Another UK School Goes Dark After Cyberattack, and the Data Questions Are Piling Up
#Security

Privacy Reporter

Great Marlow School in Buckinghamshire sent most of its students home for a second day this week while it scrambles to contain a suspected malware infection. The closure is one of several hitting schools on both sides of the Atlantic, and it raises a question that keeps going unanswered: what happens to children's personal data when the institutions holding it get breached?

Great Marlow School in Buckinghamshire, England, has spent two days this week running on a skeleton timetable after what it calls "a suspected malware incident." Only students sitting GCSE and A-level exams, those in Years 11 and 13, were allowed on site Wednesday and Thursday. Everyone else, Years 6 through 10 and Year 12, was told to stay home and pull whatever revision material they could from Microsoft Teams, because teachers had no working systems to set them any actual work.

This is becoming a familiar pattern, and the part that should worry parents most is the part the school has not addressed.

What happened

The school restricted access to large parts of its own network as a precaution while it investigates. Headteacher Guy Pendlebury said in a statement posted to the school's website that "immediate action has been taken to contain the incident" and that the school is working with specialist IT and cybersecurity professionals to assess the damage and restore operations. The school says it is following guidance from the Department for Education and the National Cyber Security Centre, and that "appropriate reporting procedures have also been followed."

That phrasing matters. Internal mock exams for Years 10 and 12 have been pushed to later in the year. A Year 7 learn-to-row session got rearranged. The athletics event for Years 7 and 8 went ahead. These are the visible, manageable disruptions. What the school pointedly did not say is whether the incident involved ransomware, or whether any data was accessed or stolen.

Here is where the rights of students and staff come into focus. Schools in the UK are data controllers under the UK General Data Protection Regulation and the Data Protection Act 2018. The records they hold on children are not trivial. They include names, addresses, dates of birth, attendance, behavioral notes, safeguarding records, medical information, free school meal eligibility, and in many cases data about parents and guardians too. Much of this falls into the special category data bracket, which carries heightened protection precisely because it can be used to harm or profile vulnerable people.

When "appropriate reporting procedures have also been followed," that almost certainly means a notification to the Information Commissioner's Office, the UK's data protection regulator. Article 33 of the UK GDPR requires a controller to report a personal data breach to the ICO within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to people's rights and freedoms. If the breach is likely to result in a high risk, Article 34 requires the controller to tell the affected individuals directly, in plain language, without undue delay.

The key phrase in both articles is "personal data breach." Under the regulation, that does not mean only stolen data. It covers accidental or unlawful destruction, loss, alteration, or unauthorized access. A ransomware infection that encrypts a school's files and locks staff out of pupil records can qualify as a breach on the basis of loss of availability alone, even if no data ever leaves the building. So the absence of a confirmed data theft does not necessarily put a school outside its reporting obligations.

Why the silence is the story

Great Marlow's refusal to confirm or deny ransomware or data compromise is understandable from a containment standpoint. Investigators often genuinely do not know in the first days whether attackers exfiltrated anything, and saying the wrong thing early can be worse than saying little. But for the families involved, that silence is the difference between knowing whether to watch for fraud and identity misuse aimed at their children, and being left in the dark.

Children's data is valuable on the black market for a specific reason: a child's clean credit history and unused identity can be exploited for years before anyone notices, because nobody is checking a twelve-year-old's credit file. That is what makes school breaches different from, say, a corporate leak of adult customer emails. The window of harm is longer and the victims are less able to protect themselves.

A grim week across the sector

Great Marlow is not an isolated case. A high school in Illinois closed for two days this week after a ransomware attack, reopening Wednesday with its phone lines still down. The University of Nottingham confirmed it was hit by the group known as Shiny Hunters. And in Wales, 13 schools across the Powys region were caught up in a cyberattack that Powys council disclosed on June 4. The council said the intrusion was originally identified back in April, and that sensitive data belonging to students and staff at one of the 13 schools is suspected of having been compromised. None of the Welsh schools closed.

The Powys timeline is worth sitting with. An incident identified in April, disclosed to the public in June. Whatever the internal reasons, a months-long gap between detection and public disclosure is exactly the kind of delay that erodes trust and leaves affected people unable to act in their own defense.

What changes, and what should

For the students and staff at Great Marlow, the immediate change is practical: disrupted lessons, postponed mocks, and a tense wait to learn whether their personal information is safe. For the wider sector, the repeated closures point to an uncomfortable truth. Schools are soft targets. They hold rich data, often run aging or underfunded IT, and rarely have dedicated security staff. The NCSC has published specific guidance for schools, but guidance only goes so far without budget and people to act on it.

The accountability question now sits with the regulators. If the ICO finds that a breached school failed to protect children's special category data adequately, it has the power to issue enforcement notices and fines, though in practice it has tended to favor reprimands over penalties for public sector bodies. Whether that restraint serves the people whose data is at stake is a fair thing to ask.

What parents and staff are entitled to, regardless of how the investigation ends, is honesty about what was taken and clear advice on what to do about it. If Great Marlow's data turns out to have been exfiltrated, the families deserve to hear it directly and promptly, not to piece it together from a carefully worded website notice. That is not just good practice. Under Article 34, where the risk is high, it is the law.
