
Deliberate data protection breach

53 replies

Workissueshelp · 30/01/2019 21:59

Posting for traffic.

In a nutshell, DH’s manager at work has emailed another member of staff a letter that was sent to dh about an up and coming disciplinary matter. The email joked “I thought you’d enjoy this as you don’t get on” then it said make sure you delete this message.

This letter had our address on, not to mention the fact that dh was having a disciplinary action taken against him. (Off for work related stress)

Dh will not work for them anymore and will resign shortly. Horrible company who have made DH’s life a misery after going over on a TUPE.

We only found this out after requesting a subject access request.

Do you think if we report this, they will treat the data protection seriously?

Workissueshelp · 31/01/2019 18:47

He’s so depressed at the moment, he just wants it to end. I am sure as the fog starts to clear, he will make the right decision.

PlainVanilla · 31/01/2019 18:51

Please explain how you think this has breached GDPR.

WetWipesGoInTheBin · 31/01/2019 18:55

Phone instead of emailing the ICO. They will be helpful and you may be able to use their ruling if you take it further.

If your husband gets paid sick leave he should take some of it plus go and get legal advice from a solicitor before resigning.

Workissueshelp · 31/01/2019 19:32

I think it’s breached GDPR as my husband did not consent to them giving out his address and details about his up and coming disciplinary action.

Workissueshelp · 31/01/2019 20:33

Yes Patti, that is what we’re concerned about. There are so many gaps in the paperwork we have received.

Faithless12 · 31/01/2019 20:44

@Workissueshelp that’s not how GDPR works. That’s not a breach. Your dh doesn’t have to consent for information to be shared within the company.

Maybe83 · 31/01/2019 20:51

No, but there has to be a valid reason for sharing someone's data and you have to have procedures in place to protect against unauthorised and excess sharing of data.

I would be very surprised if that didn't breach GDPR.

Maybe83 · 31/01/2019 21:07

Actually there is a current question as to if employers do need your consent, as one of the underpinning principles of the legislation is consent must be given freely, which a contract of employment can conflict with.

But that is separate. Your dh's employer is a data controller and has to have robust processes in place to prevent unauthorised and excessive access to employees' data by data processors, i.e. your dh's manager.

Your manager or hr can't just share your home address with joe blogg on the floor above you just so he can have a nosey!

Lovewineandchocs · 31/01/2019 22:36

No, but there has to be a valid reason for sharing someone's data and you have to have procedures in place to protect against unauthorised and excess sharing of data

Yes, there must be a lawful basis under Article 5 for sharing - there are 6 lawful bases, none of which would apply to this disclosure.

Lovewineandchocs · 31/01/2019 22:39

Sorry, Article 6!

Workissueshelp · 01/02/2019 05:49

The person that this was shared with had no business knowing. He is the same level as DH in a completely different department and site to dh now.

Shared around with HR and higher managers I get that, but not just to say ‘ha ha look at this’

ChakiraChakra · 01/02/2019 06:08

You're right that it's a data breach. There was no lawful basis for the sharing of that personal information as the person receiving did not need to know.

I'm guessing their HR dept are a bit shit?

Could be worth asking ACAS for advice. Is he in a union? And see if any of your insurance policies have free legal advice - I have one that doesn't mind what subject you call them about - it's repeatedly been worth its weight in gold.

PixiKitKat · 01/02/2019 06:24

Yes it's a data breach and where I work would be treated as a very serious one! Not only was it intentional but it also has caused harm to the data subject!
That person has absolutely no need to know that information about your husband and the person who shared it obviously knew it was wrong as they said to delete it.

I'd call back the ICO if the workplace haven't dealt with it. The ICO are swamped right now though so it could take months to get a conclusion.

planespotting · 01/02/2019 06:55

Is he Union??

Workissueshelp · 01/02/2019 12:27

Yes he’s in a union. He’s called and waiting for a call back.

Workissueshelp · 02/02/2019 10:07

The union finally got back to him and confirmed the seriousness of the breach.

We will be raising another grievance with the new evidence.

Also in the paperwork relating to the subject access request, we received a few emails being passed around where every time it relates to my DH’s being off, the sick is always typed as “sick.” Or sick!!!! To me this doubts they believe my dh is genuinely ill which upsets me so much because he has and is going through hell.

AngelinaNeurosurgeon · 02/02/2019 10:13

GDPR is new but data protection legislation has been in place since the 80’s and this is a clear breach. I’d report it to the employer (who will probably sweep it under the carpet), so you might also want to report it to the ICO (who also probably won’t do much but may remind the employer of its obligations to train its staff properly).

AngelinaNeurosurgeon · 02/02/2019 10:19

PlainVanilla Please explain how you think this has breached GDPR
Because it sounds like none of the lawful grounds for processing data in that particular way (i.e. passing data on to another person within the organisation simply for entertainment purposes) have been met.
Seems very clear to me.

AngelinaNeurosurgeon · 02/02/2019 10:20

Re consent - express consent by the data subject is one of the lawful grounds for processing data but by no means the only one, but none of those other grounds are likely to apply here either.

AngelinaNeurosurgeon · 02/02/2019 10:23

OP Sounds like what the subject access request has thrown up, as well as a cavalier approach to data privacy, is that your husband’s grievance and/or disciplinary procedure have been compromised/pre-determined. You need good legal advice from an employment lawyer.

CuriousaboutSamphire · 02/02/2019 10:28

Ooh! Your DH could have a bloody field day with that!

With just the bits you have shared here you have data protection issues, blatant unprofessionalism and workplace bullying, possible constructive dismissal, maybe discrimination (depending on your DH's reasons for being "sick"!!!! that could be more serious) for a start.

Union
ACAS
Letter to HR to state intent then
ICO
and back round all of them as the case continues!

That data breach is very real. Firstly the address and secondly the disciplinary action. Nothing a member of staff should have any access to without a very specific reason. "Shits and giggles" not being any kind of reason! It shows that at least one manager holds confidentiality and the law in total contempt. Let alone that he is obviously a bullying gobshite!

I hope your DH manages to pull it all together so he feels vindicated at the end of this. Good luck.

AngelinaNeurosurgeon · 02/02/2019 10:29

Faithless12 that’s not how GDPR works. That’s not a breach. Your dh doesn’t have to consent for information to be shared within the company.
You are correct that the data subject doesn’t have to consent in order for his data to be shared within an organisation but the organisation does still have to have at least one lawful ground for processing even within its own body of staff. Passing it on for entertainment/gossip doesn't count!

wierdwords · 02/02/2019 10:30

It's a breach, not because your dh didn't consent (consent not usually valid in a work context anyway) but because there was no need for the colleague to have the info so it was unfair and unlawful to share it (breach of first principle). This would have been a breach under DPA 1998 too, not just since 25 May. We've had the right to lawful and fair processing for over 20 years. Glad you've contacted ICO. You can still complain to them after his work's response.

Workissueshelp · 02/02/2019 16:07

Thank you everyone for your replies.

Workissueshelp · 02/02/2019 22:02

Dh is feeling more positive this evening (thanks to the power of mumsnet)

He knows what they did was horrendous, but a few posts have mentioned bullying and dh said he didn’t know any of these emails existed until we got the subject access request paperwork through, so is struggling to understand how it could be classed as bullying.

We’re both not thinking straight at the moment.
