
Is this a data breach?

Discussion in 'Workplace dilemmas' started by twitterbix, Oct 15, 2019.

  1. twitterbix

    twitterbix New commenter

    I recently had an operation. Before my return to work I emailed my head of department asking to be based in one classroom until I'm properly back on my feet. In this email I detailed how I was feeling and what I didn't think I would be able to manage. The request was sorted. Today I find myself copied into an email to the teachers in the department listing all of the room changes taking place. Instead of being a new email with the list attached, it was a forwarded one. This email is the whole thread going back to my initial email (via 3 other people and their input too). My colleagues can see all of this communication.

    This isn't right is it? How should I approach this?
  2. mm71

    mm71 Occasional commenter

    In the first instance, I'd email the HoD asking if they were aware of what they had done in a nice way, but explaining that I wasn't too happy with all of the previous emails being included.
  3. Lalad

    Lalad Star commenter

    It is a data breach.

    I suppose it depends how you feel comfortable with approaching it.

    In certain circumstances, once an organisation becomes aware of a GDPR breach, it must be reported to the ICO within 72 hours. I'm not sure whether this breach falls within those guidelines, but if you make clear to the HOD that you feel a GDPR breach has taken place, the school would then have to decide whether to report it based on their assessment of the damage caused by the breach.
    jlishman2158 and twitterbix like this.
  4. frustum

    frustum Star commenter

    It definitely isn't right, but it's only you affected, the damage has been done, and nothing can fix that. I think the main thing is to make sure it doesn't happen again. It's something I've seen happen a few times - it's very easy to delete all but the last bit of the conversation thread, but too often people forget that the exchange was originally between two people and it might not be appropriate for others to see the entire history.

    If it were me, I wouldn't be pursuing things as a GDPR breach, but I would be saying "did you realise you forwarded our entire discussion about my operation to the rest of the department?", and I might also see whether something can be put in the staff bulletin or similar reminding all staff to be careful, when forwarding emails or copying someone in on a reply, that only the necessary and appropriate parts of the previous email are included in the new message.
  5. aypi

    aypi Established commenter

    Reply to all stating that it is a breach of GDPR, report it as such. I am confident that the American woman did not mean to drive on the wrong side of the road, so why should she face the law?
  6. Rott Weiler

    Rott Weiler Star commenter Forum guide

    Is it a breach of GDPR? Yes.

    Is it a serious breach that needs reporting to ICO? Unlikely. ICO explain here and here that unless there is a significant risk of "physical, material or non-material damage" to you personally it does not need to be reported. Of course I don't know exactly what was in the original emails but from what you've said it seems unlikely there is a serious risk of that.

    Yes you need to complain to the head about it asap to minimise the chance of it happening again (to anyone).

    If you aren't satisfied with the head's response use the school Grievance Procedure to take it further (get union support). Don't accept the head just saying 'sorry'. That's too easy. You want some concrete action taken to remind all staff of the GDPR risks of forwarding emails in this way. Some formal guidelines. After all, next time it could be something much more serious (I know of a case, pre-GDPR, of a school carelessly circulating details of someone whose life was at risk from a seriously abusive ex-partner and the addressees included a relative of the abuser).
    Stiltskin, strawbs and Lalad like this.
  7. HolyMahogany

    HolyMahogany Occasional commenter

    You know this HOD well enough, I assume, to know whether this was a stupid and thoughtless mistake or a show of contempt for your privacy. Regardless of the reasons for doing this, the damage is done. You must raise the issue with the department line manager, possibly the HT?, but you also need to think about what outcome you are looking for: do you simply want an apology and the reassurance that this information will go no further? Can the staff already in receipt of this info be politely requested not to share it with others? Do you want further action taken against your HOD? Is this person likely to do this again?
    As I said I think it really depends upon your relationship with this person and what you think their motives were. In future I think you will need to state if a message is confidential. It should be obvious but electronic communication has changed the way things are done.
    twitterbix likes this.
  8. averagedan

    averagedan Occasional commenter

    It's not a GDPR breach per se, as it fails the structured data test and is unlikely to cause harm. Also, word of the reason for the move/your illness has probably spread by word of mouth, so unless there are personal details in there which people could reasonably know, it's probably not a data breach.

