
Damages awarded against school for misuse of pupil information


Damages have been awarded against a school for the misuse of pupil information.

A school sent a letter to parents, without the consent of the child’s mother, containing information about the child’s condition (Down Syndrome) and her disruptive behaviour, with a view to reassuring them that the school’s staff could handle the situation. The mother and child sued the school for breach of the Data Protection Act and for misuse of private information.

The Court decided that, by sending the letter, the school breached the Data Protection Act and misused private information. However, it did not award damages (compensation) for breach of the Data Protection Act – it said that the mother could not recover damages because under the DPA only a ‘data subject’ is entitled to compensation (and only the child was a data subject in this instance, not also the mother). The Court did not award damages to the child either, as it found that there was no clear evidence that the child was informed of the sending of the letter and distressed by it.

However, the Court said that both mother and child had a reasonable expectation of privacy about the information in the letter and that the school could not show that the disclosure was justified. Damages were awarded against the school: £3000 to the mother and £1500 to the child.


To calculate the damages, the Court took into account the claimants’ loss of control over their information and the impact of the data breach upon each of them. The Court also took into account awards made for psychiatric or psychological injury in personal injury cases.

The amount of damages for breach of data protection laws or misuse of private information is currently a very ‘grey area’, as the GDPR gives no guidance about this. However, the Court’s decision to take into account awards made for psychiatric or psychological injury in personal injury cases is very interesting and suggests that damages for personal injury and damages for distress caused by invasion of privacy are comparable.

If your organisation is looking to comply with the requirements of the GDPR then take a look at how our CSaaS and DPaaS solutions can help.
