AIBU?

Or is this a GDPR breach?

75 replies

nanamouskouri · 17/09/2019 12:55

DC school has been getting a bit sloppy with communication to parents, up until now nothing serious just annoying, changing the fees without notice (46% rise 🙄), conflicting information about uniforms, telling us to return forms they sent out (that no one has received so probably not sent).

However they have now sent parents an email and cc’ed them all in. So everyone can see each other’s email addresses. AIBU or is this a GDPR breach? If so do I report it? Should I reply to the teacher who sent the email pointing it out?

PatriciaHolm · 17/09/2019 13:37

What if there's a handful of hunbots on that list, you can imagine they'd be scraping up all those prime leads for endless MLM garbage?

This is exactly what happened when a similar thing happened at DCs school some years ago. Several MLM type round robins plus some political canvassing. People were livid.

AllNewDay · 17/09/2019 13:39

Yeah, that is pretty bad across the board.

The school ought to report itself within 72h but otherwise you can submit a complaint, too: ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/personal-data-breaches/

nanamouskouri · 17/09/2019 13:53

Reply to email (just to teacher obvs)

Dear Mrs Teacher, are you aware that parents are cc’ed rather than bcc’ed into this email so we therefore all now know each other’s personal email addresses

I’m not sure what to put after that? Just to state that this is a GDPR issue? The teacher in question is pretty bolshy so I’m reasonably sure I’ll get a shitty reply.

dollydaydream114 · 17/09/2019 13:55

dollydaydream114 How do people stalk you through your email address?

Cyber-stalking, @ElizaDee

Sending you messages and photos, adding your email address to their Contacts in their phone and then using that to search for all your social media accounts, signing you up for various creepy mailing lists (violent porn sites, for instance), attempting to hack into your web mail and social media accounts, posting your email address publicly and asking other people to bombard you with abuse ...

And those are just the ways I can think of off the top of my head. I'm sure there are more. I've had several of these things happen to me. None of them are pleasant.

seaweedandmarchingbands · 17/09/2019 14:05

Dear Mrs Teacher, are you aware that parents are cc’ed rather than bcc’ed into this email so we therefore all now know each other’s personal email addresses

She is probably shitty because of how you communicate. “Are you aware” is pointlessly rude.

Possibility A: She wasn’t aware (doesn’t help)

Possibility B: She was aware but didn’t realise the issue (doesn’t help)

Possibility C: She was aware, knew it was an issue and just doesn’t care (unlikely - still doesn’t help)

Try talking to her like a person.

Chloemol · 17/09/2019 14:09

It’s a breach and they should be reporting it to the ICO

Chouetted · 17/09/2019 14:11

I would say something more along the lines of "Just wanted to let you know that you seem to have accidentally cc'd everyone into this instead of using bcc." And then give some of the examples cited here as reasons why that's something to avoid

nanamouskouri · 17/09/2019 14:14

Thanks @Chouetted

AllNewDay · 17/09/2019 14:15

Something like, "It seems you accidentally cc'd instead of bcc'd everybody. I know it is an easy thing to overlook for the sender and just wanted to ensure it is brought to your attention, so it can be reported to the ICO in accordance with GDPR"

I am not prone to mince words, though

Seeingadistance · 17/09/2019 14:19

Yes, it’s a breach, but I was more taken aback that you thought an unexpected 46% rise in fees wasn’t serious but only annoying!

nanamouskouri · 17/09/2019 14:43

@Seeingadistance the price hike pissed me off royally but other than move DC I can’t do anything about it so I’ve had to lump it for now. I’m not ok with it by any means though.

seaweedandmarchingbands · 17/09/2019 14:46

I am confused that people would seriously waste the Information Commission’s time with something this trivial. What a nonsense. Not every breach of every bit of personal data needs to be reported. Very little risk is attached to the publication of an email address. Mine is my [email protected]. If someone wanted it, they could get it very easily. Not sensitive data.

