AIBU re data protection / common sense

[Butchmanda]

Just got an email from my son's school SENCO about a general matter of general interest to SEN parents. Instead of putting people in blind copy, she's just but everyone's emails for everyone to see.

It makes me wince when one of my amateur clubs does that but I suck it up and wouldn't make a fuss. But this s a school and surely she should know how to send group emails discreetly.

It's not the first time I feel she's crossed a line in terms of privacy and discretion. Unprofessional I think.

maybe they didn't think it required the same amount of discretion? That's not a decision they can take... emails are personal data, this email was to parents of kids with SEN, thus identifying the kids as having SEN... which breaks all sorts of confidentiality.

That's why it isn't a decision any individual takes. The SOP in all organisations is to BCC and not to disseminate personal data.

I don’t beleive an email address alone is classed as sensitive information, under the DPA, however the information in the email would be due to potentially identifying the child with the SEN or if the email address identifys the parents etc... which could lead to the identification of the child.

I’d email the HT.

I would say something in the spirit of ensuring they tighten up on their email procedures which they clearly need to do.
I found my Dd’s school SEN documents (including ed Psyc reports etc) and the documents of dozens of other kids in our village hall store cupboard, so I’m a bit biased/bitter on this subject matter though!

@curiousaboutsamphire non with regards to data. Safeguarding training comes via the council/social care and is purely safeguarding. I’ve only heard of GDPR because my DH works in recruitment. I’ve always though the lack of training at schools is shocking but it’s such a different environment to the university I used to work at where I was probably over trained

Technically, it's a data breach. Under GDPR, even if they don't report it to the ICO, they need to record that it happened, how it happened, identify training needs etc to prevent it happening again.

But the threshold for reporting is much lower than under current data protection laws.

Easy to do. People need to think before they press send.

I would speak to the school and say you are concerned that this lack of understanding of data protection is leaving them open to future breaches and could the necessary training be taken.

HaudYerWeesh That is all changing now. Any data that can identify and individual is personal data. It has been for a few years, but it hasn't been enforced, but the GDPR will change all of that! So [email protected] is potentially identifying and therefore is personal data.

@kalpattar yep! But as Georgie is saying, many schools just don't know about the GDPR, the ICO etc. At least not in that way. Though in this case, a SENCO definitely should know better as they deal almost exclusively with sensitive data!

WHMum I remember reading your post about that! Utterly shocking!

The email was inviting us to a SEN coffee morning. Which is kind. And we have the option of whether or not we turn up and 'out' ourselves as having a SEN child. (I'm ok with it but I know others are very sensitive. Some people need time to get their heads around a diagnosis etc). I haven't been to many of these meetings but it's a nice idea and generally other SEN parents are supportive in these kinds of environments. I looked a bit more closely at this email because I thought I should see the extent of the damage before deciding how bad it was. And from that I recognised several surnames and now know those children have SEN. And ditto with my surname which is unusual. I also know where parents work and can infer what they do. Several names were actually the name of the child, but with the parent's email address. That's really shit. I will delete, wipe it from my mind and say absolutely nothing to anyone but, in theory, other recipients could be less discreet.

Does that mean you will NOT be informing the school?

Please do before you delete it! They really do need to know!

There's also the issue of info among the SEN children themselves. The SENCO sometimes sends emails to a particular group of kids about a trip or social skills session (the kids all have a school email account) I guess my son is ok with that and he's realised who else has similar issues (he has ASD) but there might be others who don't want to engage and don't want anyone to know. I'm probably splitting hairs here!

I do recall the primary school SENCO giving out newsletters from a local autism charity to all the autistic kids. Not in an envelope! And at that point my son didnt know about his diagnosis. Again, totally shit ...

Curious: you're right. I'll file it out of sight for now. DH has just got in so I'll talk it over with him. He works in s university and is quite hot on data protection - he often notices things I don't. But he might suggest we don't rock the boat / pick our battles. As a SEN parent we do this all the time.

Sorry, I was hectoring you wasn't I?

Whatever you decide should be the best thing for you and yours.

Just tell them to google GDPR!

Stern message to the HT and ask for a response.

Curious - please don't apologise. I appreciate your comments. Proves that my uneasy feeling about this wasn't misplaced!

Maybe just mention to her that you can see all the email address and suggest she uses BCC to keep within data protection laws. No need to make a huge deal.

^This.

Sounds like the email sender has made an error, let them know and then drop it. If they do it again then maybe complain.

I really think you need to, can you imagine how an accidentally "outed" parent/child could feel and how that could end up? I just think raise it as informally as possible so this person realises.

I think email is going to be one of the major sources of data breaches under GDPR - once more reports come in.

So easy to do BCC, to send to the wrong address - and then once send is pressed, it's very difficult to undo it.