Or is this a GDPR breach?

75 replies

nanamouskouri · 17/09/2019 12:55

DC school has been getting a bit sloppy with communication to parents, up until now nothing serious just annoying, changing the fees without notice (46% rise 🙄), conflicting information about uniforms, telling us to return forms they sent out (that no one has received so probably not sent).

However they have now sent parents an email and cc’ed them all in. So everyone can see each other’s email addresses. AIBU or is this a GDPR breach? If so do I report it? Should I reply to the teacher who sent the email pointing it out?

OP posts:
seaweedandmarchingbands · 17/09/2019 20:01

It is a GDPR breach. GDPR covers all personal data not just sensitive (special category).

Of course it is, but not all GDPR breaches must be reported by the institution.

WorldEndingFire · 17/09/2019 21:13

You can report the breach to the Information Commissioner's Office if you wish; they would be fined.

Drum2018 · 17/09/2019 21:20

Same happened from ds school today and not for the first time. The last time it happened one parent 'replied to all' giving out about it. Obviously didn't make a difference Hmm

PegasusReturns · 17/09/2019 21:31

So much nonsense on this thread Hmm

It is a breach.

It's perfectly reasonable for you to report it to the school, but you're not obligated to.

The school don't need to report it to the ICO.

Even if they did and the ICO investigated, they won't be fined.

Loveislandaddict · 17/09/2019 21:38

Definitely a breach.

Although Mumsnetters may not mind people having their emails, there could be a safeguarding issue. I.e. Mum A may not want abusive ex to know her email, but abusive ex is also on the mailing list as he still has parental rights. He could find out Mum A's new email address etc.

NearlyGranny · 17/09/2019 21:39

School is both sloppy and in breach of GDPR. Someone will have been sent on training when the law changed, so perhaps they've moved on and been replaced by someone untrained in GDPR and generally less experienced.

It does want to be brought to school's attention and it's better they are told a dozen times than not at all.

nanamouskouri · 17/09/2019 22:00

Thank you to everyone who has commented. I’ve emailed back and not heard anything from her since. I imagine she will pounce on me tomorrow when I take DC in. I’ll report back.

OP posts:
spongedog · 17/09/2019 22:22

@seaweedandmarchingbands

It is a GDPR breach. GDPR covers all personal data not just sensitive (special category). Of course it is, but not all GDPR breaches must be reported by the institution

Indeed, but I never said they had to be. People seem to believe data breaches only matter if it is, in their eyes, sensitive data that has been breached. That is not the case. It is more important that the organisation learns from their error, and this is the approach the ICO are mostly taking. I have worked on data protection under GDPR in schools and charities for the last 3 years. This type of breach infuriates me because it is avoidable.

chomalungma · 18/09/2019 07:32

It's a GDPR breach - probably one of the most common ones that exist.

Is it reportable by the school? Not necessarily. They have to make a decision on the seriousness of the breach and make their own decision.

They have to justify that decision in writing - and if someone reports it to the ICO, the ICO will want to see that decision and then decide if it's a reasonable decision to have made if they decide not to report it.

ico.org.uk/for-organisations/report-a-breach/

bellinisurge · 18/09/2019 07:41

The school should self report to the ICI. That's the new requirement. It will be logged and advice given.

bellinisurge · 18/09/2019 07:41

The school should self report to the ICO. That's the new requirement. It will be logged and advice given.

bellinisurge · 18/09/2019 07:41

ICI😂😂😂😂

chomalungma · 18/09/2019 07:46

The school should self report to the ICO. That's the new requirement. It will be logged and advice giv

It's not a requirement.

"A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.

If you experience a personal data breach you need to consider whether this poses a risk to people. You need to consider the likelihood and severity of the risk to people’s rights and freedoms, following the breach. When you’ve made this assessment, if it’s likely there will be a risk then you must notify the ICO; if it’s unlikely then you don’t have to report. You do not need to report every breach to the ICO."

WildImaginings · 18/09/2019 07:50

My doctor's surgery did the same thing this week, followed up with another email 20 minutes later apologising for the data breach and telling us it would be reported to the data protection officer and the ICO.

I am pissed off, there are people who attend that surgery who I do not want knowing my email address (very obviously mine, full name) but this is the first time anything remotely like this has happened and the email stated it was human error.

I'm reluctant to get any of the very nice receptionists into even more trouble than they are probably already in, so I won't be saying anything. If anything like this happens again, I will.

You say they've been lax for a while so that may put a different slant on things.

MyBlueMoonbeam · 18/09/2019 22:01

Husband is a GDPR expert - this is a definite preach & should have been reported

MyBlueMoonbeam · 18/09/2019 22:02

Preach 😆

Drum2018 · 18/09/2019 22:05

Did you get a reply to your email @nanamouskouri?

chomalungma · 18/09/2019 22:05

Husband is a GDPR expert - this is a definite preach & should have been reported

Does he know the full circumstances and the numbers involved? How many email addresses in a CC is enough to justify reporting to the ICO?

I would be intrigued to hear his thoughts.

MyBlueMoonbeam · 18/09/2019 22:09

In a case with anything to do with children who have specific rights under GDPR one is enough

nanamouskouri · 18/09/2019 22:17

Hi all, no reply to my email, and the teacher who sent the email and is normally always at the door greeting us was nowhere to be seen. DC said she hadn't been there all day. Might be a coincidence, but if she's not there tomorrow I'm going to ask where she is in my best casual voice 😬.

OP posts:
IronicalCallSign · 18/09/2019 22:25

I've had similar before, it was my employment email that I'd used as an emergency contact info during work hours. It was completely inappropriate that it got shared (think: something like a local activists group to get the first female MP in the area elected, nothing bizarre but certainly not something that I (e.g.) wanted associated with a hospital email address!!).

IronicalCallSign · 18/09/2019 22:26

... hit post too soon.
I was livid, as were others on the distribution list.
I'd report so they're more careful!!

chomalungma · 18/09/2019 22:33

Well the ICO 'Do I need to report' toolkit is unhelpful

ico.org.uk/for-organisations/report-a-breach/pdb-assessment/y

  1. Does it involve personal data?

  2. How likely is it to result in a risk to individuals?
    a) Likely - it tells you to report it
    b) Neutral - it tells you to ring up
    c) Unlikely - it says keep a record.

Remarkably unhelpful.

That's the thing though about email. It's so easy to do - instead of BCC. We use Mailchimp to ensure our mailing lists get out - and I constantly have to remind people about email lists. It's unfortunately not that easy in Outlook to limit the number of people that can be included in an email without it warning you.
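
The CC-versus-BCC slip described in the post above is the kind of thing an outbound mail check can catch before sending. The following is an added example, not code from the thread or from any product named in it; it parses a constructed sample message, counts the recipient addresses that every other recipient would be able to see (To and Cc, never Bcc), flags the message when more than a hypothetical threshold of external addresses would be disclosed, and shows the usual fix of moving everyone to Bcc with only the sender left in To.

```python
"""Added example: detect and fix mail that exposes recipient addresses in To/Cc."""
from email import message_from_string
from email.message import Message
from email.utils import getaddresses

# Hypothetical policy value: more than this many visible external recipients
# is treated as a likely personal-data disclosure (chosen for illustration).
VISIBLE_RECIPIENT_LIMIT = 3

# Constructed sample: a school mailing with every parent placed in Cc.
SAMPLE_MAIL = """\
From: office@example-school.test
To: office@example-school.test
Cc: parent.a@example.test, parent.b@example.test, "Parent C" <parent.c@example.test>, parent.d@example.test
Subject: Uniform reminder

Please see the attached uniform list.
"""

def visible_recipients(msg: Message) -> list[str]:
    """Distinct, lower-cased addresses that every recipient can read off the headers."""
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return sorted({addr.lower() for _, addr in pairs if addr})

def assess(raw: str, sender_domain: str) -> dict:
    """Return which outside addresses would be disclosed and whether that breaks policy."""
    msg = message_from_string(raw)
    exposed = [a for a in visible_recipients(msg)
               if not a.endswith("@" + sender_domain.lower())]
    risky = len(exposed) > VISIBLE_RECIPIENT_LIMIT
    return {
        "exposed": exposed,
        "disclosure_risk": risky,
        "action": "move recipients to Bcc" if risky else "ok",
    }

def to_bcc(raw: str) -> str:
    """Mitigation: keep only the sender in To and move every other recipient to Bcc."""
    msg = message_from_string(raw)
    sender = msg["From"].strip().lower()
    others = [a for a in visible_recipients(msg) if a != sender]
    del msg["To"]   # del removes every occurrence of the header
    del msg["Cc"]
    msg["To"] = sender
    msg["Bcc"] = ", ".join(others)
    return msg.as_string()

def bcc_count(raw: str) -> int:
    """Number of addresses hidden in Bcc, used to confirm the rewrite kept everyone."""
    return len(getaddresses(message_from_string(raw).get_all("Bcc", [])))
```

Running `assess(SAMPLE_MAIL, "example-school.test")` flags the four parent addresses; after `to_bcc` the same check reports nothing exposed while `bcc_count` confirms all four recipients are still on the message.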

MyBlueMoonbeam · 18/09/2019 22:38

That's why you might need specialist GDPR software which can recall emails immediately

MyBlueMoonbeam · 18/09/2019 22:38

And tell you who has read them
