AIBU?

Gdpr breach

83 replies

Whatsthebl00dypoint · 14/12/2023 00:31

If your child's school sent out an email CC'ing in over 80 parents with their child's name and parent's email addresses, and it was a specific category of children eg. SEN or Pupil Premium, is that a serious breach of data privacy?

I'm considering whether to make a formal complaint to DD's school since this happened the other day as we have not received an official apology or explanation how this was able to happen although it was likely human error. I know mistakes do happen but this seems pretty big for them to remain silent over. There was no sensitive information in the email, just a very general one. But it's the fact that the list of children is very specific and not all families will want this information public for obvious reasons.

AfraidToRun · 14/12/2023 07:11

£10k!

Can ICO dictate that, I thought they just fined companies.

WrongSwanson · 14/12/2023 07:12

Yes it's definitely a breach. And potentially quite a serious one.
There are some similar cases on the ICO website.

Definitely at least alert them to it

WrongSwanson · 14/12/2023 07:14

GirlsAloudReturnMadeMyYEAR · 14/12/2023 01:29

Why would you complain about something you've admitted is probably human error? Just to make someone's life a bit harder before Christmas? No doubt you'll say because it's a serious breach but it isn't really. One of my colleagues made a breach similar to this, his daughter had killed herself and when someone complained he ended up going off sick for a very long time. Don't be that person, nobody's done it on purpose.

That's really sad. But equally people can have very good reasons why they don't want their information shared, so the school does need to know.

If the school are sensible they will deal kindly with the person who made the breach, recognising mistakes happen

Laurama91 · 14/12/2023 07:14

We had the email situation at work not long back. As soon as it was realised a further email was sent to retract the previous and an apology for sharing every employee's personal email.

WrongSwanson · 14/12/2023 07:14

AfraidToRun · 14/12/2023 07:11

£10k!

Can ICO dictate that, I thought they just fined companies.

The ICO can fine.

But people can also sue organisations for harm caused as a result of a data breach.

VisionsOfSplendour · 14/12/2023 07:15

Redsheeps · 14/12/2023 03:05

I think people have lost sight of what GSPR laws are for. No one gives a fuck if little jimmy needs his eyes tested. Get over yourself

What a stupid comment, just because you don't care doesn't make it not a breach of the rules

I'd contact the school in a neutral way first and see how they react before deciding what to do

Stresa22 · 14/12/2023 07:17

This is a good time to suggest school staff receive GDPR training annually.

CyberCritical · 14/12/2023 07:23

It is a breach because emails should have been bcc'd. The school would self assess as it being a low value/volume data breach which means it would be on record but not receive fines or action from ICO. Root cause would be human error.

You should make the school aware but beyond apologising and retaining/discussing with the staff member, there is limited action that can be taken.

EnoughNow2023 · 14/12/2023 07:27

Have you spoken to the school? Is it possible that they are not aware? E.g. all names were cc'd rather than bcc'd, in that case they may not have picked up the error.
I have to say I wouldn't really be all that bothered, my email address is out there for many people/companies with the way things are.

Zanatdy · 14/12/2023 07:29

Yes absolutely this is a GDPR breach. It happens at our work, like anywhere human error exists. Even if we send an email to the wrong person (internally) we need to report. This incident 100%, the ODPO may want to investigate. They should have reported themselves. Our procedure would include an email apologising and asking everyone to delete the email. Quite poor they’ve not done that yet.

sparepantsandtoothbrush · 14/12/2023 07:34

https://www.bbc.co.uk/news/uk-england-essex-67698037

I've just read this on the BBC website. Is it that school? Of course YANBU. Posters saying things have got out of hand and that nobody used to worry about stuff like this are so naive.

Corringham school apologises after sharing personal pupil data

The head teacher at the school apologises for "any distress caused by the information breach".

Mouthfulofquiz · 14/12/2023 07:37

They need to do the self assessment tool on the ICO website and see if they need to formally report themselves. That’s a very basic error from the school, someone probably needs some more training on the practical side of things. Personally I would be contacting the school. Next time they could make a much bigger fuck up!

TragicMuse · 14/12/2023 07:37

Redsheeps · 14/12/2023 03:05

I think people have lost sight of what GSPR laws are for. No one gives a fuck if little jimmy needs his eyes tested. Get over yourself

Don't be ridiculous. This kind of activity is exactly what the law on data protection is for. That's GDPR and the Data Protection Act 2018.

There are lots of things that people used to do that we don't now because the law has changed. Smoking indoors, seatbelts, marital rape. All used to be allowed and accepted, now against the law. Data protection is the same.

OP, you'd be right to tell the school. If they know, they should have contacted you all to request deletion, reassure you, offer the opportunity to ask any questions etc. If they haven't realised, they need to know so they can do those things, train the person/people responsible, think about their processes for managing personal data and assess whether it meets the threshold for telling the ICO.

