What does the school have to do now?

[MrsDylanBlue]

My data protection consent form arrived from DS2 school yday.

It contained the slip along with a form which had my address, DS2 dad’s address and his mother’s (who is emergency contact) and phone numbers, our with our Drs info and DS2 medical info and all three of my children’s full names and dates of birth.

The envelope was unsealed and the flap hadn’t even been folded down meaning any number of people may have read it and replaced it.

I have emailed the school alerting them to this and asking them to follow their data protection breach policy.

Can anyone tell me what they need to do now (obvs after half term!). Do they need to contact everyone whose data protection has been breached etc?

Complete over reaction.
As has been said upthread, I wouldn't bat an eyelid at this. If the postman wanted to read the form, they could easily have eased the envelope open and then resealed it. Why do you think the postman is that interested in you ?

If it bothers you, then a phone call, or e-mail to the school pointing out that not sealing the envelopes would make a data breach more likely.

the ico has 500 members of staff.

once you've taken the support functions aways you're now down to 350.

350 people within 2 days of the start of GDPR. I'm not sure your envelope is going to get a thought through your breach specific response this side of the next millennium.

You're right though. the envelope should have been sealed. but i think making the school aware was a proportionate response and the end of the matter.

i know you're cross with us all for not taking this as seriously as you are but you asked our opinion. you should only really ask for an opinion if you want to hear it.

from the ico website.

Today, more than 500 staff are employed by the ICO in offices in Wilmslow, Northern Ireland, Scotland and Wales, handling more than 16,000 data protection complaints, 5,000 freedom of information complaints and over 200,000 calls to the helpline. The ICO also administrates over 400,000 entries on the Register of Data Controllers.

The problems faced by the ICO aren’t any reason to not bring this up though are they?

Their issues are not my issue.

People don’t not bother reporting stuff to Social Care because they are so over stretched because of the cuts.

I've called the ICO helpline before for information and advice. Queries like the OP's are the reason why they have a helpline and the initial contact to see what they suggest will only take a few minutes of their time. We don't know how sensitive the information in the envelope was, or we would feel if it happened to us, so I don't think anybody apart from the OP can say whether or not is a big deal.

They don't need your permission to hold that data. They have a legal basis to do so. They should not have printed it out and put it in the post.

A school should not be holding any of that information under consent, so it is indeed quite odd that they emailed you it at all, do they also do direct marketing?

It has legitimate interest, legal obligation and public task grounds, consent would be a foolish and quite unnecessary one to use.

They didn’t email it - they sent it through the post.

It sounds as though someone who had 100 letters to stick down missed one. Human error. If someone wanted to get this information they could have steamed the letter open and resealed it, or put it in a new envelope. So nothing really more worrying than the usual risks of sending things through the post. I wouldn't worry about it.

When you say contact everyone, did all the letters arrive in unsealed envelopes then?

I don’t care how many envelopes they had.

It was personal sensitive information.

It’s not good enough.

I mean everyone whose info was in my letter.

The school dont seem to have a good grip on the requirements of GDPR.

Can I just ask, whilst I understand that an accidentally unsealed (or poorly sealed) envelope means that potentially, if they wanted to, someone could access your information, do you think that anyone actually has, and what do you think they are going to do with the information?

Realistically, the only people who could possibly have accessed the data are:
school office staff - have access to data anyway
sorting office staff - who don't know you and would have no motivation to look inside the envelope, plus would be putting their job at risk to do so.
postman - who doesn't know you and would have no motivation to look inside the envelope, plus would be putting his job at risk to do so.

So who do you think has accessed this information, and how do you think this is detrimental to you. Unless you are going to drip feed that you're someone in the public eye, you are massively overestimating how much interest anyone would have in this data.

The correct course of actions is for you to let the school know the envelope wasn't sealed, and for them to say "thanks for letting us know". And then get on with your life and forget about it.

My dds' schools used to send out the same every year for us to update with any changes and then send back. Any forms not sent back it was assumed info was correct. It's just basic info about contact details and doctor's, why shouldn't the school have this information? It's only what parents have provided.

I don’t have an issue with the school having the info xx

I feel like the resounding answer is YABU.
You posted this in AIBU but clearly have no interest in what people think if they don't agree with you.
You've complained/informed the school, they'll bollock the admin person in charge of sealing envelopes and will apologise to you.
What else can you reasonably expect to happen?
Why have you assumed someone would bother to read the letter or care about its contents anyway? It's a shame this happened, nothing terrible has come of it, you've told the school of their mistake.
Mumsnet have resoundingly told you to get over it.

I'm a school data protection officer. This should be dealt with internally. The school need to change procedures and document that they have done so. They will need to record the breach / near miss and audit future similar activities to ensure it doesn't happen again. It's not ICO reportable.

If you'd reported it to me I'd thank you for bringing this mistake to my attention and then carry out all of the above. It's clearly a training issue at the school.

Everyone's gone a bit GDPR-max!

Seriously OP? Get a grip. 'I don't know who could have read it?!' Are you really that interesting that people want to know about you? Are you a celeb and you are worried about the daily fail getting hold of it?? Seriously...I'm asking?

As for your dp/dh having high security clearance- so has mine. It's a bloody pain in the arse every renewal! But it is what it is- I don't see what that has to do with anything honestly?

Anyway there HASN'T been a breach. It was a POTENTIAL. They are two different things......

Hmm - there is a reason ALL that info is password protected on the school database.

But hey who gives a shit of an envelope with all that info open to anyone gets floated about the town for a few days.

It’s a big deal to me.

I agree with @scrumples
What do you expect to happen?

Do you never make mistakes OP?

Honestly, you're coming across like you're on a mission to get someone in trouble. That's nasty and vindictive.

No harm has been done. Get over it. Get over yourself.