
Please read if you use Facebook

298 replies

RoloAddict · 20/02/2018 23:56

So this week we had a new IT manager start in our department at work. Met him for the first time yesterday. Today was called into a meeting with him along with other staff. He then proceeded to reveal that he'd taken a look at each of our Facebook profiles the previous evening. What he revealed about mine was shocking. By using my Facebook profile and nothing else but good old Google (he proved this by showing us how he did it) he had managed to find out:

My full address including house number!
My DH's full name
My maiden name
Our wedding date
My DDs' names, dates of birth and the sports club they attend.
My stepdaughter's name and the school she attended
That I have a stepson.

Needless to say I was horrified. This man was a virtual stranger. We had no mutual friends and I'd never met him until yesterday. I've obviously changed my privacy settings entirely since then. Before I just assumed they were set so that only friends could view them. Can I PLEASE remind and encourage all of you (plus family and friends) to check your settings thoroughly. We were lucky this time that the person in question didn't mean us harm but it's been a huge wake up call.

C8H10N4O2 · 22/02/2018 23:30

The 'IT Manager' was not doing his job well.

You don't know what his job is or what the employee contracts say. OP stated that the public data (so implied consent for him to see, and of course it's not May yet) was handed over to them privately in an envelope as an educational exercise.

Even in May, the company will only need consent if they keep a copy of it. There is no suggestion here that the data was retained.

So suggestions that he would be on a formal warning are rather jumping the gun here. He could well have been conducting actions in line with company policy.

C8H10N4O2 · 22/02/2018 23:33

The Company has now collected that data and could, until proven otherwise, still be holding electronic copies of it somewhere

There is no suggestion that this has happened. However as I'm sure you know the act applies to data, not just electronic data.

As I'm sure you also know, if the OP cared they could raise a SAR and confirm that the data has not been retained.

cherish123 · 22/02/2018 23:37

It is quite shocking that you can find this out from facebook. However, I am unsure why your colleague was doing this. This is really none of their business. Presumably, it is not in their job description to act as a carer or adviser to you.

XmasInTintagel · 22/02/2018 23:51

This is really none of their business.

Companies need staff to be technically aware enough not to damage company IT through ignorance (e.g. responding to phishing attacks, or installing bits of software which contain viruses), and to be conscious of what information they are sharing, to not give away any confidential company info.
Lots of people have their social media open on work machines, and their general level of awareness of what they're sharing online is a good indicator of how reliably they are able to manage those things.
Acquiring a set of information which is public already is not exactly intruding, and if it seems he found out too much, that is exactly the point the company was trying to make.
He was trying to help staff understand their obligations to protect company assets as well as their own information.

It makes no sense to be indignant and affronted that someone found information the OP had openly available.

Mrsramsayscat · 23/02/2018 00:00

Well, that was interesting. I just searched for myself on Facebook and found hundreds of profiles, mainly in America, with my exact name, and they were all about 20. Last time I looked there were three.

Scabbersley · 23/02/2018 00:01

Lots of people have their social media open on work machines, and their general level of awareness of what they're sharing online is a good indicator of how reliably they are able to manage those things.

This is bollocks. No company would ask an IT person to ensure their staff can use their personal Facebook account appropriately while at work.

I asked my union representative about this today. She agreed that no company should have any influence over how their staff use their personal social media accounts unless they are being used for workplace bullying or during working hours.

EBearhug · 23/02/2018 00:48

no company should have any influence over how their staff use their personal social media accounts

Web mail and most social media is blocked at work, except for the PR team who manages the company's social media presence. They come down hard on anyone who badmouths the company if they find out about it, and if your post is public, they'll find out about it.

ivykaty44 · 23/02/2018 07:34

Heresay, You don’t prove you don’t have information about someone, if someone puts in a request you provide the information you do have about that person.

herethereandeverywhere · 23/02/2018 07:41

C8H OP didn't mention being asked for consent. And the wider picture is the processes and policies that should be in place for the collection and retention of employee data - this should not be ok by Company standards given impending GDPR. The data the IT manager collated on behalf of the company will be somewhere.

As a company, collation of personal data to indirectly educate about company IT policy makes no sense. It's an easy compliance win to just not do it. If the only thing they can rely on is implied consent as it was public already it is weak ground given the underlying intentions of GDPR. I don't know any corporate that would use such a training method, it's unnecessary and risky (and could well upset certain members of staff, over and above compliance issues).

Rabblemum · 23/02/2018 08:22

There are no pictures of me, I never mention my kids’ names and I never tell anyone where I’m going, I post pictures when I come back. My son only uses it to DM mates so he can talk to them for free. Be careful out there, saying stuff on Facebook is like shouting stuff in the street. Look into settings to make Facebook more private.

C8H10N4O2 · 23/02/2018 08:55

OP didn't mention being asked for consent

She didn't mention it being retained either.

The exercise she describes is a common educational activity in companies (including those few I know which are already GDPR compliant) as part of wider education on security and in particular social attacks.

If the data used is not retained and is public when collected (assuming no huge time gap between collection and education) they will not be in breach in May either.

As a company, collation of personal data to indirectly educate about company IT policy makes no sense

Oh but it does - because it works more effectively than a million lectures on security in this space. Everybody thinks they are ok, that breaches can't happen to them. Just look at the posts on this thread! The justification here is security education, there are few companies who don't include compliance with security education as part of the overall contract.

You simply need not to retain the data. It would be sensible to do what the manager here did and keep the data private to the individuals (even though they haven't) but it's not illegal and won't be in May.

