
Data Breach: School sends out names and contact details in a spreadsheet.
Parents at a school in Birmingham are concerned that the school accidentally shared a spreadsheet containing the names of students in Year 7 to Year 11 and parental contact details.
The spreadsheet, sent as part of a communication about flu vaccinations, included the students' sex, dates of birth and parents' contact numbers.
Since realising what had happened, the school has sent text messages apologising for the breach.
The school has tried to contain the breach and has also contacted its MIS provider to ensure the message has been removed. It is attempting to recall the message that was sent via email.
This type of breach is one that Data Protection Education often sees. It happens when data is downloaded from the MIS and usually kept locally and unprotected on a school computer in the office.
While the school is doing the right thing in attempting to contain the breach, a subsequent review is often forgotten in the panic of the situation. We always advise:
- Training of the individual and other members of the team about storing and sharing personal data; ensure that they have recently completed their data protection training. Ensure the breach is logged with details about the individual, as often the same person repeats this kind of breach.
- Keeping data in the system that was designed for it. Often data is taken out for ease of use, which means many lists appear on the network drive and in email. This data is not covered by any data retention procedures and does not have the technical security that it would in the relevant system.
- Duplication of data means that there are many copies of the same list, which are impossible to keep accurate and up to date as required by data protection law. Additional files of the same data mean an increase in data for Subject Access Requests (SARs), where data is unnecessary and duplicated. This increases the workload, resource and cost required to complete a SAR.
- Retention - this kind of data isn't part of the retention schedule, which means the organisation is likely to be keeping data for longer than it should, contrary to data protection law.
- Review your procedures - are there any unnecessary steps or things that people are doing because 'it's always been done that way'? Often when processes move to the cloud, procedures are not revisited to see if they could be done another way. There may be extra steps that can be removed, saving time and valuable resources.
DPE Customers should review:
Records Management Best Practice
The incident was reported by Birmingham Live: Huge Birmingham school data breach after kids personal information leaked