The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

The ICO has been made aware of a data breach involving the Capita SIMS system that has affected a number of schools who use their services. We understand that Capita have added messages to the system to update schools and to help them identify if their data has been involved.

Schools should establish if they have been affected by the breach and if so assess which pupils’ data have been affected and how.

Under the GDPR, which came into force on 25 May 2018, controllers have an obligation to report data security breaches to the ICO unless there is unlikely to be a risk to individuals. Before 25 May 2018 there was no legal obligation to report to the ICO.

If your school has been affected by the Capita SIMS incident and you have enough information to establish that there may be a risk to your pupils or parents, you should report the breach to the ICO. If we need further information we will be in contact with you.

You should consider how your pupils or parents may be affected by the breach. If you think there is a high risk to their rights and freedoms, you need to tell them about the breach without delay. You should tell them about any steps you are taking to mitigate the effects of the breach and provide them with advice on what to do to protect themselves.

Self-assessment

Take our self-assessment to determine whether your school needs to report to the ICO.


If you decide to report, please copy and paste the table below into a blank email, add your response and send your email to casework@ico.org.uk.

You should include ‘Capita SIMS breach notification’ in the subject line of the email, along with your school's name.

ICO breach notification form – Capita Business Services Ltd (SIMS) breach only

| ICO question | Controller response |
| --- | --- |
| Name and contact details of the person reporting | |
| What were you using SIMS for when the breach occurred? (ie sending correspondence to parents) | |
| What type of data has been compromised? | |
| Are you aware of any data breach incidents at your school as a result of this matter? How many? How have you arrived at this figure? | |
| Were you informed about the issue with SIMS by Capita? If so, when? If not, how did you discover the issue? | |
| Any other information that you think it would be useful to provide? | |