Am I overreacting about safeguarding?

[bestbefore2020]

A couple of weeks ago, my children's primary school accidentally sent out student information forms containing pupil's names, numbers, addresses, medical details and other confidential information to the wrong families. The Head did not tell parents that this had happened. I found out about it 48 hours later from a woman in the playground who had received my daughters information. I have complained to the school, but the Head says she didn't contact parents as she was acting on advice given to her from the county lawyers (would they suggest this? Really?).

I feel we should have told as as soon as the school were aware that a mistake had been made. I know the data release is a serious safeguarding issue in itself, though of course mistakes happen. I'm really cross however, that the school decided not to inform parents as soon as they knew. Should they have done? Or am I making a mountain out of a molehill?

It would be interesting to hear what other parents (including those who are maybe heads or governors themselves) think. Is there a procedure that should be followed after a data breach? I am thinking of taking my complaint further but don't know if I have grounds.

The incorrect use or dissemination of confidential information is a breach of the Data Security Act. The Office of the Information Commissioner is where you complain and they do have guidelines for data use and collection in schools. Why was information sent to the wrong families? What was the school doing sending this type of information to any family?

I can see where you are coming from regarding safeguarding, but exchange of information is legal to facilitate safeguarding but only under agreed circumstances and obviously information only goes to those people who need to know. Nothing has actually happened to your child so it is not an actual safeguarding issue as I understand it.

The school is hiding behind the Legal Department and probably is hoping the matter will go away. The Information Commissioner has a report about school data security on their web site and it appears your school has failed to keep data secure, even if it is human error. I would complain to the Information Commissioner but surely the school should apologise and withdraw the information it has circulated erroneously, as a minimum!

FGS why would you take it further? How have you been harmed in this incident? Yes it shouldn't have happened, but I fail to see the point in 'taking it further'.

I don't think you are over reacting - medical information?!

Remember what happened when HMRC lost discs with child benefit details? Everyone got a letter about that

It would depend on how sensitive the information was, cansu. If it contained very detailed sensitive information about the op's family that was not generally known about, then it could be very harmful indeed.

I think that the reason I want to take things further is yes, some of the material was incredibly sensitive - and it's not the first time something like this has happened. The head and governors discourage anyone from making a complaint, so what I see as bad practice is allowed to continue, and no one is held to account.

I don't know whether your complaint would be upheld but of course you can complain. They released confidential information about your daughter and didn't have the courtesy to let you know, I would be unhappy too!

Have you thought about making a complaint to Ofsted? It doesn't sound as though their admin systems are particularly robust or that they care.
It is a horrible breach of your privacy and to try and sweep it under the carpet shows a lack of respect towards parents and children. They could have at least acknowledged their mistake and apologised.

Yes ICO will be interested

I would make a formal written complaint to the head teacher that you were not informed of this lapse in both the data protection act and by default safeguarding.
At the same time I would also copy the letter to Ofsted as it does show a lack of control and poor admin systems. It is possible that the head is hoping this will all go away and has not even taken advice from the legal people at the LA or it is possible that the legal people have given this advice. But either way it needs to be raised as a formal complaint, which can then go further to the governing body if the head's response is not satisfactory. You might not get any where but you need to do it for your own sake.

Thanks, everyone, that's all really useful.