In June 8 2026, it was reported that a parent, in attempting to enrol their child at East Park Primary School in Hull, received a spreadsheet via an email attachment in response to her application. The spreadsheet contained personal details relating to other children which included admission considerations, special educational needs, details relating to some parents' relationship status as well as their names and other personal information.
"Delete this email immediately and do not open the spreadsheet" was the reply sent in a follow-up email.
Horizon Academy Trust, which operates the school, started an internal investigation to explore what led to this incident. The school reported this data breach to the ICO immediately and informed all the families who were impacted by this data breach.
It is important to keep in mind the data minimisation principle of the GDPR - not every member of staff, spreadsheet, or communication necessarily needs to contain directly identifiable information. As an example: had the admissions data been pseudonymised, replacing the names with reference numbers, the impact of an accidental disclosure could have been significantly reduced.
