This is a Premium feature
To use this feature subscribe to Mumsnet Premium - get first access to new features see fewer ads, and support Mumsnet.Start using Mumsnet Premium
GDPR breach- I cocked up!(32 Posts)
I work in school admin and our school is in the process of getting ready to open on the 1st June. Part of the process is to contact parents of the children in the specific year groups and ask them to complete a survey for us. The IT department have sent the survey out through our app and Facebook page. Both of these require the parents to have registered and a lot of our parents haven't. I was asked by the headteacher to email the parents we hold email addresses for. Our MIS system is capable of communicating via email but our trust has not set this up so I had to copy and paste each email address. I was doing this from home, on a tablet with a two year old running around (my husband had to hold him still whilst I sent the email) and I don't generally work fridays but knew the deadline for the responses was 5pm so I sent the email asking parents to complete the survey by clicking the attached link.
I didn't BCC it! I know I should have, it never even occurred to me at the time though! I reported the breach to the headteacher immediately and was told to wait to see if anyone complains.
I checked this morning and a parent had emailed me to say 'a huge well done for the GDPR breach'.
I feel sick. There was no personal information included in the email other than addresses. The parent in question doesn't have her name in the email address so it doesn't give away her identity, but others probably do use their names.
The parent has said she will be requesting a SAR.
How screwed am I?
I am not sure how a SAR will help the parent. That gives her a right to a copy of information the school holds about her so would have little relevance to the breach.
Try not to worry too much, to be honest this type of thing does happen a lot and even if she reported this to the ICO they are unlikely to take any action.
I think all you can do is apologise. Given that no other information was included it is difficult to see how the individual could argue any significant loss/distress.
The school should carry out a breach investigation so it can be documented and it can be agreed how to avoid this happening again. Have you already had DP training?
Yes, I have had training, ironically!
I did wonder what the SAR would do for her, I think she could possibly be trying to scare me or something?
I did a self assessment on the ICO this morning and that came back that they don't need to be notified but the incident needs to be recorded. Which I have already done. I have also screen shot the response from the ICO page.
I don't think it can go much further but this parent is unlikely to let things go if she doesn't get the resolution she thinks she's due.
If her email address doesn't include her name then I don't think it's even a breach for her. Obviously it will be for other parents. I would be sending an apology email to everyone asking them to delete the original one and confirm to you that they've done it. Not sure the Head's response is great!
Don't beat yourself up about it though. I've dealt with two breaches since lockdown where people have made silly errors because they're not totally focused or on different devises.
I don't think you need to notify the ICO yourselves but she may choose to notify them directly. As I said they are unlikely to do anything as they are so busy dealing with bigger issues.
Has a formal apology been written - I would probably do that - apologise, acknowledge that a mistake was made and that it should not have happened, indicate that an investigation will take place so practices can be improved so it does not happen again.
Apart from that I am not sure there is much else you can do at this point apart from wait to see if she makes any sort of formal complaint.
Eye roll!! Why would a parent send that!? Ridiculous. I feel for you but don't worry you've done everything you should have, just an apology now and there's no more you can do.
Mistakes happen, all you can do is apologise
Thank you for all of your advice.
I'm happy to send an apology, I'd actually like to do it now so it's off my chest so to speak, but I'd have to clear it through the headteacher first.
I immediately thought of sending another email out telling parents about the breach, but I'm wondering if that would then alert them to the other email addresses when it seems most of them haven't noticed. Not that I'm trying to get away with it, but because they'd then possibly go looking for the other addresses.
It was a mistake, they happen. We'd all rather we didn't, but we do.
I hope your HT has your back.
The parent complaining.... hopefully it's just someone who's a cunt rather than someone who has fled DV or something. But they're pretty rare. Much more likely to be a cunt.
Should have registered earlier, eh!
As far as I know there are no safeguarding risks for her, she isn't identifiable from the email address and neither is her child. Obviously there are others on the email though, but only parents of the school were included in the email.
Other people will have noticed.
