GDPR breach?

[Snard4]

Would you say it was a breach of GDPR to send letters home to secondary school pupils with a lists of other pupils’ full names? I think it is but just wanted to see what others think. TIA.

Some context is needed really.

A list of all kids with SEN at a particular school wouldn't be acceptable and you'd be right to be cross.

OTOH a list of kids sharing a room with your DC on a trip might be needed.

Whoever said there's a cottage industry in these spurious claims is correct. Same with the cottage industry for. 'FOI' requests. Utter ballache for schools and what do parents gain?

It could be a breach if the data has been misused, only you will know that. Gdpr covers data which can be used to identify someone, so if the letter refers to Ellie Smith in year 9, then that data could be used to identify her then yes it could be a breach if they didn't have consent or a good reason to use her data in that way or it was likely to cause harm to her reputation or whatever.

Would you find it fascinating if your workplace sent a group letter out with your name, address and salary? Or your sickness record, or your disability?

Or your insurance company left an unlocked laptop lying around with your bank details? If you complained would that just be you beating them with a big stick?

At which point is a data breach not a "stick to beat someone with" or "fascinating"?

Schools aren't always victims and they need to comply with legislation just as much as the next organisation.

So your school doesn't publish its GCSE results, sports days, prize giving etc?
What on earth can be done with a name? It's not actually identifying anyone. It's not giving their DOB, address, bank details.
Interested to know.

The world has gone entirely bananas.
The names of a child's classmates got sent to other parents. OMG, the world has ended. If any parent wanted to know the names of their child's classmates their child could jot them down in an instant. St Mark's School, LaLa Land, Class J.

More pertinent is why anyone should be worried and what sort of life they may be leading for that sort of worry to arise.

The old fashioned class list was invaluable. All the DC in your child's year, with parents' names, address and phone numbers. Brilliant for teas, and raising funds. Parents signed a form saying their details could be released or class reps sought out the info.

I'd be most worried about anyone who wouldn't engage, those who want to stay under the radar may well have been up to no good.

Makes note to self to wrote to children's old schools to have their names removed from the Honours Boards. Also to their universities to see if their names can be removed from the graduation handbooks.

Well your examples are all the high level drama examples are they not?
In the context of this thread no one knows if op is enraged because its a list of what house dc is in for sports day, a list for prize giving or if it is in fact a list of 'poor attendance'.

Well absolutely! All of this should be done forthwith, and honours boards should be dealt with as of road signs in war time, obliterated with black paint!!

@Watercolourpapier my workplace uses a national spine. Salaries are not a secret.

I would love to see the legitimate interest and the balancing act in why a school can publish pupils names and their exam results.

Perfectly fine to publish exam results without names.
But why should they share the pupil's names and results without consent?

Even a name and a school doesn't necessarily mean it can be used to specifically identify someone.

As has been argued, context is everything - pupils know who the other pupils are - but if it was a list of pupils for say extra support, then that would be different compared to say pupils who were going on a school trip.

@cakeorwine i agree that the legit interest in publishing exam results would be interesting to explore - as a lawyer I think it could be challenged, depending on facts, but as I said public interest and transparency probably feature in the argument. Which is presumably not a feature of the OPs situation. Of course any success in arguing against legit interests in exam results would likely further undermine the position of the school in the OPs case.

re name and school not necessarily being identifiable that’s extraordinarily unlikely given the law allows combination with other existing data sets to establish whether PI so anyone arguing that position is in dangerous territory.

anyway sounds like OP won’t be back and without facts this is all academic 😊

Would you be concerned if the milkman left you a note with your name on about next week’s milk delivery?

Some data breaches matter. The vast, vast majority really don’t. Schools are plagued with this sort of nonsense.

Nice that you have assumed that it is a breach that doesn't matter from the scant information provided. @WhatsTheUseOfWorrying

In and of itself this is a data breach. The next steps ie consequences and actions will vary on the factors of the case. All this discussion about technical or not is a red herring. If you have staff sending out personal data without understanding what they are doing, what might they send out next - FSM lists, SEN data (seen that before). I find a near-miss process very helpful for internal staff training.

For this situation with the information I have I would not escalate further outside the organisation.

Why should I not assume that?

Read the OP.

Without any context it is difficult to answer, but I'd say that on the whole, it is to be avoided.

I suspect this could be against LA policy and data training, but it doesn’t sound like a GDPR data breach at all.

Unless paired with say home address/telephone number/date of birth a name alone is not considered PII (Personal Identifiable Information). No sensitive information was “leaked” either so I don’t understand on what basis this could be a GDPR breach.

On a slightly different note, as a parent I would be a LOT more concerned to see the things we aren’t aware of.. like how the kids personal information is stored on the school systems etc.

As the DP lawyers have said, it might be in your school, but in, and of itself, it's not

@BlindurErBóklausMaður of the two DO lawyers in this thread that I’m aware of, we have both identified it as a breach

I was just about to say this! Or on platforms such as seesaw. Teachers often give out class lists for cards, invites etc.