It’s a Tuesday morning and the Year 8 maths teacher bursts into the staffroom, laptop clutched to her chest.
“I think I’ve just emailed the wrong attachment to a parent,” she says, eyes wide.

For most people outside education, this might sound like a small blip. But for those working in schools, it’s the sort of stomach-dropping moment that makes your mind race: What was in the attachment? Who has it now? Is this serious enough to tell the ICO?

Schools hold a vast amount of personal information: names, addresses, contact details, attendance, health data, safeguarding records. That makes them particularly exposed when something goes wrong. While many incidents are small and easily contained, others need urgent reporting to the Information Commissioner’s Office. The challenge is knowing the difference.


Step 1: Understanding the data involved

The first question to ask is deceptively simple: what kind of data are we dealing with?
Some breaches involve ordinary personal data, such as names, class lists or email addresses, which, while still important, generally poses less risk. Others involve special category data, which is far more sensitive: health information, details of a child’s learning needs, or safeguarding reports.

Imagine a staff member sends an after-school club schedule to parents but accidentally leaves all the parent email addresses visible. Annoying, yes, but unlikely to cause real harm. Compare that to the SEN register being emailed to the wrong organisation, revealing medical diagnoses and support plans for vulnerable pupils. The stakes are suddenly much higher.


Step 2: Thinking about the potential harm

The severity of a breach isn’t just about what data is involved; it’s also about what could happen as a result. Could the information be used to cause embarrassment, distress, discrimination, or even physical harm? Does it involve a vulnerable individual, such as a child under safeguarding measures?

A staff meeting agenda posted in the wrong place might cause mild irritation. But a safeguarding referral accidentally sent to multiple parents? That’s a different matter entirely, because the potential for harm is clear and significant.


Step 3: Considering scale and exposure

One child’s name sent to the wrong person may still be a breach, but the risks are magnified when the same error involves dozens of pupils or is shared beyond the school’s control. And it’s not always digital slip-ups we need to worry about.

Take the example of a lost unencrypted USB stick containing last term’s exam results. If it’s dropped somewhere in the school car park and quickly recovered, the risk may be minimal. But if it goes missing on the bus home and could be accessed by anyone, the potential for wider exposure grows, and so does the severity.


Step 4: Deciding whether to contact the ICO

The ICO must be informed within 72 hours of the school becoming aware of a breach if it is likely to put someone’s rights or freedoms at risk. That’s a deliberately broad test, because context matters.

If the breach involves non-sensitive data, was quickly contained, and presents no realistic risk of harm, you might decide that ICO notification isn’t necessary, though you should still keep a detailed internal record of the incident and of why you decided not to report it. But if the breach involves sensitive data, a vulnerable person, or uncontrolled exposure, the safer route is to report it.

Picture two incidents happening on the same day:

  • In the first, a parent receives the Year 9 timetable in error, showing pupil names and subjects. They tell the school immediately, delete the file, and confirm it’s gone. Annoying, but low risk.
  • In the second, an educational psychologist’s report containing detailed mental health notes for a pupil is emailed to the wrong parent. Sensitive data, real potential for distress, and no certainty it will be deleted. This needs reporting, and quickly.
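The four-step assessment run over the article’s own scenarios, as an added example in Python that is not part of the original post. The scoring weights, the scale threshold, the constructed timestamps and the scenario details are assumptions of this example; the 72-hour window is the deadline the article cites.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum


class DataCategory(Enum):
    """Step 1: ordinary personal data versus special category data."""
    ORDINARY = 1          # names, class lists, email addresses
    SPECIAL_CATEGORY = 3  # health data, learning needs, safeguarding records


@dataclass(frozen=True)
class Breach:
    description: str
    data_category: DataCategory
    vulnerable_individual: bool  # Step 2: e.g. a child under safeguarding measures
    people_affected: int         # Step 3: scale
    contained: bool              # Step 3: deletion confirmed or device recovered
    detected_at: datetime        # when the school became aware of the breach


# Assumed values, not from the article: the scale threshold is a local policy
# choice; the 72-hour window is the ICO notification deadline the article cites.
LARGE_SCALE_THRESHOLD = 50
NOTIFICATION_WINDOW = timedelta(hours=72)


def severity(breach: Breach) -> str:
    """Combine the four factors into a coarse severity band for the record."""
    score = breach.data_category.value
    score += 2 if breach.vulnerable_individual else 0
    score += 2 if not breach.contained else 0
    score += 1 if breach.people_affected >= LARGE_SCALE_THRESHOLD else 0
    if score >= 5:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def assess(breach: Breach) -> dict:
    """Step 4: decide whether the ICO needs to know, and say why.

    Mirrors the article's rule: report when the breach involves special
    category data, a vulnerable person, or uncontrolled exposure; otherwise
    keep a detailed internal record. Scale alone magnifies severity but does
    not trigger a report by itself (a year group's timetable is still low risk).
    """
    triggers = []
    if breach.data_category is DataCategory.SPECIAL_CATEGORY:
        triggers.append("special category data involved")
    if breach.vulnerable_individual:
        triggers.append("vulnerable individual affected")
    if not breach.contained:
        triggers.append("exposure not contained")
    report = bool(triggers)
    return {
        "description": breach.description,
        "severity": severity(breach),
        "report_to_ico": report,
        "reasons": triggers or ["ordinary data, contained, no realistic risk of harm"],
        # Deadline is computed either way: a record-only decision should be
        # made and written down well inside the same window.
        "deadline": breach.detected_at + NOTIFICATION_WINDOW,
        "action": ("report to ICO before the deadline" if report
                   else "record internally with the reasoning"),
    }


# Constructed scenarios based on the article's examples (timestamps invented).
DETECTED = datetime(2024, 3, 12, 9, 15, tzinfo=timezone.utc)

TIMETABLE = Breach("Year 9 timetable sent to wrong parent; deletion confirmed",
                   DataCategory.ORDINARY, vulnerable_individual=False,
                   people_affected=150, contained=True, detected_at=DETECTED)
PSYCH_REPORT = Breach("Educational psychologist's report emailed to wrong parent",
                      DataCategory.SPECIAL_CATEGORY, vulnerable_individual=True,
                      people_affected=1, contained=False, detected_at=DETECTED)
USB_ON_BUS = Breach("Unencrypted USB stick with exam results lost on the bus",
                    DataCategory.ORDINARY, vulnerable_individual=False,
                    people_affected=120, contained=False, detected_at=DETECTED)


if __name__ == "__main__":
    for breach in (TIMETABLE, PSYCH_REPORT, USB_ON_BUS):
        result = assess(breach)
        print(f"{result['severity']:6} report={result['report_to_ico']!s:5} "
              f"{result['description']}")
        print(f"       reasons: {'; '.join(result['reasons'])}")
        print(f"       action: {result['action']} "
              f"(deadline {result['deadline']:%Y-%m-%d %H:%M} UTC)")
```

The point of keeping the decision and its reasons together in one record is that a “record only” outcome is still a decision the school may later have to justify; the USB scenario also shows that ordinary data becomes reportable once exposure is no longer under the school’s control.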


When a breach happens in a school, the instinct is often to fix it quietly and move on. But the law, and more importantly the duty of care to pupils and families, means you can’t afford to guess.

Assess the nature of the data, the potential for harm, the scale of the exposure, and the likelihood that harm could occur. Then decide whether the ICO needs to know, and if you’re unsure, err on the side of caution.

Because at the heart of every spreadsheet, email, and USB stick is a child or family who trusts you to keep their information safe. And that trust is worth protecting above all else.