What does the school have to do now?

[MrsDylanBlue]

My data protection consent form arrived from DS2 school yday.

It contained the slip along with a form which had my address, DS2 dad’s address and his mother’s (who is emergency contact) and phone numbers, our with our Drs info and DS2 medical info and all three of my children’s full names and dates of birth.

The envelope was unsealed and the flap hadn’t even been folded down meaning any number of people may have read it and replaced it.

I have emailed the school alerting them to this and asking them to follow their data protection breach policy.

Can anyone tell me what they need to do now (obvs after half term!). Do they need to contact everyone whose data protection has been breached etc?

Ok your worrying over an unsealed envelope, isn't the bigger question did Dad & Gran consent to their data being shared with you?

Hm.

Having thought about this, I’m really surprised that anything confidential was sent through the post in a non recorded format - otherwise there is no way to find out if data has been lost/gone astray. We’ve changed practice to sending any confidential personal data by recorded delivery.

Why did the school send the information to you?

It didn't "float around town". It would have gone from school to the sorting office, then to your home.

At least you know one thing, OP. You're lucky enough to have this to worry about instead of an actual real problem..

I dunno scrumples - I’d say medical info falls under “higher sensitivity” - so recorded delivery is more appropriate.

No matter how many people tell OP to get over herself she’s not listening. Why ask AIBU and then ignore the response and keep on and on about it?

I just don’t understand why the actual information needed sending in the first place.

If someone really wanted the data they could just take the whole envelope surely?!

Better stop sending any sort of communication about anything because of GDPR

For GDPR smile

As I see it
The OP reports the potential data breach.

The school needs to report 72 hours after they have been made aware

The clock could start on Tuesday 28th or Monday 4th June depending on the office staffing and whose email she sends it too.

The school reports to ICO. (if they have to).

ICO says review your procedures.

School reviews their procedures and envelopes get stuck down.

The end.

Ana - I know that - but if it was an opt in “do we have permission to hol your data” thing, I don’t understand why it wasn’t just a generic “is it ok for us to hold contact details/medical info/etc” form?

I don’t understand why they sent the actual details.

😂😂😂 I bet someone has a gdpr kink

I have emailed the school alerting them to this and asking them to follow their data protection breach policy.

Isn't a near miss or potential breach, rather than an actual breach?

Can anyone tell me what they need to do now (obvs after half term!). Do they need to contact everyone whose data protection has been breached etc?

You dot know if anyone else has been affected. Sound more like they just accidentally missed one letter put of however many, I guess potentially several hundred if a secondary school. So, base don what you know, the only person with a potential breach is yourself - and they don't need to notify you as you already know!

Do you have any evidence it is likely to have been breached? You can normally tell if an envelope has had something removed and replaced in my experience, even if it was unsealed originally.

OP: "AIBU?
All of mumsnet: "Yes"
I think you have your answer. You've let them know- they will address it and apologise. What more do you want them to do? What do you have to gain from pushing this agenda any further? Please let it go.

If the health info has been provided by an outside agency they might?

Oh I don’t know.

I really want to know why they sent the info.

I am not sure what you're getting so angry about?
Did it have the results from the sexual health clinic in it and now you can't look the postie in the eye cos he knows you have warts

But it wasn't floated around town for a few days Or do you think the staff at the local sorting office had a look?

GDPR has just come into effect and OP has proven themselves to be “one of those” within minutes. OP definitely is a troublemaker who has a problem with the school or a general inferiority complex.

The Data Protectiom act was always around before GDPR and barely and bothered