Have they broken data protection laws?

16 replies

Zoflorabore · 06/01/2019 08:58

Hi all

I will try to be as concise as possible without leaving any information out.
This has been playing on my mind.

My mum has worked for a local council run facility for over 25 years. It's not my local one but all of the staff know each other as it's quite a small borough.

I took out a gym membership for my 15yr old ds at the beginning of last year for our local leisure centre.
There were problems from the start with the finance company taking the amount out on wrong dates, taking the wrong amount etc and towards the summer I got into a financial mess and missed a few payments so ds didn't go back from around September.
I made a few token payments to reduce the debt and it currently stands at just under £70.
I have bipolar and other MH issues and massively struggle handling financial affairs. I explained this to the finance company who then passed the debt back to my local centre who to be fair have been very nice about it and said I can pay it off and then ds can go back on a "pay monthly" plan.

My ex mil also works at my mum's centre and I had a phone call a few months ago from ds's dad asking why the gym membership was in arrears. He said that his mum had been at work and one of the bosses had pulled my mum up at work in the small reception office where they were both on shift and told her that I owed X amount. This happened several times over a few months.

I hadn't spoken to my mum for a few months and recently made contact with her and she told me the same. She told the manager that it was nothing to do with her, rightly so and that I'm a 40 something year old woman.

I feel that my finances shouldn't have been discussed to my mum and with ex mil in the same room even though I have a good relationship with her too, isn't it a breach of the new data protection laws?

I obviously don't want to make things difficult for my mum or ex mil but I am annoyed that this has happened.
Any thoughts as to what I should do please?
Thanks if you've got this far. I also have severe anxiety and OCD and am wondering if I'm making too much of it in my head.

madroid · 06/01/2019 09:08

Wow! You have every right to object to the details of your financial affairs being disclosed and discussed with a third party.

It's a breach of data protection and GDPR and very serious indeed. The Council will have strict rules and policies which have been ignored in this case.

Do you have any records of what happened to provide evidence?

MeOldChina · 06/01/2019 09:10

Yes, they were wrong to speak about your account in this way and you should complain.

LIZS · 06/01/2019 09:10

When was a "few months ago" - GDPR came into effect at end of May. Would either of them have had access to the membership information in the course of their duties?

bastardkitty · 06/01/2019 09:13

I wouldn't get hung up on GDPR - it sounds like a data protection breach and you should complain about it anyway. Yes, it's serious and inappropriate.

FrangipaniBlue · 06/01/2019 09:17

While GDPR came into effect from May, prior to that they were still required to abide by the UK Data Protection Act.

By discussing your personal financial matters they have breached both, so it doesn't matter if it was before or after May 2018.

Formal complaint to the Council (they will have a designated person, previously their title will have been the Data Protection Officer or DPO, it could be the same or they may have changed it since GDPR came in) and also report the matter to the ICO (Information Commissioner's Office).

Local Government have always been shit at complying with the old DPA and I can't see them improving under GDPR so they need to be reported every time they breach the laws.

Zoflorabore · 06/01/2019 09:21

Thanks everyone for replying.
It was after May as I was up to date until then.

Yes they would both have had access to our account but not the same information as the finance person who deals with the membership. It would have only been basic information that both my mum and ex mil would know anyway such as date of birth, address etc.

madroid · 06/01/2019 09:22

GDPR was actually in effect two years prior to May 2018. It's just since that date prosecutions come under that rather than the Data Protection Act.

But any complaint or prosecution will rest on evidence so without that a complaint won't go far. With evidence it will be taken v seriously and prosecution can follow. Although the council will probably offer you an out of Court settlement before the case came to Court.

bellinisurge · 06/01/2019 09:26

It was not allowed under previous DP legislation. Nothing to do with GDPR timing.
Complain to ICO.

Zoflorabore · 06/01/2019 09:28

I'm not sure what evidence I would need, I don't have any I suppose other than my exdp, ex mil and my mum all knowing how much my arrears are.

I just don't want to cause trouble for my mum at work but even she agrees it's totally wrong.

WhatsUpHun · 06/01/2019 09:28

Would it be ok if your gym had a chat with me about your arrears? Or someone random off the street? No?

There's your answer, unless you have given specific permission - they are in breach.

HoraceCope · 06/01/2019 09:32

Did you join because your mum works for them? Was it a perk to her job? Was her job relevant at all?

Oliversmumsarmy · 06/01/2019 09:35

Whoever the boss was should never have discussed this with your mother let alone within earshot of others who were in the room.

Completely unacceptable

Zoflorabore · 06/01/2019 09:41

No there was no perk of the job, discount etc. The membership is open to anyone.

I need to speak to my mum today as I want to take it further.

umpteenpinecones · 06/01/2019 09:54

Yes, that is definitely a breach of data protection law.

Whilst staff working in the office would have necessarily known the details of the debt, they should not have disclosed that information to a third party.

bastardkitty · 06/01/2019 10:12

It's possible that they would never have known this information unless they randomly happened to deal with it. In any case, the organisation needs to know that this numpty is behaving in this way because the maximum fine for breach of GDPR is £20m now and they would be very lucky to get away with a low level breach before it escalated into something critical and attracted a huge fine. I don't mean to be dismissive of your situation OP. It should not have happened. But you will be doing them a favour if you alert them to the situation by reporting it.

WellThisIsShit · 06/01/2019 10:42

That doesn’t sound right.

What would you like to do about it? Would you like to report it?

I think I would if I was in your position, although it would very much depend how resilient I was feeling at the time.
