Gdpr breach

83 replies

Whatsthebl00dypoint · 14/12/2023 00:31

If your child's school sent out an email CC'ing in over 80 parents, with their child's name and parent's email addresses, and it was a specific category of children, e.g. SEN or Pupil Premium, is that a serious breach of data privacy?

I'm considering whether to make a formal complaint to DD's school, since this happened the other day and we have not received an official apology or explanation of how this was able to happen, although it was likely human error. I know mistakes do happen, but this seems pretty big for them to remain silent over. There was no sensitive information in the email, just a very general one. But it's the fact that the list of children is very specific and not all families will want this information public, for obvious reasons.

RedToothBrush · 14/12/2023 08:32

Redsheeps · 14/12/2023 03:05

I think people have lost sight of what GDPR laws are for. No one gives a fuck if little Jimmy needs his eyes tested. Get over yourself.

Yeah they are about not passing on data.

Who is to say that one parent won't decide to use the email addresses to try to sell multi-level marketing products to, or to harass, another parent? It's basic-level safeguarding.

You don't know what that data might be used for - that's the point - to prevent ANY misuse of your data.

It's not simply about whether little Johnny has issues with their eyes.

You are deliberately and grossly misrepresenting the issue.

Riva5784 · 14/12/2023 08:48

It does make a difference that the content of the email has to do with SEN. Health information is considered 'special category' data in the UK GDPR. These categories of personal data are considered more sensitive and are given extra protection by the law.

Yes, mistakes happen. It's how the school responds to the data breach that matters.

Vinrouge4 · 14/12/2023 09:00

I am pretty sure this was reported on the BBC news website. It is a coincidence if not. Is the school in Essex?

NettleTea · 14/12/2023 09:03

It's a hard one, and likely a human error. Probably added the names to CC rather than BCC, as it's not always obvious where to find that.

Once, before the GDPR rules came into force, I was reminded of this when I sent out a welcome email to everyone who was coming to stay at our glamping site in a particular month. It's what I had always done: just copy and paste all the booking emails into one email to send out to guests. I'd done it for several years, and a guest pulled me up on it. I really didn't know (as I'm not trained in admin/office protocol) that it wasn't the done thing, and my partner, who worked in IT, pointed out to me where to find the BCC tab. I now just reply to everyone individually, but it is easy to do, and fortunately it was just unintentionally rude rather than illegal.

MissBuffyAnneSummers · 14/12/2023 09:03

This is a breach and the school needs to deal with it.

If they don't sort out their procedures then the next breach could be far more serious.

CC'ing is really sloppy and suggests the person doing it hasn't undertaken their training.

You are right to raise this with the school.

RudsyFarmer · 14/12/2023 09:06

Could you inform the head as opposed to formally reporting?

fpqand · 14/12/2023 09:09

Most data breaches are human error; that's just a fact. The cyber breaches you hear of are dwarfed in number by staff mistakes. It's not as if we have a prolific problem of staff maliciously oversharing data; staff are the biggest risk factor, and data controllers need to address these issues properly to improve training and processes.

ButWhatAboutTheBees · 14/12/2023 09:18

Accidentally CCing not BCCing is easy to do

They sent a recall email so they have done what they needed to do

Also sounds like a lot of parents are using "reply all" if you know they've replied to the question and one complained - this shows a lack of technical awareness on their side too.

Frabbits · 14/12/2023 09:20

Absolutely it's a GDPR breach, and I would expect the school to treat it seriously.

Youcannotbeseriousreally · 14/12/2023 09:21

Vinrouge4 · 14/12/2023 09:00

I am pretty sure this was reported on the BBC news website. It is a coincidence if not. Is the school in Essex?

The OP has already said it’s not the same one.

In Essex the school reported themselves to the ICO. That was a really really significant breach.

fpqand · 14/12/2023 09:31

@ButWhatAboutTheBees recall emails don't really work. They should be emailing the parents and a) apologising, because, you know... common decency and all that, and b) requesting that the emails are deleted (yes, individuals are compelled by the legislation to do that, or they can be individually liable).

Whatsthebl00dypoint · 14/12/2023 09:36

I've just spoken to someone from ICO for general advice and been told it is a breach of data albeit low risk and quite common (alarmingly!), but it's important how the situation is handled by the school afterward. If they did the recall then they do not need to refer themselves to ICO. However, as someone above pointed out a few parents have been doing 'reply all' so the list of personal details has been sent out repeatedly and this has not been addressed by the school asking parents to urgently delete the emails. Any complaint/concern from a parent should be in writing I was told so if it is investigated there is a paper trail so I'll email the HT instead of a phone call as initially planned. It won't be a complaint but they do owe the parents an apology at the very least.

Whatsthebl00dypoint · 14/12/2023 09:39

@Vinrouge4 no we are not the school mentioned in the news.

Megifer · 14/12/2023 09:41

I'm surprised the ICO have said a recall is enough. Recall doesn't work unless everyone is in the same org or using the same email exchange (think that's the terminology), so e.g. someone sending from Outlook will never successfully recall a message from a Gmail address.
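The two technical points in the thread so far (NettleTea: the list was put in CC rather than BCC; Megifer: a recall cannot claw a message back once it has left the sender's mail system) both point the same way: the only reliable control is a check that runs before the message is sent. The script below is an added example, not code from the thread or from any school's mail system. It builds a bulk notice with everyone in Bcc, or one message per recipient, and refuses to pass any message whose visible To/Cc headers expose more than one address. The sender, the parent addresses and the subject line are constructed for illustration and use the reserved .invalid domain.

```python
"""Pre-send guard against the CC-instead-of-BCC mistake.

Added example; not the thread's or any school's own code. All addresses
below are constructed sample data on the reserved .invalid domain.
"""
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed sample data (assumption: a SEN office mailing three parents).
SENDER = "sen-office@school.example.invalid"
PARENTS = [
    "A Parent <parent.a@example.invalid>",
    "parent.b@example.invalid",
    "C Parent <parent.c@example.invalid>",
]


class RecipientExposure(Exception):
    """Raised when a message would reveal other recipients' addresses."""


def visible_recipients(msg: EmailMessage) -> list[str]:
    """Addresses every recipient will see: everything in To and Cc.

    Bcc is not included because smtplib.SMTP.send_message strips the Bcc
    header before transmission, so it never reaches the recipients."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr.lower() for _name, addr in getaddresses(headers) if addr]


def exposure_count(msg: EmailMessage, sender: str) -> int:
    """Number of addresses, other than the sender's own, visible to recipients."""
    return sum(1 for addr in visible_recipients(msg) if addr != sender.lower())


def check_no_exposure(msg: EmailMessage, sender: str) -> EmailMessage:
    """Pre-send gate: at most one visible recipient besides the sender.

    One visible address is the recipient themselves; two or more means a
    distribution list has leaked into To/Cc."""
    n = exposure_count(msg, sender)
    if n > 1:
        raise RecipientExposure(
            f"{n} addresses visible in To/Cc; use Bcc or one message per recipient"
        )
    return msg


def _base_message(sender: str, subject: str, body: str) -> EmailMessage:
    msg = EmailMessage()
    msg["From"] = sender
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def build_bulk_notice(sender: str, recipients: list[str],
                      subject: str, body: str) -> EmailMessage:
    """One message: the sender in To, every real recipient in Bcc."""
    msg = _base_message(sender, subject, body)
    msg["To"] = sender
    msg["Bcc"] = ", ".join(recipients)
    return check_no_exposure(msg, sender)


def build_individual_notices(sender: str, recipients: list[str],
                             subject: str, body: str) -> list[EmailMessage]:
    """One message per recipient: no recipient list exists to leak, and
    'reply all' can only reach the sender."""
    notices = []
    for rcpt in recipients:
        msg = _base_message(sender, subject, body)
        msg["To"] = rcpt
        notices.append(check_no_exposure(msg, sender))
    return notices


def build_leaky_notice(sender: str, recipients: list[str],
                       subject: str, body: str) -> EmailMessage:
    """The mistake described in the thread: the whole list pasted into Cc.
    Deliberately not gated, so the check can be demonstrated against it."""
    msg = _base_message(sender, subject, body)
    msg["Cc"] = ", ".join(recipients)
    return msg


if __name__ == "__main__":
    good = build_bulk_notice(SENDER, PARENTS, "Review meeting dates", "Dates attached.")
    print("bulk notice exposes", exposure_count(good, SENDER), "addresses")
    leaky = build_leaky_notice(SENDER, PARENTS, "Review meeting dates", "Dates attached.")
    try:
        check_no_exposure(leaky, SENDER)
    except RecipientExposure as exc:
        print("blocked:", exc)
```

The gate is deliberately header-based rather than trusting whichever form field the sender used, so it catches the same mistake whether the list was pasted into To or into Cc. Sending is left to `smtplib.SMTP.send_message`, which is the call that removes the Bcc header; if you hand the raw bytes from `as_bytes()` to something else, the Bcc line is still in there and the check above does not cover that path.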

Ivyy · 14/12/2023 09:41

Similar thing happened at dd's school in the summer. SEN dept administrator sent out an email about dates for end of year record of outcome meetings. Parents were bcc'd so it showed every parent's email address. It didn't go to all parents, just those who have children with sen at school. If it had gone to all parents I would've said something as my daughter doesn't tell anyone she has sen and wants to keep it private.

In any case, the administrator sent a second email almost straight away, not apologising but saying the last email had been sent in error and please delete it. She was new and had only been working at the school a couple of weeks, so I just put it down to that and human error. Had no idea it was a breach 'til reading this post tbh!

mindutopia · 14/12/2023 09:42

Yes, it's a GDPR breach. They shouldn't be sharing parent email addresses with everyone. I would report it to them and let them address it.

It's very likely a junior admin person who hasn't had sufficient training or did something in a rush without thinking, but it's important that it's flagged up so they can learn from their mistake. We've had the same happen at work (not me personally, but with another staff member whose job involves less data protection stuff). It was a helpful learning experience.

Cleanbedsheets · 14/12/2023 09:45

I'm hoping the school will have reported itself to ICO as per the rules, but just an apology would be enough for me. They cannot just gloss over this mistake as if it didn't happen

This kind of breach does not require reporting to the ICO. However, an internal record should be made by the school, and parties informed.

ColleenDonaghy · 14/12/2023 09:46

I would speak to the school and see if they realise how serious it is and take it from there.

I had this with the GP once - they sent out asthma review forms and CC'ed all the patients rather than using Bcc. Obviously asthma isn't the most sensitive of medical conditions, but still really shouldn't have happened. I replied to the email and then had a call from the practice manager. I was satisfied they realised how potentially serious it was and so I left it there.

ArseInTheCoOpWindow · 14/12/2023 09:50

I left teaching 3 years ago. We weren’t allowed to use names in email then. It had to be initials only. Sounds like the school are behind the curve in safeguarding.

It was introduced to stop this sort of thing happening.

Megifer · 14/12/2023 09:55

Cleanbedsheets · 14/12/2023 09:45

I'm hoping the school will have reported itself to ICO as per the rules, but just an apology would be enough for me. They cannot just gloss over this mistake as if it didn't happen

This kind of breach does not require reporting to the ICO. However, an internal record should be made by the school, and parties informed.

It involved special category data (health) and data relating to children. So a double whammy.

Breaches should be reported if there is a risk it could affect the rights and freedoms of the individual. I'd suggest sharing identities of minors who have SEN could potentially be such a breach, as it has breached confidentiality. At the very least, those affected should have been informed separately.

I'm really surprised at that ICO officers response tbh.

bonzaitree · 14/12/2023 09:56

This is absolutely a serious data breach on the basis that it includes information about

  1. Children
  2. vulnerable people
  3. medical information (special category data)
  4. disability information

The school has a duty to take care of your and your child’s personal data, including training all staff (which the message clearly hasn’t got through!)

Personally I would be writing to the governors about this, including 1. Factually what happened; 2. Why this is a personal data breach; and 3. The effect on you and the children (embarrassment, loss of trust in the school etc.)

Ask them for a report on how they have dealt with the incident. At a minimum, they should have:

  1. recorded the incident in their breach register
  2. conducted an analysis of why the breach occurred
  3. implemented measures to prevent recurrence such as staff training, reviewing software etc.

This isn’t ok- don’t let it drop!

MandyMotherOfBrian · 14/12/2023 10:39

Whatsthebl00dypoint · 14/12/2023 08:15

I understand errors happen, we're all human but the rules are in place for protection. As I said the list is of a specific vulnerable category of school children and disclosing this information can cause lots of potential issues.

I don't want the person responsible to be fired or anything extreme but hopefully it won't happen again. I'll ring up today and see what the school says.

Was the email message very specific about a named individual with SEN?
Or was it a generic email that was CC'd to all instead of BCC'd?
Because the latter, sharing only email addresses, will be considered low risk. Bearing in mind that some of the email addresses will be anonymised and/or be names that do not correlate with a specific child's name, the information gleaned from it will be minimal.

fpqand · 14/12/2023 10:58

@MandyMotherOfBrian Not necessarily; it's the context. If the context is that the list is clearly for those with specific needs, then you are essentially divulging special category data. If it was a generic school letter sent to the whole school, that would likely be lower risk despite involving more people, because the context is lower risk. There was a similar breach involving HIV patients. "CC-ing" breaches can be very high risk or low risk; you can't define them by the type alone, you need the context.

MandyMotherOfBrian · 14/12/2023 11:19

fpqand · 14/12/2023 10:58

@MandyMotherOfBrian Not necessarily; it's the context. If the context is that the list is clearly for those with specific needs, then you are essentially divulging special category data. If it was a generic school letter sent to the whole school, that would likely be lower risk despite involving more people, because the context is lower risk. There was a similar breach involving HIV patients. "CC-ing" breaches can be very high risk or low risk; you can't define them by the type alone, you need the context.

Yes exactly, and if they made a CC error they may have also made a list error - it might have gone to everyone, therefore no one can be identified as a particular category. But only the investigation will reveal that, which should be carried out regardless of the risk level of course.

fpqand · 14/12/2023 11:27

@MandyMotherOfBrian From what OP says it sounds like a list error, but a specific list: she mentions 80 people, so it doesn't sound like the entire school but a list for a purpose, which in itself divulges information. Obviously only an investigation can confirm that, but I suspect OP has been able to glean that much.
