a breach of confidence
In relation to the substantive claim, the essential ingredients of the tort of breach of confidence, as set out in Coco v Clark [1968] FSR 415, are that (i) the information is confidential in quality; (ii) it was imparted so as to import an obligation of confidence; (iii) there has been, or will be, an unauthorised use of that information to the detriment of the party communicating it. This includes confidential information that has been obtained by improper or surreptitious means, but will also cover situations where it has been obtained by mistake – for example when confidential information is inadvertently disclosed in response to a request under the data protection legislation or Freedom of Information Act.
Where a public body (which, depending on the context, may include a university) claims confidentiality in a document, the damage required to establish a claim for breach of confidentiality will be assessed by reference to the public interest. For an illustration of how these principles have recently been applied by the courts, see: London Borough of Lambeth v AM (No. 2) [2021] EWHC 186 (QB).
Contact us
Browne Jacobson’s public law team frequently advises public bodies in respect of breaches of confidentiality. Its lawyers are experienced in liaising with the Information Commissioner and police in respect of possible criminal offences and commencing civil proceedings to restrain the unlawful use of confidential information. Please contact us with any questions about the immediate steps you can take to bolster your approach to data protection or if you would like any further information on what to do in the immediate aftermath of a data breach.
[1] Namely, the Data Protection Act 2018 and UK GDPR.
Contact

Matthew Alderton
Senior Associate
matthew.alderton@brownejacobson.com
+44 (0)330 045 2747