To complain about school's breach of DPA?

[sananbaz]

My DS(9 yo) has brought out an envelope from school (addressed to us) with a copy of his care plan to sign. Also in the envelope is a consultant's clinic letter and minutes from a TAC (team around the child) meeting for a different child at his school. I don't know this child or her parents. It contains name, address, DOB, and various diagnosis. I immediately returned the paperwork to the school office and pointed out how serious a breach of data protection and confidentiality is, but the receptionist didn't seem to look at all bothered, took it from me and said she'd give it back. I said I thought it was quite serious and that I would send an email - she didn't seem interested.
So, aibu to email the head and the senco, telling them what happened and that I'm very concerned how poorly sensitive data has been mishandled or am I blowing it up more than is necessary? And if I do email, what sort of key phrases will get them to take this seriously?

And I have known people (justifiably) fired for sending out the wrong data to the wrong people. It's gross misconduct in most jobs. In this case if it's a one off, I would hope no one would lose their jobs and procedures be tightened. But if it is a recurring issue in the school, or down to someone not taking their duties appropriately seriously, then they need to look at things very carefully indeed.

gamer exactly. Drawing their attention to this could prevent future slip-ups and avoid fines for repeated offences.

Love wine chocs

What a lovely thing to do for the op!

Thanks dataandspot I work with this kind of thing all the time, it's nice to be able to use it to help a fellow MNer

I've had similar happen. I got an annual update of DS care plan and halfway through it segued into the care plan of another child. Basically they were overwriting their care plans on the same template and someone obviously stopped half way through writing DS's then when they came back to it thought they'd completed it, printed it and sent it without checking.

I luckily had a meeting with the head anyway, so I took it in and handed it over. Unfortunately for the school I work in data quality so I know the DPA inside out.

The head was extremely apologetic and I didn't take it any further, although I did ask that they let the other parents know and reassured them I had handed the document back. More for their protection than anything - if they'd covered it up I could imagine the other parents raising a massive stink and they are well respected in the community. Luckily I know the family and have previously offered support and advice to the mum as her DC has a similar health condition to one that I have.

For those wondering what the point of writing and demanding a written response is - it's good practice for the school to keep transparent records of these sorts of things. Yes, mistakes happen, but if they're ever asked by ofsted etc they can produce OPs letter and their response and show how they have dealt with the situation. In the NHS when a patient complains, or there is an incident, there is a full investigation and in the cases of incidents, several reports written at different stages of said investigation before a letter is written to the complainant advising of the outcome. This is all filed away for several years and can be used as evidence of best practice.

It's a serious breach but probably a very easy and honest mistake to make. I work for the NHS and something similar happened where I work - basically someone took a document from a printer to give to someone and hadn't realised that a letter to another patient had also come out with the document they were printing and this was given to another patient - who duly returned it and let us know what had happened.

It was a simple and honest mistake (and any of us could have made it as we were constantly sending multiple letters and documents to the same printer)

From memory, an incident report was raised and advice was sought from the information governance team. I think they were advised to tell the patient whose confidentiality had been breached what happened and to offer an apology and then take it from there.

Perhaps the secretary did not realise the seriousness of such confidential information being inadvertently disclosed. Perhaps give the SENCO or the head a ring and just state what happened and let them deal with it. They should definitely know it's a serious issue and respond appropriately!

Roo

I'm a bit lost here. I don't understand the advice being given.

If my child's data was sent to mum X, I'd be pretty cross.

If the school then sent
"an explanation as to how this error occurred"

To mum X
But did not tell me what had happened, on the grounds that I might be distressed by the disclosure, I would be calling my friendly lawyer.

I don't mean to be an arse Love but I think you've got mixed up. Are you a lawyer?

Continuing to try not to be an arse,.....

the OP's child is not (we hope) the data subject. The other child is.

I appreciate OP has a right to know what has happened to her own child's info - has it also been disclosed?

Love can you give chapter and verse on this concept of the school getting to decide whether to tell other mum (because I think you're wrong).

