
GDPR breach

83 replies

Whatsthebl00dypoint · 14/12/2023 00:31

If your child's school sent out an email CC'ing in over 80 parents with their child's name and parent's email addresses, and it was a specific category of children e.g. SEN or Pupil Premium, is that a serious breach of data privacy?

I'm considering whether to make a formal complaint to DD's school since this happened the other day as we have not received an official apology or explanation how this was able to happen although it was likely human error. I know mistakes do happen but this seems pretty big for them to remain silent over. There was no sensitive information in the email, just a very general one. But it's the fact that the list of children is very specific and not all families will want this information public for obvious reasons.

Objectrelations · 14/12/2023 00:39

I wouldn't personally but it's up to you. Everyone can tell my child has SEN - so an email won't make any difference!

ASandwichNamedKevin · 14/12/2023 00:48

But even if everyone could tell your child has SEN you still wouldn’t necessarily want them all to have your email address.

So the two issues are sharing information that some children or families might have wanted to keep private, AND sharing of parents’ email addresses.

I would be asking the school what they are going to do about it.
An apology and a reminder to people to delete the information and contact details would be first steps, the rest depends on how sensitive the information and how much people complain I guess.

Whatsthebl00dypoint · 14/12/2023 00:48

Thanks @Objectrelations what if though, it was a child with a hidden disability and they didn't want others knowing? Or a FSM child who'd hidden this from their peers for fear of bullying? Or a vulnerable family and now the child's name and parent's email address is out there for 80+ families to see?

I'm hoping the school will have reported itself to ICO as per the rules, but just an apology would be enough for me. They cannot just gloss over this mistake as if it didn't happen.

Tinkerbyebye · 14/12/2023 00:50

Any identifying data sent out without that person's consent is a GDPR breach

So yes this is a breach and the school should be taking it seriously

Whatsthebl00dypoint · 14/12/2023 00:51

It's a very multicultural school with English not being the first language for many families. So I can't see many people complaining in all honesty which is probably why the school isn't too bothered. I've sat on my hands the past couple of days to see what the school does and whether someone gets in touch. Nobody has as of yet.

Reugny · 14/12/2023 00:56

Well then you should today.

Youcannotbeseriousreally · 14/12/2023 00:56

Was this the school that sent out the behavioural incidents with all the personal information on????

ACynicalDad · 14/12/2023 00:59

We had a cc incident at school with a reception teacher sharing a list of first names for Christmas cards. It’s a lovely idea but should have been bcc. I told the school so they can train the teacher, no need for more than that.

kitchenhelprequired · 14/12/2023 01:25

It needs to be reported as a GDPR breach by the school. Have they just not noticed or has it been pointed out to them and they don't consider it an issue?

GirlsAloudReturnMadeMyYEAR · 14/12/2023 01:29

Why would you complain about something you've admitted is probably human error? Just to make someone's life a bit harder before Christmas? No doubt you'll say because it's a serious breach but it isn't really. One of my colleagues made a breach similar to this, his daughter had killed herself and when someone complained he ended up going off sick for a very long time. Don't be that person, nobody's done it on purpose.

cryinglaughing · 14/12/2023 01:37

The school I worked at had to pay one parent £10k for this exact thing.
Extra training was given to hopefully prevent it happening again.

catotangent · 14/12/2023 01:44

You should make a formal complaint

Coyoacan · 14/12/2023 01:45

GirlsAloudReturnMadeMyYEAR · 14/12/2023 01:29

Why would you complain about something you've admitted is probably human error? Just to make someone's life a bit harder before Christmas? No doubt you'll say because it's a serious breach but it isn't really. One of my colleagues made a breach similar to this, his daughter had killed herself and when someone complained he ended up going off sick for a very long time. Don't be that person, nobody's done it on purpose.

