GDPR breach?

[Snard4]

Would you say it was a breach of GDPR to send letters home to secondary school pupils with a lists of other pupils’ full names? I think it is but just wanted to see what others think. TIA.

Anyone? Please, I’d just like yes or no answers. Thank you.

Our school wouldn’t do it, but we have a thing about how much info we hold - so a list with names would also need addresses and a photo to be considered a GDPR breech ie 3 pieces of identifying data.

Just names, I wouldn’t think so no.

No it’s not

It depends on the linked information. An info letter to everybody in 7B with all names on display is different to a letter to everybody who had a detention for beating somebody up.

Of course it's not!

Thank you! Much appreciated.

I’m a teacher and I’ve done some GDPR training. I would say this did fall into it based on what we’ve been told as staff. I could be wrong of course but we aren’t to name children in any correspondence that goes to other parents!

If it was unintentional then while not a GDPR breach it may be noted as a "near miss" and not in line with school policy. So the process may need review to remove the risk.

I am, too, @Rycbar . I personally think the school is on dodgy ground, but I needed to hear rational opinions.

It was entirely intentional! Thank you for your response.

No.

What freedoms and rights have been breached? Most schools would be in breach on prize giving day or school events if this were a breach.

It isn't a breach. Names are public domain I believe. If the list also had say, DoB, addresses and phone numbers then it would be a breach, unless those people had agreed for the information to be shared in that way, and it was absolutely necessary to do so.

I work for a LA and it would be a breach.

I think it depends on the context. I'm looking at the communications from our school and we certainly get a newsletter that includes student first and last names. It isn't a list of all students or a list of students with any other personal data attached, but it is things like Anne Smith and Lucy Jones are representing Year whatever in the cheerleading competition held at wherever. Or here is some artwork from Mable Staines in Year 8. Perhaps these names have been shared with permission, but there are definitely first and last names included. These are shared via email and posted to the website and Facebook page.

Arguably a breach but it depends on the context whether it is a serious one or not.

And I work for an LA and it wouldn't. What have we just proved?

The context aphid be important, but I doubt a simple list of names would constitute a breach - otherwise a prize giving ceremony would have to be reported in secret!

OP instead of posting esoteric questions, what exactly is your beef about this?

We get sent a list ever week of who has been selected for the school football team, so 13 full names. I don’t think that counts as a breach (and I’d be appalled if it did).

Did they give you all the names of the entire year group? Or just a select group that are going on a trip or similar?

“OP instead of posting esoteric questions, what exactly is your beef about this?”

I wanted simple yes or no answers! I’m not discussing my “beef”. Thanks to all the responses so far.

I don’t think anyone can say yes or no without the context.

It absolutely is.

We aren’t allowed to put anything in a normal bin that has both forename and surname of students on it, not even worksheets. They should go in confidential bin. Unless permission has been given to share names in this way, it should be reported as a gdpr breach. School should have a named person to report this to who should then self report the school.

It’s the linking of the name (and thus, person) to the school that is the breach.

Depends what the privacy notice says and the lawful basis for processing stated within

we are not allowed to use surnames at all in school now, in our MAT