• Careers
  • Contact Us

How to Protect Your School Against Data Breaches and Fines

on Monday, 24 June 2019.

Bupa and Heathrow Airport Limited (HAL) have been fined by the Information Commissioner's Office (ICO) for data protection failures. How best can you avoid similar data breaches?


Bupa was fined £175,000 due to the ineffective security measures that Bupa had in place to protect its customer's personal information.

The incident took place last year and resulted in the personal information of 547,000 Bupa Global customers being offered for sale on the dark web. The information was accessed via the customer relationship management system that Bupa used, SWAN. This system holds the records of 1.5 million customers. An employee accessed the information through SWAN and sent bulk data reports to his personal email account. Types of information that was accessed included names, dates of birth, email addresses and nationality, and these were later advertised for sale on the dark web.

The breach became known to Bupa on 16 June 2017 when an external partner spotted that customer data was for sale. There have since been 198 complaints about the incident to both the ICO and Bupa.

The ICO found a number of failings by Bupa, including the fact that Bupa did not routinely monitor SWAN's activity log, which meant that Bupa was unaware of a defect in the system and could not identify unusual activity.

It is also worth noting that although the Bupa breach was the result of a rogue employee, because Bupa did not have adequate measures in place they have been subject to enforcement action.

Heathrow Airport

Not long after the Bupa fine was issued, the ICO issued a further fine of £120,000 to HAL for failings in relation to network security.

This related to a memory stick containing 76 HAL folders and over 1,000 files which was not encrypted. A member of the public viewed the information at a local library and found a small amount of personal information, including a training video which exposed ten individuals' details including: names, dates of birth, passport numbers, and the details of up to 50 HAL aviation security personnel. The stick was then passed to a national newspaper, where copies were made, before the stick was returned to HAL.

During its investigation, the ICO found that only two percent of a 6,500 strong workforce had received data protection training. The use of the memory stick was in contravention of HAL's own policies and guidance. There were also ineffective technical controls to prevent personal data from being downloaded onto unauthorised or unencrypted media.

Banner MOS Elearning Jun19

What Should Schools Learn from This

Failing to put adequate security measures in place can have severe consequences. Schools should consider the following:

  • Staff Training
    Staff should be sufficiently trained regarding information security. If your school allows staff to use USB sticks they must be trained on how to use USB sticks securely. You may wish to consider prohibiting the use of USB sticks entirely due to the risks that they raise and the availability of alternatives which are far more secure. However, if you do wish to allow USB sticks, we suggest putting additional safeguards in pace, for example, limiting their use to school issued devices with built in encryption which meets the standards of data protection law.

  • Clear Policies
    Make it clear to staff that a breach of your information security policies may result in disciplinary action.

  • Limited Access to Data
    Access to information should be on a need-to-know basis, to avoid employees having access to large quantities of personal data unnecessarily.

  • Monitoring
    Ensure that you have sufficient monitoring in place to spot anomalies and suspicious behaviour early

To discuss how best to protect your school, please contact Andrew Gallie in our Data Protection team today on 0117 314 5623, or complete the below form.


Get in Touch

First name(*)
Please enter your first name.

Last name(*)
Invalid Input

Email address(*)
Please enter a valid email address

Please insert your telephone number.

How would you like us to contact you?

Invalid Input

How can we help you?(*)
Please limit text to alphanumeric and the following special characters: £.%,'"?!£$%^&*()_-=+:;@#`

See our privacy page to find out how we use and protect your data.

Invalid Input