How horrible but you do not know how people were affected by this breach and if nobody complains, it will happen again

AnotherCrazyCatLady · 14/12/2023 02:13

It likely was inadvertent, but it is worth politely drawing this to the School's attention as it is a GDPR breach to cc rather than bcc all the parents. I wouldn't frame it as a 'formal complaint' at this stage - I'd give them the benefit of the doubt and see how they respond.

Redsheeps · 14/12/2023 02:19

Ffs, what do you expect to achieve? If you just want an apology, highlight it and ask they do an assessment to prevent it again. Why the need for a “formal” complaint?

fpqand · 14/12/2023 02:57

It is a breach yes, whether it's serious enough to be ICO reportable will be hard for anyone here to say without the full context. But the fact the school haven't (appeared to at least) recognised the breach is pretty bad form, they should be going out and apologising, asking people to delete the email (yes people are obligated to under the law) and then in the least recording internally. If after that point you don't feel the school have addressed it properly (ie you feel it is reportable not just recordable) you can take to the ICO, but they will do very little, they're useless and have done very little with much more serious breaches, the current commissioner has little appetite for enforcement. I think it's reasonable to complain to the school though to ensure it is handled how it is legally supposed to be.

nameychangio675 · 14/12/2023 03:02

Coyoacan · 14/12/2023 01:45

How horrible but you do not know how people were affected by this breach and if nobody complains, it will happen again

It happens because of human error not for a laugh, why would anyone be "affected"?!

Privacy breaches have just gone way too far now. Remember the days when everyone was just cc'd in to stuff, sigh.

Redsheeps · 14/12/2023 03:05

I think people have lost sight of what GDPR laws are for. No one gives a fuck if little Jimmy needs his eyes tested. Get over yourself

Bringbackspangles · 14/12/2023 03:19

@Whatsthebl00dypoint I think you are right to be concerned and although it is very likely to be human error, there is a chance it would happen again. Being able to accidentally email all parents should be (administratively) a quite difficult thing to do to avoid this scenario. I.e. email lists have very distinct names.

I think you have two separate issues: 1. The Breach itself and 2. The lack of urgency in the school explaining how it has happened, a request for all recipients to delete and an apology. I think if by close of play today you haven’t had the latter, it would be reasonable to make a complaint to the Head Teacher in the first instance.

fpqand · 14/12/2023 03:26

ico.org.uk/about-the-ico/media-centre/news-and-blogs/2023/12/ico-fines-ministry-of-defence-for-afghan-evacuation-data-breach/

Yeah why can't we just cc people into emails, it's totally fine.

NewJobNewMeNewLife · 14/12/2023 07:02

If nobody is likely to complain, maybe school haven’t realised.

I would have replied to the email as soon as I received it saying something like - good morning, just to let you know that this email has been cc'ed instead of being bcc'd. I wanted to make you aware so in future you could ensure emails are blind copied.
Thank you

then I would feel like I’d let them know, and I could forget about it. I wouldn’t be waiting to see what happened from school. I’d be more constructive about it all.

Emma0987 · 14/12/2023 07:05

This happened in my child's high school. When they noticed they apologised immediately (was quickly after sending) and reported it to who they needed to within the council for the breach and from this I guess would come how to prevent it happening again.

CandyFluff99 · 14/12/2023 07:06

I would just drop a polite email in response outlining what you have here. That way they can make sure it doesn't happen again. If it does happen again then I would look at a formal complaint (OK I probably wouldn't. But if it were bothering me this would be my approach).

Quitelikeacatslife · 14/12/2023 07:09

If they've apologised then an internal investigation will have taken place to make sure it never happens again. If they have not mentioned it but you have noticed, then you can email the school with your concerns but don't need to be formal or a complaint. Just say you are aware and ask them to look into it. But you can be nice about it.

NatMoz · 14/12/2023 07:10

The school (or individual) may not have realised their error.

Not all breaches are reportable. The school would have to assess the likelihood of risk before reporting to ICO. If the risk is low then they would log it in house and address remedial measures/containment etc.

Again that's assuming they know an error occurred. There is no harm in raising it to their attention