School GDPR

[Nemop21]

Hi, any advice is most welcome. I'm concerned that my child's school has shared their GCSE sitting plan PDF in a mailshot to all the parents. The pdf shows, time,date duration of exam, along with their full names, tier (foundation or higher), room exam will take place.
Is this concerning? Upon emailed the school about this they have emailed asking all parents to delete the email! But what about the pdf that would be downloaded and saved on their devices, saved on cloud? That issue still remains right? What can I do?

Well done for raising that. Obviously a serious mistake. I’d make sure the Head is aware of the data breach. The school should report themselves to the ICO.

It is a data breach. They should have asked recipients to double delete it and delete from downloads etc.

Obviously, they can't change the fact that the breach has occurred. They will need to do a risk assessment to determine what action needs to be taken next (if any). That might include reporting to the ICO, depending on the details of the breach. Unlikely, I would have thought, but impossible to say without knowing more.

You've asked what you can do - in relation to what, exactly? Do you have particular reasons for being concerned, and if so, what are these?

I guess you could ask the school for details of the risk assessment that they have undertaken in relation to the breach, if that would help?

This is a massive double data breach I think. It clearly breaches data protection by broadcasting others children's information to parents. But I think it would also be confidential in terms of the exams.

Hi, as a parent ofcourse I am concerned as my child's data is out there on devices, emails, info that can be downloaded, printed, etc.. lots of concerns here. I have emailed the school but they did not reply back to me directly in reply to my email but sent a blanket email to all parents just saying to delete the email.

My concern is that as a parent what can I do now with the school if and when they contact me? What should I be asking? How secure is my younger kids data now who's attending next. Hope I'm making sense.

Thanks for all your replies. Greatly appreciated in the absence of the schools support who have gladly finished for the day but left a parent concerned.

Of course it is a concern that the data has been breached, but what you might need to do now depends on the specific risks that you perceive.

As stated above, you could ask the school for information about how they have assessed any risks arising from the breach, and what they intend to do to mitigate these risks, whether they think they need to report it to the ICO etc. You could ask them what steps they are going to take to reassure parents that a similar breach won't occur in future.

Like I said, they can't undo the breach, so you need to think about what your specific concerns are (ie what do you think might happen as a result of other parents having access to this info about your child) and what actions you want the school to take to mitigate these risks. Bearing in mind, of course, the fact that any actions that they might take would need to be proportionate to the specific risks identified.

If you don't think that the school are taking the breach seriously enough, or if you think that their risk assessment has failed to consider the likely risks, then you can seek advice from the ICO if needed. Bear in mind, though, that data breaches are very common, and while they can cause problems, they usually don't lead to any actual detriment.

Thankyou @MrsBennetsPoorNerves for your kind assistance in this matter. I will take your advice on board when I contact the school tomorrow.
This is not the first time it has happened. Last time they cc-d all the parents in an email and when I and other parents complained they sent a sorry email again to all the parents breaching data protection again on the same email! 🙈😅
But this time it's my childs details so I dont think I should stay quiet about it and let it slide on a reply of "it was sent in error".

I agree data breaches are common, and especially in the evening when a mailshot is sent and teachers are hurrying to end the day - maybe no compliance check/assessment done before pressing the send button! However, not from a school who is sending emails to parents about "online safety" 🤔 🙄

You can ask them to review their gdpr policy and staff training and check they've reported the breach to the ICO. That this is the second breach is key in my opinion and suggests a lack of training.

The data breach is fairly low risk. Some risk of emotional distress due to students being embarrassed but little chance of identity theft, financial loss etc.

It sounds like awareness of data protection isn't really embedded into the culture of the school. Not great, but again, probably not unusual. Most schools have limited resources and many probably struggle to make GDPR compliance a priority.

If you are concerned that there has been a series of breaches and you feel that they're not really taking it seriously, I guess you could put in a formal complaint and escalate it to the governors if you aren't happy with the school's initial response. However, if you value your relationship with the school, I think I would possibly be more inclined to go down a less formal route of emailing the head teacher to express your concerns, in a constructive manner, about whether they have the resource and the training to be able to ensure that pupil/parent data is adequately protected, acknowledging how difficult this is on top of everything else that they're juggling and asking what they can to to reduce the risks etc.

I wouldn't be overly worried about the breach by the way. As @ThesebeautifulthingsthatIvegot has indicated, the actual risk is pretty low.

Also, just to note that not all data breaches have to be reported to the ICO. It depends on the level of risk. If it is a large amount of data and/or a serious risk, it has to be reported but it isn't always crystal clear and there is an element of judgement involved.

@MrsBennetsPoorNerves ok yes, I see. It's a pdf with around 150 kids names. Hope other parents have/will raise concern and training issues re online safety amongst school staff as well.

Thankyou once again. I feel more reassured from this forum than the school who is yet to reply to me 🙄😆

This isn't about online safety. It's about data protection. You come across as wanting to catch the school out. They can want their students to stay safe online while being undertrained/non-compliant in GDPR.

Did your email require a reply? When did you send it?