To complain about school's breach of DPA?

[sananbaz]

My DS(9 yo) has brought out an envelope from school (addressed to us) with a copy of his care plan to sign. Also in the envelope is a consultant's clinic letter and minutes from a TAC (team around the child) meeting for a different child at his school. I don't know this child or her parents. It contains name, address, DOB, and various diagnosis. I immediately returned the paperwork to the school office and pointed out how serious a breach of data protection and confidentiality is, but the receptionist didn't seem to look at all bothered, took it from me and said she'd give it back. I said I thought it was quite serious and that I would send an email - she didn't seem interested.
So, aibu to email the head and the senco, telling them what happened and that I'm very concerned how poorly sensitive data has been mishandled or am I blowing it up more than is necessary? And if I do email, what sort of key phrases will get them to take this seriously?

www.legislation.gov.uk/ukpga/1998/29/contents

Read through the DPA so you have an idea of:
a) whether a breach happened
b) what consequences the school can face

The receptionist had nothing to do with the original letter, it would have been the SENCO.

SENCO will feel physically sick when she finds out what she did and will take extra care in future. Depends what you hope to achieve really.

As my child has medical needs and a care plan, I'm hoping to ensure that his information isn't handed out to total strangers (or worse, someone in his class). Does it sound like I'm just trouble making? That's not my intention.

It is sensitive personal data and is definitely a breach. However, no damage or distress has been caused to the other data subject, i.e the other child, as you have handed the information back and they are presumably none the wiser. I'd write or e-mail raising the matter with the school and see what they respond. Depending on what they respond, you may wish to complain to the ICO, but they will expect you to have approached the school first.

PS I can help you with key phrases if you like.

Thank you, lovewineandchocs. My plan was to email the school, tell them what happened and ask how they can ensure it doesn't happen again. My fear is that medical information is so personal - from my son's perspective, he would be mortified if children in his school discovered information about his continence issues. He has other visible things - such as adaptive aids, but he absolutely would never go to school again if other children knew about his continence issues. I think they've had a lucky escape that it came to me and I returned it straight away. Also, my DS would never open a letter sent home to us, but I know some who do.
Some helpful phrases would be lovely

A similar thing happened to me, my dc was being referred for investigations, the referral along with data on her performance within the class was sent to the LA. The postage was not correct and the LA rejected the letter (policy apparently that they will not pay excess postage) letter was opened by royal mail as there was no return address and they returned it addressed to my dc as that was the address on the form, there was no covering letter from school so the post office in fairness had done their best to return to sender.
I opened the letter and saw all the referral information and the data on all the other pupils in the class as it had not been redacted!!!
I returned it to the head (who went white) and followed up with a letter, not stroppy just raising concerns.
Upshot was that I received an apology and the internal procedure within the school was changed so that it could never happen again. This was a few years ago and I did not mention it to any of the other parents as I felt the school were dealing with it, if they hadn't I would have taken it further.

Lovewine- won't the school be obligated to inform the other parent though?

We all make mistakes, I doubt they weren't being careful.

This happened in our previous school - an SRB unit - twice.
We let the teacher know - and then the head teacher....
Like you we returned the other childs paperwork immediately but it did make us nervous about whose paperwork was going where!
We did not make a formal complaint though as we felt a human error had been made and hoped after we told the head then it wouldn't happen again (and didn't in 2 years).

Ok.

Dear [school]

On [date] I received a copy of my son [....]'s care plan to sign and return to the school. In the same envelope I found consultant's notes etc....relating to [.....] who is also a pupil at this school. Upon realising this, I handed the other pupil's paperwork back to the school immediately.

I am extremely concerned about this, as the other pupil's paperwork contained a great deal of personal data, much of which would be classed as "sensitive" under Section 2 of the Data Protection Act 1998 and which should only be processed where conditions for processing as outlined in Schedules 2 and 3 of that Act are present-to the best of my knowledge, they were not, and it is highly unlikely that they would have been.

According to the provisions of the DPA, the personal or sensitive personal data of an individual should not be disclosed to a third party without that individual's explicit consent, or where disclosure is necessary or justified in some limited circumstances, none of which were present in this case.

The School, as a registered data controller, has an obligation to keep the personal and sensitive personal data of its staff, pupils and others secure and to guard against its unfair and inadvertent disclosure to others.

I am concerned that, on this occasion, that obligation has not been fulfilled and that the DPA has been breached.

As a parent whose child is under a care plan, I rely on the school to fulfil its DPA obligations by keeping his personal information safe and need to be able to trust that this is being done.

Please provide me with an explanation as to how this error occurred and with your firm reassurance that this will not happen again. Please also provide me with a copy of the school's Data Protection Policy and details of any specified Data Protection Officer.

I look forward to hearing from you in early course.

Yours sincerely

Hope some of this is of use to you OP

didldidi under DP they are not-the school would be advised to assess whether telling the other parent and the damage/distress it would cause would be disproportionate. I'm not sure whether there is other school-related legislation or policies which would oblige them to. If they did, then the other parent could also make a complaint and refer them to the ICO.

Definitely not bu - they could be fined literally thousands (£100,000+). Many local authorities have been - they need to take this very seriously.

Wow, lovewine, that's amazing! Thank you. I may adapt it to sound a bit more like'me' though! I particularly like the bit about relying on the school to fulfil dpa obligations.
I think their data protection policy might be on the website, so off to have a look!

Thank you for everyone who shared their similar experiences - it's worrying that it isn't an isolated event

I'd be cross with the school and let them know but personally I couldn't take any further from that. People are human and make mistakes, accidentally putting a piece of paper in the wrong envelope shouldn't cost someone their job.

Good luck OP! Sheldon I agree but think it depends on how the school reacts. Apologies and reassurance, fine, the Commissioner wouldn't take action if these had been offered and it was an isolated incident, but she would if the school showed that they didn't give a damn and repeated this sort of thing. A breach is one thing, it's all about how the organisation handles it.

No need to become an amateur prosecutor citing the law etc.

Be constructive: point out the seriousness of what has happened and say you hope they'll take the opportunity to make sure people are reminded to be more careful sound sensitive data.

And leave it at that.

britbat that works too 😀 I specialise in information rights and am involved in prosecutions (hopefully not amateur 😀) hence citing the law. I appreciate that not everyone would do this but the school does need to be aware that a breach has been committed. Anyway the OP will make it sound more "like her".

It isn't great but people do make mistakes. I am not sure what good demanding explanations is going to do. "We cocked up" probably doesn't go far enough for some of the suggestions here.

Lovewine's email is spot on quoting the correct regulations, not at all amateur. It will certainly make the school take it more seriously if you send something that.
Anything which contains identifiable data which is inadvertently disclosed is a DPA breach.

accidentally putting a piece of paper in the wrong envelope shouldn't cost someone their job

Depending on the bit of paper concerned it absofuckingloutely should.

I work with similarly sensitive data at times. It has been impressed on me that a slip in handling it WILL cost me my job.

People make mistakes but they will never learn from their mistakes if they don't take time to review them and reflect on what could be done better next time. It does need to be reported formally to the school so that it can be logged as an information governance incidence and investigated appropriately.

Odds are it's a one off mistake but it's a very serious one and needs to be reported and dealt with. I would absolutely raise it - the letter above may be a bit formal for a first approach, they will hopefully realise how serious it is and act accordingly. But if they don't listen I would follow up with that letter. Such sensitive data should be treated very carefully indeed.

Thanks candlelight

I would just have a quiet word with the Senco, let them know your not happy and leave it at that.