Is this a Data Protection breach? Email from school.

[CryCeratops]

DC1 is starting secondary school in September.

I’ve just received an email from the school containing information for parents of new starters.

Whoever has sent the email hasn’t used bcc.

I clicked on the “to” bit of the email, and there’s a massive list of names.

I can see from the address section, an alphabetical list of first name & surname of new Year 7 students, plus the email addresses of who I presume is listed as their first contact person in the schools database. It’s basically “Child 1’s parent/guardian - then parent’s email address; Child 2’s parent/guardian - then parent’s email address” and so on. With whatever parental relationship is relevant listed after the child’s name. Which includes Foster Mother / Father in some cases.

I’m guessing from the number of names listed that this email has gone out to most, if not all, parents of new Year 7 students.

So…. This is unusual to see in an information email sent to a whole bunch of people, but does this count as a breach of data protection?

I’m not thrilled about having my email address shared like this, but I’m not sure if complaining to the school about it would be an overreaction.

Yes that's a problem! Report it to them asap.

It is a data breach and you should let them know asap so they can follow their breach procedures.

It absolutely is a clear beach, no blurred lines here

Yes, it is.

What they need to do in future is address it to themselves and then add the mailing list as bcc (after enabling the option of bcc to be displayed on Outlook).

It's unfortunate - I think it should be drawn attention to, rather than going ballistic, mainly because the odds are that they'll get that from some of the parents in any case.

Thanks all.
I’ll send them an email to report this issue.

So talking about this with DH, and he’s worrying about the school taking it out on DC1 if I report this.

Is that likely?
The draft email I showed DH was worded politely.

They probably already know but you should def email them, it won't go back to your child. Just say your not happy - they should email an apology at the very least or have a proper procedure

Really? Your dh thinks teachers are going to pick on your child because you did them a massive favour and alerted them to something which could get them in a whole heap of trouble?

They won't take it out on your child. If it's anything like my school, the people responsible for sending these messages out don't have many interactions with the students. A polite message is the way to go.

Not at all likely. Please let them know so they can make sure it doesn't happen again.

With respect to your DH, he's being ridiculous. The school needs to know and follow their procedures. It's unlikely that the name of the person who reported it will make it past a couple of key people - senior leaders will need to be informed of a breach but not necessarily WHO reported it. The core teaching staff, even less likely. We certainly don't report that in our logs for Heads of Department (not a school).

Plus, for all you know after all these hours have passed since you spotted it, you could be the last parent in the entire year to report it - are they really going to penalise the entire year group?

Quick side point, but that's a fairly basic method to avoid this for a mulgi million pound organisation - which is what a school is at the end of the day.

They should well be able to afford an email mailmerge tool which would eliminate this risk rather than reduce it.

Come on, he's being a total silly billy. Does he think the school data protection officer is going to be circulating a photo of your son to all staff with an nstriuction to take it out on him?😀

Sorry to read about your DHs view. Perhaps some training in data protection should be found for him.

I'd have phoned the school if it was term time or spoken in person, but understand why you chose email.

It's really unusual for a school to send emails
like this in the first place. I would absolutely email them. They will then report it to the ico. It's a minor breach though in the scheme of things.

If schools don't respond to safeguarding issues immediately it's an instant Ofsted fail.

You child's name would be protected under gdpr

Thanks for the reassurance 🙂

Yes, on reflection, it does seem unlikely that all the teachers who’ll be in contact with DC1 will even know that I’ve sent an email about this, much less penalise DC1 for it.

I’ll point that out to DH too.

Imagine if there were children in care whose parents had friends with children at the school and now had the email address of the foster carer, or similar. Not ok.

It looks like there’s several children in care starting Year 7 from that list.

Like on the list it says “Child X - Foster Mother” then an email address.

Definite breach of GDPR. The school will be grateful for you dropping a polite reply telling them (not complaining, informing). Although they're probably going to get an email from half the mailing list. Your son needn't worry.

Watch out for the eejit that will hit Reply All to tell them about their error and make it as a complaint rather than informing them - probably using a few choice words and shotgun spelling/grammar.

It's up to the school to investigate the breach and decide whether or not they need to inform the ICO.

Definitely. I had this when we were invited to an online open evening.

Your DH is being ridiculous.

I would drop them a message letting them know, our head teacher did this just before the holidays and then sent another email a little later on apologising for the data breach and said they were reporting themselves to the relevant people. I’m assuming someone contacted her to let her know she had made the error.

I'm surprised you haven't had any reply emails from people who have simply hit "reply all" on the email without thinking yet ;-) when this happened to me a few years ago there were dozens of "eeek this is dreadful" emails that ironically went to all recipients .... sigh

But yes. Definite breach.

I am sure the school is aware of this already but I would send a note to register your feedback. I dont think this would reportable to the ICO but the school will have a data loss register and will have to report somewhere under their Governance requirements.