    Is it sensitive and considerate? No. A polite word saying "x upset me" often does the trick.
    HolyMahogany likes this.
  9. Rott Weiler

    Rott Weiler Star commenter Forum guide

    Why? The data about OP's medical condition is presumably part of their staff file.
  10. averagedan

    averagedan Occasional commenter

    If they'd shared their staff file then it most certainly would apply but would still fail the harm test. A conversation does not count as structured data, this aspect of GDPR is meant to prevent the likes of FB conducting meta-analyses, etc.
  11. aypi

    aypi Established commenter

    I can't believe the number of posters on here who can put the onus on the victim of the breach to excuse the HOD.
    No-one other than the HOD needs to know the reasons for the room arrangements. Perhaps even the HOD does not even need to know.
  12. averagedan

    averagedan Occasional commenter

    No-one has done that. People have advised to approach it as a quiet discussion between friends and make it clear that you were hurt. No-one has victim blamed as far as I can see.
    sbkrobson likes this.
  13. Rott Weiler

    Rott Weiler Star commenter Forum guide

    I don't agree with either of those statements. GDPR does not allow you to release sensitive personal data about someone and claim it's exempt because it wasn't in a structured filing system. Nor does GDPR say you can publish sensitive personal data about an individual as long as it doesn't cause them harm, if that's what you mean?
    sabrinakat likes this.
  14. averagedan

    averagedan Occasional commenter

    Then you're wrong to be honest. The structured data test is about collecting data for entry into databases and spreadsheets, the sharing of a conversation does not fit this bill. At no point was the data in the conversation destined to be collected from all staff, entered into a database and kept for a purpose. It's not even close to being considered as structured data.

    The harm test is about preventing small mistakes such as this from snowballing into a legal quagmire in the courts, i.e. this exact situation.

    People really do gold plate GDPR.
  15. averagedan

    averagedan Occasional commenter

    "The protection of natural persons should apply to the processing of personal data by automated means, as well as to manual processing, if the personal data are contained or are intended to be contained in a filing system. Files or sets of files, as well as their cover pages, which are not structured according to specific criteria should not fall within the scope of this Regulation"

    From the GDPR itself - unless you can show that this e-mail conversation is structured according to specific criteria which are common to convos with all staff and entered into some kind of filing system this situation is not covered by GDPR.
  16. Rott Weiler

    Rott Weiler Star commenter Forum guide

    I am not, to be honest. You are giving very dangerous advice and I suggest OP and anyone else should obtain an expert professional opinion before releasing sensitive personal data in the way you think is OK.

    Sharing conversations is irrelevant. The information wasn't disclosed by conversation. An email database is in itself a structured filing system. It wouldn't work if it wasn't.
    Last edited: Oct 15, 2019
  17. averagedan

    averagedan Occasional commenter

    An e-mail convo is just that - a conversation without structure. Unless there's a standard form in there, and that form is used to collect data for entry into a filing system for all staff, it's not covered by GDPR and only the data in the form would be covered. I've even posted the relevant part of the GDPR.... This isn't the hill to die on.
  18. install

    install Star commenter

    Did you head it 'in confidence'? It doesn't sound like a data breach to me. Wouldn't personal information be given to the Head/Deputy instead? Did you expect your HoD to pass on the information to the Head for you, and how would they know what bit is private?
    Last edited: Oct 15, 2019
  19. Rott Weiler

    Rott Weiler Star commenter Forum guide

    That is simply nonsense and isn't what the commentary you posted says.

    But I'm not going to waste further time debating it with you and recommend anyone wanting authoritative guidance to get expert professional advice. Do you support my recommendation?
  20. averagedan

    averagedan Occasional commenter

    Of course it's not. It's not meant for the collection of data from all staff in a structured fashion, otherwise GDPR would cover notepads.

    Not when it's this simple buddy. Have a nice evening, I agree that we're going in circles here.....
