Best Practice Update

[Image: a small child with their hands over their face, with cartoon envelopes and letters passing by; text reads "School shares pupil data as part of an FOI response" and "Data Breach"; Data Protection Education logo.]

School shares sensitive pupil information as part of an FOI response

🚨  Pupils' sensitive data was shared 'by mistake' by Wellsway School in response to an FOI.  🚨
The data of hundreds of pupils was shared with two parents in response to a Freedom of Information request, when the couple requested information about the use of the school's withdrawal room.

An FOI is a request under the Freedom of Information Act, which allows any individual or organisation to ask a public authority for the recorded information it holds.  It does NOT involve sharing any personal data.

In this instance a spreadsheet was shared containing names, dates of birth, child protection orders and whether pupils are eligible for free school meals - data that is considered special category.  Special category data is considered sensitive and is covered by Article 9 of the UK GDPR. When processing special category data, you must always ensure that your processing is lawful, fair and transparent and complies with all the other principles and requirements of the UK GDPR.  Sharing special category data 'by accident' is considered a serious data breach, because this data requires extra care and specific conditions for processing under the UK GDPR and the Data Protection Act 2018.

The Wellsway School data breach was reported to the ICO 👉 BBC Report: Pupils' sensitive data shared by mistake
Knowledge Bank Support & Guidance
Our advice is:

💡 Keep data in the system where it was designed to be kept (data protection by design and default).  Removing lists and sensitive data from secure systems generally results in data breaches, because the copies fall outside that system's security controls.  It will also mean that the copies will likely not adhere to other UK GDPR principles, such as only keeping the data you need for as long as you need it.
Information Security Best Practice
💡 Ensure all staff understand the difference between a Subject Access Request and a Freedom of Information Request - a SAR shares the personal data of the requestor, an FOI shares no personal data. Ensure staff know how these types of requests may be received and what to do if they receive one.
Subject Access Request Best Practice
Freedom of Information Best Practice

💡 Have your DPO check any responses to FOI requests that you send out!  Ensure they are reviewed - if you share a spreadsheet, for example, it may have data hidden in other worksheets.  Always get someone to check what you are sending out.
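One way to automate part of the spreadsheet check described above, as an added example that is not code from the original post or from Data Protection Education: a stdlib-only Python script that opens an .xlsx file and lists every worksheet the file actually contains, including sheets marked hidden or veryHidden, and refuses release when any hidden sheet or more than one sheet is present. The sample workbook, its sheet names and the one-sheet release policy are assumptions constructed for the demonstration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespace of the SpreadsheetML workbook part inside an .xlsx container.
SML_NS = {"m": "http://schemas.openxmlformats.org/spreadsheetml/2006/main"}

# Sheet "state" values written by spreadsheet software; anything other than
# "visible" is not shown in the sheet tabs but is still inside the file.
HIDDEN_STATES = {"hidden", "veryHidden"}


def build_sample_xlsx(sheets):
    """Construct a minimal .xlsx container holding only xl/workbook.xml.

    `sheets` is a list of (name, state) pairs; state None means visible.
    This is a constructed sample for the demonstration, not a real school
    file, and it omits the other parts a full workbook carries (styles,
    relationships, sheet data) because the check below reads only the
    workbook part.
    """
    entries = []
    for i, (name, state) in enumerate(sheets, start=1):
        state_attr = f' state="{state}"' if state else ""
        entries.append(f'<sheet name="{name}" sheetId="{i}"{state_attr} r:id="rId{i}"/>')
    workbook_xml = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" '
        'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
        "<sheets>" + "".join(entries) + "</sheets></workbook>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("xl/workbook.xml", workbook_xml)
    return buf.getvalue()


def list_worksheets(xlsx_bytes):
    """Return [(sheet_name, state)] for every worksheet declared in the
    workbook, including ones the spreadsheet UI would not show."""
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        root = ET.fromstring(zf.read("xl/workbook.xml"))
    return [
        (sheet.get("name"), sheet.get("state", "visible"))
        for sheet in root.findall("m:sheets/m:sheet", SML_NS)
    ]


def release_check(xlsx_bytes):
    """Pre-release check for a spreadsheet attached to an FOI response.

    Policy (an assumption for this example): the file must contain exactly
    one worksheet and no hidden worksheets; otherwise it goes back for review.
    """
    sheets = list_worksheets(xlsx_bytes)
    hidden = [name for name, state in sheets if state in HIDDEN_STATES]
    visible = [name for name, state in sheets if state not in HIDDEN_STATES]
    findings = []
    if hidden:
        findings.append("hidden worksheet(s) present: " + ", ".join(hidden))
    if len(visible) > 1:
        findings.append("more than one visible worksheet: " + ", ".join(visible))
    return {"ok": not findings, "hidden": hidden, "visible": visible, "findings": findings}


if __name__ == "__main__":
    # Constructed sample: one sheet the sender meant to share, two they did not.
    sample = build_sample_xlsx([
        ("Withdrawal room log", None),
        ("Pupil details", "hidden"),
        ("FSM eligibility", "veryHidden"),
    ])
    for finding in release_check(sample)["findings"]:
        print("DO NOT SEND:", finding)
```

The script only inspects the list of worksheets. It says nothing about hidden columns, filtered rows, cell comments or the contents of the visible sheet itself, so it complements, rather than replaces, the human review the post calls for.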

💡 Should a data breach occur because someone sends out the wrong information - act immediately!  Contact your DPO for further advice.

Data Breach Best Practice

💡 Train staff regularly about how to keep all data safe and to understand what extra security is needed for special category data.  Those who handle large volumes of special category data should have extra training.
Data Protection Training Courses

Does your organisation follow best practice for keeping data in its original system?

Great, it sounds as though your organisation understands the importance of keeping data safe and secure by keeping it in its original system.

For further help and guidance, and access to the full checklist, please contact us.

As a controller you are responsible for keeping safe any personal data you have collected. Understanding data duplication and data security can prevent data breaches and protect your data.

Harry the Hacker loves to take data that isn't protected!

[Image: clipart cartoon wearing headphones.] Please contact us for more help and advice about data protection compliance and cyber security standards, including the full checklist and best practice.

Try asking the data protection lead in your organisation or the SLT digital lead, or contact your DPO:

We can provide help and guidance with data protection compliance, cyber security standards and records management, including the full checklist and best practice.