14 October 2025

“What’s the Problem?”  Why Privacy Still Gets Dismissed

By Jess Pembroke, Director of Information Law Services

Recently, I came across a troubling post on social media. A parent was calling for support after discovering that their children, along with all other pupils from nursery age upwards, had been added to a social app by their Academy Trust. This app included discussion forums, direct messaging, and photos of the children. The parent had raised concerns with the school, only to be met with a dismissive response: “What’s the problem?”

This reaction struck a chord with me. As someone who advocates for a pro-privacy approach, I’ve often encountered pushback rooted in the notion of “If you’ve got nothing to hide, what’s the issue?” or “I’m fine with it, so why should anyone else care?”

I remember visiting a small gym once and being asked to scan my fingerprint if I became a member (for access). When I declined, the staff member looked genuinely baffled and said, “no one else had a problem with it”. The idea that someone might have concerns about handing over biometric data seemed completely foreign to them.

In my view, there are several interconnected issues here:

1. Privacy Is Still Seen as Someone Else’s Job

While areas like safeguarding and health and safety have made strides in encouraging personal accountability, data protection is still largely viewed as something for the IT department or the Data Protection Officer to worry about. This mindset limits people’s ability to identify privacy issues or leads to action only after incidents such as data breaches have occurred.

2. A Narrow Understanding of Data Protection

For many, data protection is synonymous with data breaches. The only time it hits the headlines is when there’s a cyberattack or a major leak. This limited view obscures the broader purpose of privacy and the wider principles of transparency, data minimisation and data rights (and more). Organisations need to make sure the wider elements of data protection are incorporated in training and awareness raising.

3. Organisational Blind Spots

Organisations often become so focused on their goals whether it’s boosting student engagement, streamlining communication, or showcasing innovation that they lose sight of the need to consider privacy. In the case of the Academy Trust, I’m sure the intention was positive. I personally think many of us can be too quick to sacrifice personal data, especially to technology service providers, in pursuit of efficiency or innovative service delivery.

4. Failure to Consult Service Users

Perhaps most concerning is the lack of consultation with those affected; the parent in question wasn’t alone, as they stated others had raised similar concerns.

A Data Protection Impact Assessment (DPIA), when done well, includes meaningful engagement with stakeholders. This Privacy by Design approach means identifying risks early and adapting accordingly, if consultation had taken place, the Trust might have realised the potential concerns and adjusted their approach. This would have saved them time dealing with parents, reputational damage and potential regulatory action (as the parents have stated they have engaged with the ICO, and potentially legal assistance).

I genuinely hope as a society we can move away from treating privacy as a niche concern and start embedding it into everyday decision-making, after all it is our personal data.

Interested in expanding your Data Protection knowledge? Enrol now on our Advanced Certificate in Data Protection dates in November or contact us about in-house training options.