A former headteacher has been fined in court for unlawfully obtaining school children’s personal data from previous schools where he worked.
Darren Harrison, of Twickenham, obtained the information from two primary schools where he had worked, and uploaded it to his then-current school’s server. As he had no lawful reason to process the personal data, he was in breach of data protection legislation.
Six months into his role as Deputy Head at Isleworth Town Primary School, Harrison was suspended. A subsequent IT audit showed large volumes of sensitive personal data present on the Isleworth server from his previous schools, Spelthorne Primary and The Russell School in Richmond.
During the course of the investigation, Harrison provided no valid explanation as to how the information had appeared on his system. It had arrived via an upload from his USB stick, and he stated that he had deleted the personal data from it.
In a subsequent interview with the Information Commissioner’s Office (ICO), Harrison read from a prepared statement advising that the information had been taken for professional purposes.
Appearing before Ealing Magistrates’ Court, Harrison admitted two offences of unlawfully obtaining personal data in breach of s55 of the Data Protection Act 1998.
He was fined £700, ordered to pay £364.08 costs and a victim surcharge of £35.
Mike Shaw, the ICO’s Criminal Investigation Group Manager, said:
“Children and their parents or guardians have the right to expect that their personal data is treated with respect and that their legal right to privacy is adhered to.
“A headteacher holds a position of standing in the community and with that position comes the added responsibility to carry out their role beyond reproach.
“The ICO will continue to take action against those who we find have abused their position of trust.”
If you need more information, please contact the ICO press office on 0303 123 9070, or visit the media section on our website.
Notes to Editors
- The Information Commissioner’s Office upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
- The ICO has specific responsibilities set out in the Data Protection Act 2018, the General Data Protection Regulation, the Freedom of Information Act 2000, the Environmental Information Regulations 2004 and the Privacy and Electronic Communications Regulation 2003.
- The ICO can take action to change the behaviour of organisations and individuals that collect, use and keep personal information. This includes criminal prosecution, non-criminal enforcement and audit.
- A limited number of criminal enforcement cases – including this case – are still being dealt with under the provisions of s55 of the Data Protection Act 1998 because of the time when the breach of the legislation occurred.
- Criminal prosecution penalties are set by the courts and not by the ICO.
- To report a concern to the ICO telephone our helpline 0303 123 1113 or go to ico.org.uk/concerns.