Who Must a School Notify After a Data Breach?
A data breach in a school setting can be incredibly stressful, particularly when it involves sensitive pupil records. Managing the fallout requires a clear head and swift action. When it comes to informing individuals about a breach involving a child's data, the rules are distinct, balancing statutory data protection law with a school's duties towards parents.
Here is exactly who you need to notify when a child’s data is breached, based on the Information Commissioner’s Office (ICO) guidelines and legal frameworks.
Do We Have to Tell the Child?
Once parents are notified, the secondary question arises: Do you also need to tell the pupil directly?
According to the ICO, the deciding factor is Gillick competence, a legal concept used to evaluate whether a child has the maturity and intelligence to fully understand what is being proposed or what has happened.
Formal ICO guidance states that if a child's data is breached, their parents/carers must be told irrespective of the child's age, because this is part of the duty of care the school takes on by acting in place of the parent (in loco parentis) in law.
The remaining question is which children you must also tell.
The ICO’s guidance is:
From the day of their 13th birthday, children could be 'Gillick competent'. You will need to assess each of them to decide whether you think they will understand the risks that the data breach presents to them. It is Handsam's opinion that in this day and age they may well understand, and that it would only be where a pupil has some potential lack of cognisance, such as a pupil with SEND and learning difficulties, that you would not also tell them. Even then, many SEND students will understand, which is why you need to make each assessment on an individual basis.
The Age 13 Threshold
Under UK data protection law, the statutory age of digital consent is 13. Therefore, from the day of their 13th birthday, a child is legally presumed to have a greater degree of control over their personal data.
When a breach occurs involving a pupil aged 13 or over, school leadership must perform an individual competence assessment to determine if the child possesses enough cognition to understand the specific risks the data breach presents to them.
Managing SEND Assessments
This assessment must always be handled on a case-by-case basis. You cannot make sweeping assumptions based on labels.
Individual Evaluation: A pupil with Special Educational Needs and Disabilities (SEND) or learning difficulties might require a more gentle or adjusted explanation, or they may lack the cognisance to understand the digital risks entirely.
No Blanket Exclusions: Conversely, many SEND students have excellent technical and cognitive understanding. Each student must be evaluated purely on their own merits and understanding.
If the individual assessment shows the pupil can comprehend the situation, the school should notify them directly alongside their parents, using accessible, age-appropriate language to explain what data was lost and how they can stay safe online.
The Regulatory Obligation: When to Notify the ICO
While notifying individuals addresses the human element of a breach, you must also consider your regulatory duties to the Information Commissioner's Office.
The 72-Hour Rule
Under the UK GDPR, if a school experiences a personal data breach, school leaders must assess the risk to the rights and freedoms of the individuals affected. If the breach is likely to result in a risk (such as identity fraud, physical harm, safeguarding issues, or severe distress), you must report it to the ICO within 72 hours of becoming aware of it.
If the breach is severe enough that it poses a high risk to the pupils, the law states you must inform the affected individuals (parents and competent children) without undue delay.
Office 27, East Moons Moat Business Centre
Oxleasow Rd, Redditch B98 0RE
Phone: 0333 207 0737