GDPR breach?

[Snard4]

Would you say it was a breach of GDPR to send letters home to secondary school pupils with a lists of other pupils’ full names? I think it is but just wanted to see what others think. TIA.

Any organisation can have a privacy policy that goes beyond the GDPR. That does not mean it is reportable or is a breach of the statute. It is crackers to say a school list of children's first and last names is a GDPR breach.

As a privacy lawyer this is what we'd call a technical breach. It is a breach but it isnt going to go anywhere at ICO or claim wise.

Plenty of people have, though! It has been useful.

You may not have noticed, but some people said yes and some said no - and not one of them knows the answer. That is because the context - your beef - is critical to the correct answer. But if you want to kick off at the school, just go for it - they won't be in the slightest bit interested in the uninformed opini9ns of av bunch of random people on the Internet. Or get a proper legal opinion. Which costs money and might be even correct.

It isn't a case of what people think it is not a breach of GDPR.
That is a fact.

You can see the full names of everyone in the class on google classrooms. Who cares?

It could well be. But it also depends on the circumstances. A parent at DD's school got worked up about something which was a technical breach as it was sharing a list of pupils doing an activity but as DD could give me the names of all of those pupils anyway, it didn't matter. If it was the SEN register or something, it would be very different.
What harm has been caused by the breach?

How is it useful to have one post contradicting the previous one throughout?

This.
It's not an all singing all dancing GDPR breach.
The school itself may have its own additional "rules".

What the hell are you on about? I mean my thread has been useful.

I just wanted to know if it was a breach or not, and it appears that it could be considered a breach in certain circumstances, or it could not. Because I haven’t had a unanimous yes, I am not as concerned as I first was.

If you’re not going to answer my question, but just bloody pick holes in my post, then why bother?

Thanks again for all the information.

Woah, angry much, all though this thread poster A says no breach, poster B says breach, poster C says no breach, poster D says breach etc

I'm asking how that can possibly be useful

Under the GDPR a name is personal information, and especially so with both first name and surname.
But alone names, are not sensitive personal information

A breach is always dependant on context.
There should be a policy on the handling & sharing information and when it was collected the suitable purposes for which information could be used & shared should have been stated

The links below cover both the post Brexit UK legislation and the EU legislation / regulations

Purely based on your original post I would not say that a school email sent to parents/guardians for school purposes with a RELEVANT list of names is not a GDPR breach
But if there was no good reason to provide addressees with the list then it could be a breach - particularly subject to the schools information policy.

Even the addressees of an email in the to / cc boxes could be a GDPR breach. A semi better option is bcc but quite often when intending to use bcc email addresses have been exposed as GDPR breaches. There are other methods for bulk mailings

https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/personal-information-what-is-it/what-is-personal-information-a-guide/

https://www.gdpreu.org/the-regulation/key-concepts/personal-data/#:~:text=The%20definition%20of%20personal%20data%20is%20any%20information%20relating%20to,Phone%20number.

The thing is - what is a GDPR breach and what should be done is subjective

Understanding and assessing risk in personal data breaches | ICO

Personal data breaches: a guide | ICO

There is a lot of information in there.

Great! Thanks so much for all of the information 😊

How is a ‘yes’ or a ‘no’ a ‘rational opinion?’

Oh my word. (UK)GDPR really is the legal nonsense of our age.

Its intention, and the predecessor law’s, was to stop sinister profiling and underhand data collection. But it seems to have become mostly the hobby of every pettifogging complainer.

There’s a cottage industry now in compo or vindictiveness for the most pathetic breaches. The courts have got a bit wise - dismissing some claims or flicking them off to the small claims track - but not wise enough yet. 99.9% of complaints about data breaches should be binned.

Even if something is technically a breach, an organisation is only going to face any consequences if it causes actual material harm.

It frustrated me when people clog up organisations and the ICO by getting excitable about purely technical breaches that haven't caused any harm to any one

Yes, unless the school has consent of the parents to share the names it’s likely a data breach.

Any information that leads to the identification of a person is personal information and processing (i.e. sharing it) without a legal basis (I.e. consent) is a breach.

it doesn’t matter the the data is “in the public domain”

it doesn’t matter that there are no risks to rights and freedoms of the data subject (this is relevant to reporting and sanction)

it doesn’t matter that the data is not sensitive.

unless there is consent or a very specific set of circumstances that would allow an alternative Article 6 bases to exist this is a data breach.

@LeSoleil

It is crackers to say a school list of children's first and last names is a GDPR breach

except it is a breach.

OP if you have a genuine reason to be concerned about this - eg you are a foster parent who did not want this information shared. Post on the legal board. it’s a generally nice, helpful crowd who can give advice.

if you’re just pissed at the school and want a stick to beat them with, you’ll get precisely no where.

“OP if you have a genuine reason to be concerned about this - eg you are a foster parent who did not want this information shared. Post on the legal board. it’s a generally nice, helpful crowd who can give advice.

if you’re just pissed at the school and want a stick to beat them with, you’ll get precisely no where.”

Thank you. I am furious with the school and am waiting til after half term to have a meeting with them.

How is your comment useful to anyone?

"Any information that leads to the identification of a person is personal information and processing (i.e. sharing it) without a legal basis (I.e. consent) is a breach"

And yet at the same time....the names of children at a school can be published in the media via exam results

Exam results | ICO

Publishing examination results is a common and accepted practice. Many students enjoy seeing their name in print, particularly in the local press and the UK GDPR does not stop this happening. However, under the UK GDPR schools have to act fairly when publishing results, and where people have complaints about their or their child’s information being published, schools must take those complaints seriously.
Schools should make sure that all pupils and their parents or guardians are aware as early as possible whether examinations results will be made public and how this will be done. Schools should also explain how the information will be published. For example, if results will be listed alphabetically, or in grade order.
In general, because a school has a legitimate reason for publishing examination results, pupils or their parents or guardians do not need to give their consent to publication. However, if you have a specific complaint about publication of your results, you have the right to object. Schools should consider objections from pupils and parents before making a decision to publish. A school would need to have a good reason to reject someone’s objection to publication of their exam results.

No not here.

@cakeorwine I’m not sure what your point is? I made it clear that the school would need a legal basis. I used consent as it is likely the only bases applicable to the fact pattern the OP set out. Legitimate interests are an alternative basis which may be applicable to exam results but don’t appear to apply in the OPs case, are you suggesting they do?