
Is this a Data Protection breach? Email from school.

46 replies

CryCeratops · 24/08/2022 13:18

DC1 is starting secondary school in September.

I’ve just received an email from the school containing information for parents of new starters.

Whoever has sent the email hasn’t used bcc.

I clicked on the “to” bit of the email, and there’s a massive list of names.

I can see from the address section, an alphabetical list of first name & surname of new Year 7 students, plus the email addresses of who I presume is listed as their first contact person in the school’s database. It’s basically “Child 1’s parent/guardian - then parent’s email address; Child 2’s parent/guardian - then parent’s email address” and so on. With whatever parental relationship is relevant listed after the child’s name. Which includes Foster Mother / Father in some cases.

I’m guessing from the number of names listed that this email has gone out to most, if not all, parents of new Year 7 students.

So…. This is unusual to see in an information email sent to a whole bunch of people, but does this count as a breach of data protection?

I’m not thrilled about having my email address shared like this, but I’m not sure if complaining to the school about it would be an overreaction.

cakeorwine · 24/08/2022 21:47

How come you can see more than just the email addresses? It's unusual to see the extra details that you've added in an email address header.

But yes, the email addresses make it a breach. The extra information with child's name and relationship is much more serious - but I am surprised that's on there.

Twinklesun · 24/08/2022 21:57

Given that this is children's details (albeit their parental contacts and relationships) as children are afforded extra protection this is a pretty big breach. Your dh will need thicker skin if he doesn't want to complain. You will need to advocate for your child quite a few times I imagine.

Sidekicksimone · 24/08/2022 22:50

I work with schools as a DP advisor so here’s my tuppence worth of advice. Sorry it’s a little essay, but it may be helpful for the OP to know what the school is considering.

We support about 180 schools and get about five of these kind of email breaches a week. Most of the time, the breaches are recorded in house, and the school emails the parents again asking them to permanently delete the email they received in error and not to share the info further (e.g. by using the email addresses as a handy contacts list for your child’s class).

This is followed up with a letter of apology to the affected parents explaining how it happened and what the school are doing to reduce the risk of it happening again. The letter should also give advice on how the parents can reduce any risk to themselves e.g. by checking their email account hasn’t been compromised by looking it up on Have I Been Pwned.

Generally it’s caused by the poor sod in the school office, who is doing about a million things at once, including sending emails to parents. They know they should use BCC, but they slip up. Most schools I work with still use Outlook for school comms - a few have specialist comms tools such as ParentMail, etc, but these can be quite expensive so can be the first thing to go when budgets are tight. Schools using Teams, Google, or even Tapestry can send messages without manually inputting addresses.

Ideally the school should spot the breach straight away, but sometimes they don’t, and the parents are the first to let the school know.

As I say, mostly the breaches are recorded in house without escalation to the ICO because the risk to parents is usually quite low. Parents won’t usually use the email addresses they’ve seen in a way that could be harmful. The real damage is usually to the trust between the school and parents, and the school should be acting quickly to preserve this. OP, they will not discriminate against you in any way for spotting the breach.

In some cases though, a BCC email breach can be high risk enough to inform the ICO. Generally the ICO only need to be informed if there is a likely risk of harm or something harmful has actually happened. There’s a likely risk of harm if lots of email addresses are disclosed, but sometimes it’s more about safety. Last year, a school emailed its new parents without using BCC, and one parent had recently given evidence against a local criminal. He was really worried that someone in the community would realise his child went to the school in question, and his child would be at risk. So we reported this to the ICO because it reached the threshold of causing him significant emotional harm.

In summary… these breaches happen a lot (people make mistakes) but the school should be acting promptly to assess risk and reassure parents. Any decent school will be grateful to you for letting them know.

Sidekicksimone · 24/08/2022 22:54

I should also say that the breach you’ve described sounds like a lot more than just email addresses, and for a whole year group? Yes, they should really consider escalation to the ICO, even if no harm has been reported yet. The ICO can help regulate the school’s response to the breach.

Nacknick · 25/08/2022 07:08

To be honest you should stop looking at it as well. You know it has been incorrectly shared so why are you scrolling through the list and looking at the details? Delete it and tell the school surely.

Poppyblush · 25/08/2022 07:36

You should have called the school immediately as there was a chance they could recall the email.

carefullycourageous · 25/08/2022 07:44

CryCeratops · 24/08/2022 19:04

So talking about this with DH, and he’s worrying about the school taking it out on DC1 if I report this.

Is that likely?
The draft email I showed DH was worded politely.

Your DH is being ridiculous.

Is he generally paranoid?

picklemewalnuts · 25/08/2022 09:20

If you ever get an email with a breach like this, you should reply immediately pointing it out, and phone.

It may be possible to recall the email and reduce its exposure if you act fast.

And the person who did it will be embarrassed and upset, not cross you pointed it out.

littleducks · 25/08/2022 10:00

I've had this with and replied all simply stating "just so you are aware this email was sent cc rather than bcc so all recipients emails have been shared"

I might not always notice so would have preferred if others did notice they reply all to draw my attention to it

carefullycourageous · 25/08/2022 10:07

littleducks · 25/08/2022 10:00

I've had this with and replied all simply stating "just so you are aware this email was sent cc rather than bcc so all recipients emails have been shared"

I might not always notice so would have preferred if others did notice they reply all to draw my attention to it

You are just compounding the problem doing that, the correct process is to alert the sender.

carefullycourageous · 25/08/2022 10:07

carefullycourageous · 25/08/2022 10:07

You are just compounding the problem doing that, the correct process is to alert the sender.

And this course will definitely mark you out as an unhelpful parent IMO.

littleducks · 25/08/2022 10:19

Interesting you say that, an earlier post made me think was disapproved of by some and so made me wonder. I have appreciated when others have replied all and highlighted it so would have done if I was first to notice, wouldn't have added to a barrage of reply all emails though if others had first.

I don't think there is a "process" to follow if you are dealing with general public rather than at work etc, so hard to know what is thought of as best by everyone.

Postapocalypticcowgirl · 25/08/2022 10:30

Yeah, you need to report it IMO, as others have said, details of who foster carers are etc could be really sensitive information and a child protection risk. However, they will probably also report this themselves if they know it's a risk.

But yes, a quick email to the sender won't have any impact on your child- as others have said, it's very likely that class teachers won't know anything about this!

picklemewalnuts · 25/08/2022 10:36

Littleducks if you reply all then it makes the information more widely available- to the people who haven't yet noticed it.

The sender of the original email should send another correctly BCC'd informing people that
'Email was sent at 3pm yesterday which contained the email address, relationship and names of students. Our apologies for this inadvertent error. Please contact us if you have any concerns.'

That way, people are made aware there was an error without the error being repeated. Those who need to take further action (inform SS, change email address, in extreme circumstances change school) can then do so.

Enko · 25/08/2022 10:39

@cakeorwine. Often when a programme is used to generate email addresses they have short codes so in this case say parent 1 2 and then a 3rd option that will explain further. Foster/aunt/grandparents when the programme generates the emails it can then at times (if poorly programmed) take the short code option as the main show part of the email so it would look something like this

Fostercarerchild1Enkomumsnet<<[email protected]>> the highlighted part would be fostercarerchild1enkomumsnet but if you hover over it you get the full email.

Hope that makes sense? We use a similar programme at my work and I never see the actual email unless I hover, just the short code. Can be really handy but can also, like OP described, end up giving more information out than needed.

Alicetheowl · 25/08/2022 10:47

Just send a quick polite note to the sender, maybe also saying you realise that they will be very busy gearing up for the start of term and accidents happen. As for people saying the email could have been recalled, there is a pretty short window for this to happen, so unless the OP opened it immediately, and the phone or reply email was answered or read immediately, the horse would have bolted by then.

Enko · 25/08/2022 10:47

Will also add short codes come in handy when you need specific people so if say I want to email Bob the Builder at work all I type in is Bobthe and it comes up I do not have to remember that "Bobs" email is say [email protected]. (name made up) so there are benefits for short codes they just need to be programmed right. In OP's case it appears it takes in both short code and option.
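The display name that travels in front of each address, and the missing-Bcc mistake this thread is about, can both be caught by a check on the To/Cc headers before a message leaves the office mailbox. The following is an added example, not part of any poster's message or any school's tooling; the threshold, keyword list, domains and sample message are constructed assumptions.

```python
from email import message_from_string
from email.utils import getaddresses

# Assumed policy values for this sketch, not taken from the thread.
MAX_VISIBLE_EXTERNAL = 3
SENSITIVE_WORDS = ("foster", "guardian", "mother", "father")

# Constructed sample: display names carry a child's name and relationship,
# as the original poster describes; every address is a placeholder.
SAMPLE = """\
From: School Office <office@school.example>
To: "Child One - Foster Mother" <carer1@mail.example>,
 "Child Two - Father" <parent2@mail.example>,
 "Child Three - Guardian" <parent3@mail.example>,
 "Child Four - Mother" <parent4@mail.example>
Cc: head@school.example
Subject: Information for new Year 7 parents

Welcome to the school.
"""

def audit_recipients(raw, own_domain):
    """Return (findings, visible_external) for the To/Cc headers of one message."""
    msg = message_from_string(raw)
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    findings, external = [], []
    for name, addr in getaddresses(headers):
        if not addr:
            continue
        domain = addr.rpartition("@")[2].lower()
        if domain != own_domain.lower():
            external.append(addr)
        # The display name is delivered to every recipient along with the address.
        hits = [w for w in SENSITIVE_WORDS if w in name.lower()]
        if hits:
            findings.append(f"display name for {addr} exposes: {', '.join(hits)}")
    # Bcc is deliberately not inspected: recipients never see that header.
    if len(external) > MAX_VISIBLE_EXTERNAL:
        findings.append(f"{len(external)} external addresses visible; move them to Bcc")
    return findings, external

if __name__ == "__main__":
    for line in audit_recipients(SAMPLE, "school.example")[0]:
        print("HOLD:", line)
```

A check like this belongs in whatever step builds the message from the contacts export, so the message is held before sending rather than recalled afterwards.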

CryCeratops · 25/08/2022 11:12

I sent an email last night politely pointing out the issue.

So the school should definitely know about it now, and hopefully it won’t happen again.

RiverSkater · 25/08/2022 11:27

The person who sent it will be mortified and it will be taken seriously.

Something similar happened within a healthcare setting, only all the recipients were HIV patients and their confidentiality was breached by everybody knowing they had HIV.

YippieKayakOtherBuckets · 25/08/2022 11:46

You were right to report it. The school will likely have to self-report the breach to the ICO. There will be absolutely no repercussions for your DS and it's sad that your DH assumed there would. Did he have a negative experience of school himself?

NeverDropYourMooncup · 25/08/2022 11:57

It would be unlikely to happen again, as once the kids are admitted on the system, they'll be available as an email group for a specific app (most schools use them now).

It sounded as though the original was a cut and paste/merge from a spreadsheet of the preadmission group on Outlook or even that some unfortunate has been tasked with creating a contacts list one by one. Schools don't always have the most up to date software and are frequently completely unaware of the most useful tools/what integrates with the existing systems, never mind putting money into training admin staff or teaching ones in the things they already have.
