Why "for no fault of their own"? The school is the data controller, it's their responsibility to ensure they take all measures to protect this data. That includes not blindly relying on a third-party vendor well-known for its poor track record in terms of data privacy.
Of course schools don't have the resources to properly assess the security of their systems, and Capita was probably imposed on them anyway, but that doesn't remove their obligations for data protection.