C8H10N4O2 · 23/02/2018 09:03

She agreed that no company should have any influence over how their staff use their personal social media accounts

This is a different question. Many companies block access to social media from corporate devices. Many companies will also take action if you bring them into disrepute and that includes via social media. In that sense they can and do influence use.

However the main area of risk with social media for companies is unintentional oversharing and sharing via social grooming. Educating on that issue is common sense.

Dungeondragon15 · 23/02/2018 09:35

I can't see that argument at all. Surely people are less likely to pay a fee or search if they are after the information in order to create identity fraud? Why should it be "more" freely available?

The companies that put the information do charge for most of it. You can even pay to see who is searching for information on you! That is how they are making money. The "freely available" information e.g. information on directors is provided by gov.uk.

This information has always been easy to obtain but many people just didn't realise it. I remember being shocked in the 1990s to find my name and address was published in a book that was available in every town library (due to my profession). It makes a bit of a mockery out of the IT manager's demonstration though and makes me wonder if he was aware of what is and isn't online without the use of facebook and other social media.

C8H10N4O2 · 23/02/2018 09:44

It makes a bit of a mockery out of the IT manager's demonstration though

I don't think so. I agree that people are generally how much is public via electoral registers, companies, professional registrations etc.

However the highest area of security and reputational risk for most companies is the additional voluntary information people share on line. In particular where they share without realising how far that sharing goes (often via closed groups or friends with poor security settings).

C8H10N4O2 · 23/02/2018 09:50

generally unaware that should be - oh for an edit button

Hillarious · 23/02/2018 09:54

The mention of GDPR is just clouding the issue. The IT manager did a very effective job in alerting people to their own naivety. More so than a glib Powerpoint slide show of examples of how a fictitious person might be exposing their personal details online.

The IT manager was just scratching the surface and doing nothing illegal in researching the information. GDPR doesn't protect your personal data if you don't do anything to protect it yourself.

In a job in a previous life (too long ago now) we had reason to employ private investigators. The data they were able to unearth on our employees via their own contacts, through what by today's standards would certainly be illicit means, was gob-smacking. Nowadays they wouldn't need to resort to many of those illicit means as too many people just put that information out there in their online profiles.

Scabbersley · 23/02/2018 09:58

"My full address including house number!
My DH's full name
My maiden name
Our wedding date
My DDs' names, dates of birth and the sports club they attend.
My stepdaughter's name and the school she attended
That I have a stepson"

Hopefully any company worth its salt would know most of this information about their employees anyway. I know absolutely everything about Julie (not her real name) in my office without having to bother searching through Facebook.

C8H10N4O2 · 23/02/2018 10:01

Hopefully any company worth its salt would know most of this information about their employees anyway.

Your children's sports clubs?? Gosh they are interested.

The point of the exercise was not to show that the company could find this information but that absolutely anyone could find this information and a great deal more.

C8H10N4O2 · 23/02/2018 10:02

The IT manager did a very effective job in alerting people to their own naivety. More so than a glib Powerpoint slide show of examples of how a fictitious person might be exposing their personal details online.

^^This.

fantasmasgoria1 · 23/02/2018 10:03

My Facebook security settings are locked right down. Some people don’t bother and their lives are there for all to see! Even my fb friends can only see a small portion of my stuff!

Cel982 · 23/02/2018 10:10

What he did may be legal but it was also rude, invasive and borderline harassment. I can’t believe that this falls within his job description. It would be different if he had asked your permission first, but he didn’t. I would have complained about this, in your shoes. (But my FB account is private, anyway.)

Hillarious · 23/02/2018 10:19

What he did may be legal but it was also rude, invasive and borderline harassment. I can’t believe that this falls within his job description.

I do believe that alerting staff to the dangers of inadvertently exposing personal details online is part of his job description, and if not in his job description, then more a moral obligation given his expertise.

PootlesLovelyHat · 23/02/2018 10:27

There's loads of ways to find out things about people other than FB. Part of my job involves googling some detective work on people's background, nothing sinister but it's surprising what you can find out about people. Unfortunately all social media is banned at work otherwise I'm sure I'd find out a huge amount more.

At my DS's or maybe it was DD's school, as part of a lesson they tried to find out as much as they could about their parents' online presence. My FB is locked down as much as possible so my DS was pretty disappointed. There is a way to turn off possible searches of your FB profile to all search engines which is presumably why he found nothing.

I do occasionally google my name to see what I can find and nothing ever really comes up. I must lead a very boring life.

C8H10N4O2 · 23/02/2018 10:28

What he did may be legal but it was also rude, invasive and borderline harassment.

No it really wasn't. If you put a load of information about yourself on public social media you really cannot complain if people read it.

If he had wanted to harass rather than educate he would have found more embarrassing items and made a public announcement of them.

AethelflaedofMercia · 23/02/2018 10:32

It's not just fb. There used to be a MNetter who could discover people's real life names and addresses just by putting together the snippets of information they posted here. And unlike fb, MN has no privacy settings. Anything posted here is public for anyone to read.

The MNetter in question offered to do this as a demonstration and some posters volunteered to be the subjects. They confirmed that she (I'm assuming it was a she) had told them by pm what she had discovered.

And people post here not just details about their own lives, but their children, their children's friends, their husbands/partners, their mothers and mothers in law, their sisters, their friends, their neighbours, their co-workers.... all without permission. If you can be identified, then everyone you post about can be identified, through you.
