Parents are calling for an investigation into a Norfolk school after an email containing confidential details of students' mental health was mistakenly sent to all pupils.

Wymondham High Academy has confirmed a staff member accidentally sent a message containing information about children who were referred to its wellbeing services with anxiety to the entire school.

Staff said they were looking into what had happened, but parents are calling for the school to refer itself to the Information Commissioner's Office, the organisation responsible for investigating data and privacy breaches.

The email contained the names of every pupil who had been referred for support with anxiety.

The message was intended for staff members. However, it instead landed in the mailboxes of the school's 1,500 pupils.

The school said it had since recalled the message and had contacted the families of the children affected by the breach to explain what had happened.

One parent, whose child was not listed, said: "A school's first priority is the safeguarding of the children in their loco parentis care, even before education.

"In these days of GDPR and with 21st century IT systems to prevent it, there is simply no excuse for a data breach.

"I hope the academy has referred itself both to the ICO and relevant safeguarding authorities."

Headteacher Jonathan Rockey said: "The senior leadership team within the academy is aware of the breach.

"This was an internal email sent by a member of staff to recipients within the academy community.

"However, the email should not have been distributed in the way that it was, nor should the information have been shared in this way."

Mr Rockey confirmed that the incident is being investigated as a data breach.

He added: "Our data protection officer is investigating the incident and is helping us determine the next steps.

"The academy has already contacted the parents and pupils directly impacted by this, as well as taking action to both recall and limit the distribution of the mail.

"The academy does not intend to make further comment at this point, as an investigation is currently under way."

A spokesman for the ICO said that as of Thursday, the incident had yet to be reported.

An ICO spokesperson said: “Organisations must notify the ICO within 72 hours of becoming aware of a personal data breach, unless it does not pose a risk to people’s rights and freedoms.

“If an organisation decides that a breach doesn’t need to be reported they should keep their own record of it, and be able to explain why it wasn’t reported if necessary.”