GDPR breach?

[Snard4]

Would you say it was a breach of GDPR to send letters home to secondary school pupils with a lists of other pupils’ full names? I think it is but just wanted to see what others think. TIA.

OP why are you furious?

You've had plenty of replies.

Imo how can a name be a breach, most other kids in the school know the names of others. I'm not sure you could argue harm from knowing a name which is already known to be at the school.

Name plus other info is potentially a breach.

My son is in P7 (Scotland) and their leavers hoody's have the first and surname of each child in the class printed on the back. This is with the school badge on the front. I was a bit taken aback that they included surnames but didn't consider it to be a potential GDPR breech.

Imo how can a name be a breach, most other kids in the school know the names of others. I'm not sure you could argue harm from knowing a name which is already known to be at the school

you don’t need existence of harm for a breach to exist.

and (the U.K.) GDPR concerns processing not knowledge, so kids knowing names is not relevant to the consideration.

It is not.

I spent two weeks writing my company's GDPR policy and we are HIGHLY regulated by an external body which means if we got this wrong, game over.

She’s very angry, isn’t she!

I spent two weeks writing my company's GDPR policy and we are HIGHLY regulated by an external body which means if we got this wrong, game over

Good for you 🤣 you’re still wrong.

Instead of telling me how clever you are perhaps detail why you believe it’s not a breach. Are you claiming it’s not PI? Or the school have legit interest? It’s not clear. You reference reporting in your first post, are you suggesting disclosures are only breaches if they meet the reporting threshold?

Why are you so angry? Presumably the pupils know one another's names?

I'm a highly experienced DPO and lawyer and I am curious how you can possibly be certain about this when the op hasn't given any context to the list of names?

Firstly it's a technical breach either way (a name is personal data)

Secondly, it could be anything from trivial to the most serious breach depending on the context (what the list was about, who the list went to, whether anyone on that list had a particular sensitivity)

But you need harm for any compensation. Distress will do. That’s what most GDPR compo chancers rely on.

Is compensation what the OP’s after? Who knows. It’s difficult to see what other reason there could be for the OP’s objection to disclosure of data to people who already know it.

But you need harm for any compensation. Distress will do. That’s what most GDPR compo chancers rely on

Yes but that wasn’t the question.

We don’t know what the harm was, if any, it could be nothing it could have been significant - as I alluded to in a previous post.

on the disclosed fact pattern this is a breach, unless an article 6 basis applies.

the existence of a breach and whether compensation might apply are two entirely different considerations.

I am so sorry but I can’t really give any more details or information, which I know is frustrating. I am grateful for the discussion, though; as I explained above, even the contradictory nature of the responses is helpful to me. I am angry with the school, yes.

I understand that. That’s what I said.

But “breach” can be and often is meaningless.

Again as I said, on the facts there is no reason to think that the “breach” is of any significance at all. The data was disclosed to pupils. Pupils already know who attends the school.

(If there was a good reason for listing names there may well be a legitimate interest anyway.)

@WhatsTheUseOfWorrying maybe you didn’t intend to quote tweet me then? 🤷‍♀️

Eh?

“Tweet” was a typo.

You quoted my statement that this was a breach, stating “but you need harm” for compensation. I pointed out that the existence of harm is not relevant to the issue of breach. You have responded that is what you said. In which case I have no idea what your original point in quoting me to say “but you need harm was”

but maybe you were just saying what I was saying in the first place or you didn’t mean to quote me at all. 🤷‍♀️

My point is:

What is the difference between publishing names in the paper and publishing names like this?

To what degree is a name personally identifiable data? Coupled with a school, then it helps further identify someone

Legitimate Interest is used as the basis for exam results - and is the basis for sharing this data

The data has been shared. Is it personally identifiable data? Or would it need further information to make it identifiable?

I can think of serious cases where emails have been shared and it is personally identifiable AND causes harm - e.g. Afghan translaters, patients at a gender identity clinic.

I am not exactly sure if a name by itself comes under personally identifiable data.

What is personal data? | ICO

I suppose some pupils could be identified if names were unusual

But is a name personally identifiable data?

John Smith by itself is meaningless.

But add more data and it gets identifiable

@cakeorwine
Yes a name is personally identifiable data. It doesn’t necessarily need to be identifiable to the person to whom the data has been disclosed, or indeed to the processor or controller but if it can be combined with other existing data sets to lead to the identification of an individual then it is PI under the doctrine of singling out. This is settled law.

In this particular case an additional data characteristic has also been disclosed i.e the subjects attendance at a particular school, this increases the likelihood of singling out and is a (minimally) aggravating feature of the breach.

We don’t have the facts to establish whether there is a legit interest to disclose, but a school communication is not analogous with the publication of exam records where you could argue there is a need for process transparency and public interest in the disclose of exam metrics.

(edited to add pp name)

School data manager. Yes it is a breach. Some other examples provided by pps which may look Similar eg team information might be disclosed by.consent. A different legal basis under GDPR.

As the DP lawyers have said, it might be in your school, but in, and of itself, it's not.

If it was in the context of something like naming and shaming those with low attendance, I would be furious too. Just a guess. This is the kind of thing superannuated academy heads get up to these days.

Sorry didn't read all of this but I think if in doubt you could ask the ICO.

Sounds really unnecessary and therefore a long way from best practice, I think sounds like a breach personally but I'm not an expert.

Well done for raising this.

Thanks @WhatsTheUseOfWorrying 'pettifogging' is now for my vocab bank alongside 'querulous'!

I find things like these 'breaches' fascinating and they just add to my thoughts of 'who the fuck is mad enough to work in a school these days' am sure what ever gov body regulates this isn't on holiday now, so why not contact first thing, if its so awful that it's raised this palpable rage in you, unless as pp said you just want to use whatever happened as a big stick to threaten or beat the school with?