There has been outrage after a Scottish school, Brechin High School, shared the personal data of about 50 pupils with other students at an assembly. The data, concerning disabilities and mental health, was included on a slide about such conditions as autism and ADHD.
The BBC reports that:
The presentation covered how pupils can prepare for prelim exams in January.
It then detailed how exam arrangements for children with additional support needs would be different, and listed individual pupils.
The incident is a flagrant breach of GDPR. The personal data of children is considered sensitive as they are vulnerable individuals – and the same applies to the data of people with mental health issues and disabilities.
To share this data with others is therefore a clear breach of data privacy laws. This incident has put these pupils at risk, as well as being a clear breach of trust. The BBC continues by noting that:
Angus Council said the school’s head teacher was contacting the parents of the pupils whose details were shared.
A spokesman said the incident was “unacceptable” and should not have happened “under any circumstances.”
He said: “We apologise for the obvious upset and concern this has caused, particularly to those young people whose details were shown.
“Inquiries are under way to establish the full circumstances of this isolated incident and whether any individual learning requires to be provided.”
The council said the UK Information Commissioner had also been advised of the incident and “appropriate support” would be provided to the pupils affected.
While it’s positive that Brechin High School has recognised its mistake, this is little comfort to those affected. The damage has already been done, and the ICO will respond accordingly.
The school should look first and foremost into how the incident happened in the first place, and identifying whether its staff had sufficient data protection training. The incident shows that there was a clear lack of awareness around certain issues.
If you’re concerned about your employee’s understanding of data protection, contact us today. Our Staff Training services will improve their knowledge and equip them with the awareness to change their actions, minimising the risks to your business and allowing them to confidently handle personal data.