I am a lawyer, yes. You are not being an arse. What I mean is, the OP being in receipt of someone else's personal data and being understandably concerned about the school's data handling practices, draws the school's attention to the error. The other parent is not aware of this at this stage. She then follows up with a concerned letter asking how this happened and for reassurances that the school are adhering to their own data protection policies as she's worried about her own DS's data. The school, having been notified of the breach, would hopefully provide reassurance to her. She is not seeking any legal redress, as it is not her son's data that has been inadvertently disclosed. The onus is then on the school to deal with the breach. There is no legal obligation under DP to report the breach to the ICO or to inform the other parent-that is for the school to assess and decide and, as I said, their own policies or other legislation may require this. The other parent can then also seek an explanation and report the breach to the ICO if dissatisfied with this, the difference being that the parent who's DS' data was wrongly disclosed is the one who can claim compensation through the courts for damage/distress caused by unfair and unlawful disclosure.

"didldidi under DP they are not-the school would be advised to assess whether telling the other parent and the damage/distress it would cause would be disproportionate"

Proportionality seems rather to require that the relevant person be told....
Chapter and verse on this bit please?

Eyelevel this is the advice given by the ICO. I'll try and find the relevant bit of guidance for you.

I Would also want to know of the other child's parents had received your child's info.

The NHS response described above seems the only possible one here.

"From memory, an incident report was raised and advice was sought from the information governance team. I think they were advised to tell the patient whose confidentiality had been breached what happened and to offer an apology and then take it from there. "

Yes-they were "advised" to tell them. All I'm saying here is that they are not legally obliged-again, only under DPA, they do need to consider other policies and legislation. The short answer is, no-one DPA-wise can MAKE them tell the other parent, although it may be best practice. They need to consider, and assess, notifying the individual, including any detriment which may be caused by the breach. I have heard this advice given by ICO staff and received correspondence to this effect and it is on their website regarding reporting a breach. In the school's position I would tell the other parent.

"In the school's position I would tell the other parent."

Of course you would.
Because you are not batshit crazy

link?
I wonder if the DPA person was having a bad day or giving a very extreme, very different example.

I still refuse to believe that it can be a defence to say that it would upset the victim if you told them what you had done. I think you have mixed this up with situations where people can claim damages? In which case you might prefer not to tell them.

Also, someone being "none the wiser" is the opposite of no damage being done...

What DPA person, the one from the ICO? What link? The ICO's website is www.ico.org.uk. No extreme example given as far as I recall (it was at an information rights conference) it was just guidance on considering the seriousness of the breach and the effects of notifying, which I can understand in a case such as this as the individual has not been distressed by the disclosure itself, as it has been contained, but would certainly be distressed by notification of the disclosure. The school needs to be aware of all factors when deciding, including the fact that they don't know whether the OP herself will tell the other parent and cause a shitstorm. It is a no-brainer really but nothing is enshrined in statute about it. Oh well, OP's letter will leave them in no doubt about the breach, then it's up to them.

Eyelevel they could claim damages in this case also, for detriment caused by breach of privacy. Once again, no one is saying it is a defence to anything, someone asked if the school were obliged to report it and I said not under DPA.

I don't know if anyone has been given my son's paperwork to another parent - that's why I want to contact the school so they can review policy so it doesn't happen again. If my son's data had been given out, I would want to know though.
It's unlikely that my son's care plan came off the printer with this girls paperwork - my DS's care plan is one I gave to the school but they were giving it back now it's been reviewed, for me to sign. The girl's TAC minutes had been annotated by hand and the consultants letter was an original (probably sent to the parent and then they have given it to the school).
Also, the envelope was sent by an admin assistant not the senco - I don't believe the senco would have made this mistake because she's a bit of a stickler!!

Good luck OP and goodnight all!

What are you wanting to happen? Heads of chopping boards? A quiet word with SENCOm

I appreciate all your help lovewine , I feel much more confident about what to write and will await a response. I don't know the other child, or her parents, so am unlikely to seek them out. I know that I didn't read the information the paperwork contained (once I twigged it wasn't ours!), and I (unlike someone at the school) respect confidentiality

If it was sent by an admin assistant you realise this is someone probably earning barely more than minimum wage in a job where they are constantly multi-tasking and coping with demands from head, teachers, parents, students, salespeople etc? And you want to quote the DPA and get them sacked?? This is a clerical error ffs. Yes it's not good, so send it back and suggest they look at how to prevent this happening again. But please don't go overboard. They're only human. No actual harm was done to anybody.

You are not entitled to an "explanation". You are right to inform them of this and suggest that they review the procedure.

You don't need to quote subsections of the DPA. The school knows perfectly well about confidentiality. It will be a 17 year old stuffing envelopes on minimum wage.