GDPR breach school

[lmhj]

Letters home from school this week, two pages, not in envelope.

I have received two other children's, nothing for my children.

I called school and said I had this information, could they please check bags and locate mine and come back to me.

My children do not attend on a Friday.

I have heard nothing.

I would say this is a breach, I have the other children's full details, contact numbers, emergency contacts, medical info etc.

I don't know where my children's are. My emergency contact would not wish their personal number to be given out.

Am I correct this should now be reported by the school and I am right to be concerned ?

This of course could have been just a mistake and no big deal had they been in envelopes, I would have seen name and nothing else.

When and how GDPR breaches need to be reported is not straight forward.

They have so long from becoming aware to act and not all breaches need to be reported directly to the ICO.

Report if you want but if it’s a genuine mistake I wouldn’t.

It is a breach of GDPR yes - you've been given access to other people's personal data including sensitive personal data (medical details) that you don't need to have access to.

The school should treat this seriously and investigate how it happened and who's data is affected. They should also implement procedures and possibly internal training to prevent similar happening again. They have a duty of care and legal responsibility to keep the information confidential and secure.

Like you say a simple policy of ensuring that similar letters are put in a envelope with correct names on would have prevented you from seeing the information and should be a basic requirement.

In terms of if they need to report themselves to the ICO, it depends on whether they can account for all the letters. Not all breaches need to be reported - usually it would be when the breach isn't contained (they don't know what happened to the personal data and who may have been able to access it). The school should be able to make that call, but regardless they should treat it as a data breach incident and take appropriate action.

Thank you both.

@Anni23 I dont need to report it. I just wanted to know process and whether school need to.

due to the way my day works I got the wrong pages before anyone else so because I opened the school bag and alerted them it has hopefully been stopped and only I have the incorrect data.

@Baileysandcream so technically I suppose they should as they don’t know what I have done with it (nothing but is my word enough)

due to the info I have been given and the amount I am concerned

@Danglers I'm trying to be careful here but I am worried. I'm in safeguarding so let's say I'm aware of some of what I have anyway. But if it had fallen into another parents hands, one in particular that would be a disaster.

Think child protection and friend of perpetrator another parent at school

This is very poor from the school OP and agree with you in raising this. Imagine if it was details of a child who was in care with a protective order or similar. So easily avoided too.

You should report to the school, they will have someone designated as the Data Protection Officer/Lead.

You can also report to the ICO if you choose and they will make contact.

No action will be taken beyond the ICO providing general guidance on best practice. The school should also review their practices to identify if there's a way to reduce the likelihood of this happening again.

While this is a breach, an assessment will show that it was low volumes of data and there that it is unlikely that any significant harm to the individuals will result from the breach.

School in the middle of August? Didn't think Scottish schools went back until next week.

They’ve sent out what sounds like a printout of the contact and personal information for each child (presumably for checking it’s correct and accurate) and they didn’t even put it in an envelope or ensure it went to the correct child?!

I’d actually make a formal complaint, school staff should know better than that and if they don’t then they need training.

My kid’s school do this process annually - parents are warned by email it is coming out and asked to state if they want to collect it personally from the office, otherwise class teacher hands a named envelope personally to the adult collecting the child at the end of the day. Same with school reports and anything else sensitive. Loose bits of paper in bags is a recipe for problems.

Most of my wider family went back to school last well. My kids and a nephew (in a different area) go back next week.

This is why a lot of schools are moving to email & comms apps only. Much easier to prevent breaches when you've removed the manual element (stuffing envelopes) from the process.

The school will have a data protection officer - might be the office manager or business manager or ops manager, maybe the head teacher if it's a small school. If you are not convinced it's been dealt with I would try and contact them directly.

I work at a school where a similar thing happened. We reported ourself to the ICO as it was a data breach. They were spectacular uninterested by it. Said we should review our processes/training but it was just human error and not to ring with such a matter again basically.

Exactly this happened to me years ago when my children were at school, so things don’t improve and people don’t learn from mistakes.
As it happened , I used to help in the classroom on one afternoon a week so I got the letter first and was able to alert the teacher.
The teacher had been given a pile of letters with everyone’s name on. She just thought it was one each and didn’t read the names. She was an excellent teacher but clearly someone in the office should have put the in named envelopes.

Thank you all. I have the reassurance I'm not over reacting as I do err on that side.

@NeverDropYourMooncup what???? My children returned to school this week. On Wednesday. As did many others.

Why is that even slightly helpful?

@Leafcutterantsarecool yes. The envelope would have meant I could only see name.

Emergency contacts, doctors, allergies, medication, phone numbers, work phone numbers, the lot.

I don't understand how your dc got it - they came up and lifted it off a table, or the teacher handed it to them...? Did they think your dc was the other child?

@Scotteacher they put it in her bag. X 2 bags x 2 children. Correct flu letter in sealed envelope. Incorrect loose sheets of data documents. Email to say they were being sent home in bags

That's because there's no money or interest in fining a school.

Gosh. That's shockingly awful

How do you know the teacher put it in the bag rather than the students? I wouldn't have thought they would have time to do that

@Scotteacher age.

Small school.

Knowledge of workings.

Just an envelope would be perfect.