- September 14, 2025
- Jim
ICO Reprimand: Finham Park Multi Academy Trust and GDPR Failures
On 26 October 2023, the Information Commissioner’s Office (ICO) issued a formal reprimand to Finham Park Multi Academy Trust (FPMAT) for serious breaches of the UK General Data Protection Regulation (UK GDPR). The reprimand highlights repeated failures to secure personal data appropriately, with shortcomings that left the trust’s systems and the personal data it held vulnerable to compromise.
This case is a strong reminder that schools and trusts must take data protection and cyber resilience seriously—not just in policy, but in practice.
Why the ICO Took Action
The reprimand was issued due to breaches of Articles 5(1)(f) and 32(1) of the UK GDPR. These provisions require organisations to process personal data securely and implement technical and organisational measures appropriate to the risks involved.
The ICO found multiple deficiencies at FPMAT, including:
Inadequate account lockout policies – with no effective limit on failed logins, an attacker can keep guessing passwords online until one works.
Reversible password encryption – passwords stored in a form that can be turned back into plaintext, so anyone who obtains the account database obtains the passwords themselves, rather than one-way hashes that would still have to be cracked.
No multi-factor authentication (MFA) – despite long-standing guidance from the National Cyber Security Centre (NCSC), so a single guessed or leaked password was enough to gain access.
Lack of employee training on password security – staff were not adequately educated about the dangers of reusing passwords across accounts, so a password leaked from an unrelated service could be replayed against trust systems.
Together, these failings amounted to a systemic weakness in FPMAT’s security posture.
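Two of the four findings above, account lockout and reversible password storage, are directory settings that an administrator can check and correct directly. The script below is an added example, not code from the ICO reprimand or from FPMAT; it assumes an on-premises Active Directory domain (the page does not name the directory product) with the RSAT ActiveDirectory module installed, and the threshold and lockout-duration values are illustrative choices, not figures taken from the reprimand. MFA is not covered here because enforcing it depends on the identity provider in use.

```powershell
<#
  Audit-PasswordControls.ps1 (added example; not from the ICO reprimand or FPMAT)
  Assumes: an on-premises Active Directory domain, the RSAT ActiveDirectory module,
  and an account permitted to read the domain policy and user objects.
  Threshold and duration values below are illustrative, not values from the reprimand.
#>
[CmdletBinding()]
param(
    # Illustrative maximum acceptable lockout threshold (failed attempts before lockout).
    [int]$MaxLockoutThreshold = 10,
    # By default the script only reports; pass -Remediate to apply the fixes.
    [switch]$Remediate
)

Import-Module ActiveDirectory -ErrorAction Stop

$findings = [System.Collections.Generic.List[string]]::new()

# --- 1. Domain-wide password and lockout policy --------------------------------
$policy = Get-ADDefaultDomainPasswordPolicy

# LockoutThreshold 0 means accounts never lock out: online guessing is unthrottled.
if ($policy.LockoutThreshold -eq 0) {
    $findings.Add("Lockout disabled: LockoutThreshold = 0 (unlimited password guesses)")
} elseif ($policy.LockoutThreshold -gt $MaxLockoutThreshold) {
    $findings.Add("Lockout threshold too high: $($policy.LockoutThreshold) > $MaxLockoutThreshold")
}

# The domain-level 'store passwords using reversible encryption' setting applies to
# every account in the domain.
if ($policy.ReversibleEncryptionEnabled) {
    $findings.Add("Domain policy stores passwords with reversible encryption")
}

# Fine-grained password policies (PSOs) override the domain policy for their members,
# so a clean domain policy on its own is not enough.
Get-ADFineGrainedPasswordPolicy -Filter * | ForEach-Object {
    if ($_.LockoutThreshold -eq 0)      { $findings.Add("PSO '$($_.Name)' disables lockout") }
    if ($_.ReversibleEncryptionEnabled) { $findings.Add("PSO '$($_.Name)' enables reversible encryption") }
}

# --- 2. Per-account reversible encryption flag ----------------------------------
# Bit 0x80 (ENCRYPTED_TEXT_PWD_ALLOWED) of userAccountControl enables reversible
# storage for a single account even when the domain policy does not.
$reversibleUsers = Get-ADUser -Filter * -Properties userAccountControl |
    Where-Object { ($_.userAccountControl -band 0x80) -ne 0 }

foreach ($u in $reversibleUsers) {
    $findings.Add("Account '$($u.SamAccountName)' has reversible encryption enabled")
}

# --- 3. Report ------------------------------------------------------------------
if ($findings.Count -eq 0) {
    Write-Output "No lockout or reversible-encryption weaknesses found."
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}

# --- 4. Optional remediation ----------------------------------------------------
if ($Remediate) {
    # LockoutObservationWindow must not exceed LockoutDuration, so set both together.
    Set-ADDefaultDomainPasswordPolicy -Identity (Get-ADDomain).DNSRoot `
        -LockoutThreshold $MaxLockoutThreshold `
        -LockoutDuration (New-TimeSpan -Minutes 15) `
        -LockoutObservationWindow (New-TimeSpan -Minutes 15) `
        -ReversibleEncryptionEnabled $false

    foreach ($u in $reversibleUsers) {
        # Clearing the flag stops future passwords being stored reversibly, but the
        # value already on disk persists until the password changes, so force a reset.
        Set-ADUser -Identity $u -AllowReversiblePasswordEncryption $false -ChangePasswordAtLogon $true
    }
}
```

Run it without arguments to get a report; add `-Remediate` to apply the changes. Two caveats a practitioner should keep in mind: the script does not rewrite PSOs, so any fine-grained policy it flags has to be corrected by hand, and enabling lockout gives an attacker a way to lock legitimate users out deliberately, so it should be paired with monitoring of lockout events rather than treated as a fix on its own.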
Aggravating Factors
The ICO was especially critical of the trust’s repeated failure to follow advice.
FPMAT had reported three similar incidents in the past, each time receiving detailed guidance from the ICO about strengthening password and access controls. Despite this, the trust failed to act, leaving its systems exposed. This disregard for regulatory advice was a major aggravating factor in the decision to issue a reprimand.
Remedial Steps Taken
Since the reprimand, FPMAT has taken corrective action, including:
Restoring systems from backups to maintain operational continuity (a recovery step rather than a preventive control).
Implementing MFA across the trust to secure user accounts.
Launching a digital transformation project including credential monitoring to improve long-term resilience.
The ICO welcomed these steps, though noted they came only after repeated failures to address earlier warnings.
What This Means for Schools and Trusts
The Finham Park case underscores key lessons for all educational institutions:
Follow the guidance. When the ICO or NCSC provides advice, failure to act could aggravate enforcement decisions.
MFA is essential. It is a basic but vital safeguard for protecting sensitive personal data.
Don’t neglect staff training. Employees need clear, practical education on password management and cybersecurity hygiene.
DPIAs aren’t enough—implementation matters. Strong technical and organisational measures must be in place to demonstrate compliance.
Conclusion
The reprimand issued to Finham Park Multi Academy Trust demonstrates the ICO’s willingness to act against schools and trusts that repeatedly fail to secure personal data. While remedial measures have since been taken, the trust’s earlier failings emphasise the importance of proactive, not reactive, compliance.
For the education sector, the message is simple: data security is non-negotiable. Weak passwords, absent MFA, and ignored advice will not be tolerated.