TheDarkPassenger · 17/09/2019 14:48

It’s a very minor breach and likely the ICO won’t act unless someone has been harmed as a result

Wallywobbles · 17/09/2019 15:21

This still happens a lot I find. The bloody bank did it recently. And I do think it should be reported.

I'd not mince my words on this occasion.

GeekingDad · 17/09/2019 18:46

Yes, it is a breach and they should know better.
However, it is probably not reportable to ICO. Unless it has an 'impact on the rights and freedoms' of those involved.

Yes, if someone has a real reason for their email address not to be discovered (and there are some good reasons) then it is an inconvenience.

If it happens a lot, then yes ... complain to ICO, but they will also ask if you have followed up the complaint with the school.

I'll dig out some of our resources later if folk think that will help (yes, this is my day job and I would normally just lurk but a few things like this have cropped up over time).

AsTheWorldTurns · 17/09/2019 18:48

What if there's a handful of hunbots on that list, you can imagine they'd be scraping up all those prime leads for endless MLM garbage?

This actually did make me laugh out loud.

A polite reply to draw her attention to the issue would be very kind of you.

MyBlueMoonbeam · 17/09/2019 18:51

It’s a breach and they should be reporting it to the ICO
This 100%

Charmatt · 17/09/2019 18:52

It's a breach but not a reportable one. The school should investigate it, assess its level of impact and review its practices. They should report it to their DPO who will write a report to summarise the incident and the change in practice and ensure a copy is filed for future reference at the school. It should also be included in a report to governors once per year.
(Yes, I am a DPO!)😉

NaviSprite · 17/09/2019 18:56

GDPR is for the protection of sensitive, personal identifiable data. Email addresses alone would possibly not lead to any investigation as usually it would require additional identifiable information to lead to that information being used for potentially nefarious means. Also I’m not sure that the ICO would cover this as a school isn’t classed as a business but I could be wrong on that one.

OtraCosaMariposa · 17/09/2019 18:57

I had similar last year when I volunteered for a large event. I consented for them to communicate with me by email. But my team leader sent out a generic get to know you email to 50 people, me included and used cc instead of bcc. So 49 other people I had never met had my email address. Which has my full name in it, it's not something like fluffybun968.

I flagged it up to them right away. They didn't see the issue. "We're all on the same team!" That's as maybe but I don't want all those randomers having my email.

justbeingadad · 17/09/2019 19:03

It's a breach and it definitely needs to be reported to the school. It's not notifiable to ICO because it won't:

result in physical, material or non-material damage to natural persons such as loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, loss of confidentiality of personal data protected by professional secrecy or any other significant economic or social disadvantage

I had a similar issue when I was unemployed a few years back and the Job Centre sent out a CC list. I didn't report to ICO but I did report to them, I think it would have been reportable to ICO under the above definition though as it was not "well known" I was unemployed etc.

ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/personal-data-breaches/

My child's school uses what appears to be some online system to send emails which I presume takes care of all this privacy stuff as all the emails come from "schoolcomms.com" email addresses.

Serin · 17/09/2019 19:09

Our school recently sent out an email about a particular child's repeated poor behaviour and a plan of action for the parents to sign, to every single parent.
Awful.

spongedog · 17/09/2019 19:27

It is a GDPR breach. GDPR covers all personal data not just sensitive (special category).

Send your polite email to the Head who will either be the DPO or will delegate appropriately.

The reason you are reporting the breach to the school is that this type of breach is avoidable. Staff need to take greater care and/or the school needs to put in place a better communication system. Next time it could be serious (there have been plenty of examples given already on this thread).

iwantluxury · 17/09/2019 19:30

My son's old nursery did this a lot. His current nursery sent a WhatsApp to all parents in a group too so I can see everyone's numbers.
They shouldn't do it but I'm not bothered about anyone having my email address or phone number so I've not bothered saying anything.

iwantluxury · 17/09/2019 19:33

@Serin that's awful Shock
