This makes me very uneasy too and as I parent I would be livid if I found out my child’s information was being shared in this way – as you say, it’s way more information than is needed at this stage (even if consent had been gained, it’s not appropriate timing to send across this level of information at the point of enquiring about referral). Was there any security such as password protection? The issue is that it is up to organisations to report their own data breaches; I think you have done the right thing in alerting the organisation. I guess your options are to either go higher up in the organisation to make then aware of their unsafe practices as you haven’t had a response, or call the ICO for their advice on what you can do.
But totally agree, not good practice!