I've been a data protection professional for 14 years. I don't think it's immediately reportable to the ICO based on what you've described so far, but I don't know the full content of the email. It could be. That it involves children will be a factor. But at the very least the school needs to know to contain and minimise the impact.

Tell them. You don't need to go in all guns blazing. But they do need to know.

NotYeti · 14/12/2023 07:44

I think you should report it. I would politely contact the school and enquire if they're aware and handling the breach. I would probably report to the ICO too because they can then decide if it's worth investing or not. I love the ICO - they've always been very helpful when I've had to contact them about work matters.

I'm surprised that people think that reporting this is petty. This is personal data and potentially health related data shared with loads of people.

penjil · 14/12/2023 07:46

Whatsthebl00dypoint · 14/12/2023 00:48

Thanks @Objectrelations what if though, it was a child with a hidden disability and they didn't want others knowing? Or a FSM child who'd hidden this from their peers for fear of bullying? Or a vulnerable family and now the child's name and parent's email address is out there for 80+ families to see?

I'm hoping the school will have reported itself to ICO as per the rules, but just an apology would be enough for me. They cannot just gloss over this mistake as if it didn't happen.

Oh, chill out darling.

If your child is SEN or FSM, then fine, but don't get upset on someone else's behalf.

Wemetatascoutcamp · 14/12/2023 07:47

So school have breached GDPR but unless someone makes them aware they’ll likely have no idea OP- person sending the email has probably thought they BCC’d rather than CC’d.

I’d give them a heads up but honestly doubt the majority of parents have paid much attention to who else has received the email or cares for that matter.

Whatsthebl00dypoint · 14/12/2023 07:55

Lots of messages since I last sent one! Thank you for all the responses.

Just to clarify, school is aware. After the email was sent, they sent a recall email soon after. But it was too late as many people had opened it and replied to the question asked in the email. There was one response from a parent making the school aware of the data breach as well. No apology sent from the school or asking recipients to delete the emails.

To the person asking if it's the school on the BBC website, no that's not us.

@penjil no you chill out, of course it's my child's name on the list which is why I've made this thread.

Doingmybest12 · 14/12/2023 07:59

It would have been best if you'd just contacted them to say what you noticed and then they could apologise or investigate as they felt fit. I would hope no harm done and the worker will be more careful next time but there may be other issues about sharing particular emails that trigger a greater worry. I am paranoid about using bcc as I've done a similar thing with a smaller group of people by accident. Luckily no one threw the book at me and I avoid bcc if I possibly can. But in school with that volume of people to contact it can not be sent individually.

Doingmybest12 · 14/12/2023 08:00

Cross post. School know so move on.

fpqand · 14/12/2023 08:03

@Whatsthebl00dypoint best thing to do would be to go back to school to ask them to reassess the situation as they do not appear to have followed the appropriate process. If you are not satisfied with their response, contact their DPO via their privacy notice as sometimes the operational areas are just poorly trained in their duty so alerting their dedicated DP can help.

The ICO will not be interested until you have exhausted talking to the organisation.

meditrina · 14/12/2023 08:06

I would follow this up.

It is simply not on for an organisation to share your email address to scores of other people.

It doesn't matter whether it's a school or a company or a whatever. It shouldn't happen, they need to do better. And apologise.

kneesdonthurt · 14/12/2023 08:11

If it's a genuine mistake by the school, just reply to the sender and politely let them know.

If it's a first time issue, it seems quite churlish to escalate it to the ICO.

MinnieL · 14/12/2023 08:12

GirlsAloudReturnMadeMyYEAR · 14/12/2023 01:29

Why would you complain about something you've admitted is probably human error? Just to make someone's life a bit harder before Christmas? No doubt you'll say because it's a serious breach but it isn't really. One of my colleagues made a breach similar to this, his daughter had killed herself and when someone complained he ended up going off sick for a very long time. Don't be that person, nobody's done it on purpose.

Human error or not, there’s absolutely no need for other parents to have my email address. That’s sensitive information and I’d absolutely be complaining.

OP, we had a situation like this at work. I work in the film industry and our team leader CC’d customers in an email instead of BCC’ing them. Despite the fact that the email was very basic, so many customers complained because their email address was available for other people to see.

I don’t necessarily think it matters that the content has to do with SEN. I think you need to complain due to the email address issue alone.

Whatsthebl00dypoint · 14/12/2023 08:15

I understand errors happen, we're all human but the rules are in place for protection. As I said the list is of a specific vulnerable category of school children and disclosing this information can cause lots of potential issues.

I don't want the person responsible to be fired or anything extreme but hopefully it won't happen again. I'll ring up today and see what the school says.

Messyhair321 · 14/12/2023 08:27

I would definitely have to say something. Especially if my DC might be impacted because of this error. If the school didn't respond appropriately I'd probably complain then. It's not on is it?