
Legal matters

Mumsnet has not checked the qualifications of anyone posting here. If you have any legal concerns we suggest you consult a solicitor.

Data protection breach

2 replies

sunflower85 · 08/06/2019 19:59

Hi guys, just looking for a bit of advice please.

My daughter is at preschool and a number of months ago we as parents had to complete an assessment on our child, covering items such as how we felt their progression at preschool was going, areas that need to be worked on, and also any other non school related issues such as behaviour at home and development in non curricular areas.

I had filled this out at length and in great detail. I have recently found out that the form I completed was released in its entirety to the parents of another child at the school with a similar name.

I have never at any time been informed of this breach by the school.

A couple of weeks have passed and I have stewed about this to the point where I feel that I want to have a word with the school about it. I’m not so much angry about the breach, as I totally appreciate that accidents happen, but I’m upset that they did not inform me.

My question is, were they legally obliged to tell me?

prh47bridge · 08/06/2019 20:55

They only have to tell you if the breach is likely to result in a high risk to your rights and freedoms. Without knowing the contents of the assessment it is impossible to be sure, but it doesn't immediately feel like it is something they are obliged to tell you.

PerryMasonsFriend · 11/06/2019 16:04

They probably will have to report it to the Information Commissioner.
Whether they have to tell you depends on the nature of the information.

This page on the ICO website explains it:

ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/personal-data-breaches/

This is what it says:

When do we need to tell individuals about a breach?

If a breach is likely to result in a high risk to the rights and freedoms of individuals, the GDPR says you must inform those concerned directly and without undue delay. In other words, this should take place as soon as possible.

A ‘high risk’ means the threshold for informing individuals is higher than for notifying the ICO. Again, you will need to assess both the severity of the potential or actual impact on individuals as a result of a breach and the likelihood of this occurring. If the impact of the breach is more severe, the risk is higher; if the likelihood of the consequences is greater, then again the risk is higher. In such cases, you will need to promptly inform those affected, particularly if there is a need to mitigate an immediate risk of damage to them. One of the main reasons for informing individuals is to help them take steps to protect themselves from the effects of a breach.

Example

A hospital suffers a breach that results in an accidental disclosure of patient records. There is likely to be a significant impact on the affected individuals because of the sensitivity of the data and their confidential medical details becoming known to others. This is likely to result in a high risk to their rights and freedoms, so they would need to be informed about the breach.

A university experiences a breach when a member of staff accidentally deletes a record of alumni contact details. The details are later re-created from a backup. This is unlikely to result in a high risk to the rights and freedoms of those individuals. They don’t need to be informed about the breach.