It wouldn’t bother me in the slightest, but I would definitely notice and raise an eyebrow at the breach. I really would send out an apology and a reassurance that personal data privacy is taken very seriously and steps have been taken to correct the issue.
And then move on, you can’t do any more.
Don’t beat yourself up, we’re all human. We had something similar in our school. We are a large LA secondary school and we have a duty to report this to our LA DPO who makes the decision as to whether it’s reportable. My advice would be to ensure that you put it in writing to whoever is in charge of GDPR in school (ours is the Headteacher) and then it’s up to them how to deal with it. A quick acknowledgement letter , or phone call to the parent and apology for the error from the Headteacher is often enough. There are different levels for any breach, I can’t remember what they are but I think the action required is determined by the number of parents involved in the breach.
What kind of person would respond like that! I would have probs emailed and said you might want to try and recall this ASAP and I know breaches CAN be serious but this is effectively just a list of email addresses - half of which won’t be identifiable as people and even if it is so?? Some people need to get a grip
She's trying it on. All the SAR crap and the email she sent you. She's looking for some type of compensation or something. Don't worry too much about it. You're only human
Training I've had said in this scenario the best thing to do is try to recall the email and resend properly. Given it's probably too late to recall the initial email now you could resend it, using bcc of course, apologising for the earlier error, stating you've followed ICO guidance and request they recipients delete the first email.
I'm very big on data protection, mistakes will happen but the handling thereafter makes the biggest difference.
I did this very recently at work too and somebody immediately complained which alerted me to what I’d just done. I told my boss who composed an apology email - we also asked people to delete the email and resent it properly. Most people were fine - turns out it had happened to a lot of other people. Still felt sick at the time though so you have my sympathies OP.
Speak to the headteacher and encourage them to self report to the ICO, it is a reportable breach but is highly unlikely to result in any kind of penalty as long as you document on the report that it was human error, and that it has been addressed.
You can then reply to the parent apologising and advising that you have self reported, you can even give them the ref number.
This happens a lot, it is a simple human error and completely forgivable so don't dwell, just move on.
All my colleagues too had done it at some point so it felt like a rite of passage! (I’m relatively new)
Don't worry OP. These things happen, I am sure you will be super vigilant going forward even if it's 'only' email addresses at risk.
Some people get really funny about GDPR breaches, but often there is no real harm done and it's worth having some perspective. I think that was pretty shitty tone wise from the parent. Sure reply and say whoops think this is a breach, but...
I don't use (most) social media and am one of those who wouldn't give my real DOB when it's asked for on various websites, but I couldn't care this much about an email address.
The SAR will do nothing for her at all. In my experience people often request them just to be difficult.
Send her/his comments the head and let them deal with it.
So it was just their email address? That can only identify their name and nothing more personal/identifying (in most cases I assume) than that and the parents will know each other anyway, so it’s hardly too secret information.
I’ve had this happen to me a couple of times, and yes I’ve been the smart arse who has - politely - pointed it out (it’s been external business mailing lists so all potentially not brilliant). I have always had a reply that apologises, says it’s an error and they will out in procedure to make sure it didn’t happen again. I only really pointed it out as I know that some people can be arsey about such things and I’d hate the sender to get threats/abuse over it.
I did all the training when it became law and I really don’t think this is any kind of offence. It was an accident pure and simple. And I’ve never had so much junk/spam since the laws can in, so it’s not working at all!
I’ve done this though not at work. I recalled the email where I could. Only one person complained (but not too that level) which was ironic as she did something similar involving me the previous year. I’ve also asked a million times to be removed from her contacts but still I receive emails..... don’t worry.
I once pointed out that someone had done this on a much larger scale with more people and where the outcome was that lots of those people 'replied to all' with their children's full names with times, dates and locations of where they would be. They and their manager replied back apologising and assured me it would never happen again and that was the end of it. Hopefully it will be for you too.
in my job a mistake like this means instant suspension and possibly dismissal.
it's bad tbh
we are not allowed to use our own it equipment either as the company own has several safeguards against issues like this.