We had an ‘incident’! OK, here’s the story …
In July we hold Meet the Teacher meetings for parents to meet the new staff team and hear about the next academic year. One of our staff was holding a class list with first names with some asterisked (although there was no key indicating what the symbol indicated). A parent managed to take a photo of it with their smartphone and then posted it on social media, a bit like when some photographers have managed to take sneaky photos of team lists being held by football managers. A parent then let us know this had happened so we needed to make a few decisions.
Was this a data breach? Yes.
Did we feel it was seriously compromising and reportable to the ISO? No.
What other action should we take if any? We decided to write a general letter to parents making them aware of the matter. The incident was also shared with the governing body.
Well, that was exciting! Because of GDPR at least we now have protocols for us to refer to when an incident like this occurs.