AIBU to report to federation

[Vedaisawesome]

I am a member of the WI. Meetings have been held over Zoom since March. I do not attend these meetings and have notified the secretary of my reasons why, namely due to privacy and security in that they do not lockdown meetings and also open up meetings to non-members. I explained that due to privacy and security issues I would not participate in these meetings as Zoom was not a secure platform. This month I had to notify the secretary of a change of address due to moving house. This is information which should be held under gdpr and all details secured. I did so via email and after she enquired about where I moved to ( it's a weird move) I explained. To my utter horror I found out that this information which should have been confidential was relayed in the Zoom meeting and later repeated and elaborated on in WhatsApp. I have expressed my anger and unhappiness at this to the secretary only to be met with the response "it just came up" . After saying that this explanation wasn't acceptable and asking to know who divulged my private information and why, particularly as I'm not in the meetings and there is no need to mention anything about me at all, I am being ignored. This was on Thursday. Would I be unreasonable to take this up with the federation rep on Monday as I have no response to my very legitimate concerns about breaches of confidential information.

@blingblangbling

Its worth mentioning that email is not secure or end to end encrypted, so sending your details over email was probably worse than the other things...

Surely, OP would have sent the details in a self decrypting archive and arranged to supply the password via an entirely different channel, perhaps carrier pigeon.

[email protected]

Op this is the contact to make a complaint, I'm not sure how useful they'll be as their privacy policy isn't great and I'm not certain it covers branches, but it would be a start.

Only if the pigeon was fully security cleared and DBS checked finally!

Lakielady

"The WI is well known for being a hotbed of subversives and dissidents!"

You're so right ! - this did occur to me after I'd finished posting

Vedaiswesome
Even if the exact address had been given out on Whatsapp, you made a compliant on Thursday - organisations are permitted under GPDR time to respond. I feel that jumping to the next but one level of management after less than 48 working hours is being very unfair on people you are supposedly friendly with. As I said the secretary is probably mortified; she is permitted time to respond. Have you even thought that she might be considering her response to you?

I sincerely hope you don't live in a small town or smaller - because if you do, I think you will be shocked to know just how much your friends, neighbours and acquaintances know about your business. If you are so concerned about your security I would respectfully suggest you don't join groups such as the WI.

My comment about you using less confrontational language stands.

I have a lot of zoom meetings with various groups including work. Not once has an unauthorised person gatecrashed a meeting.

I really wouldn't think anyone in your group is interested in knowing where you live unless they want to avoid you, which given you are being completely over the top is a distinct possibility.

@Ravenclawgirl

I have a lot of zoom meetings with various groups including work. Not once has an unauthorised person gatecrashed a meeting.

I really wouldn't think anyone in your group is interested in knowing where you live unless they want to avoid you, which given you are being completely over the top is a distinct possibility.

Just because no one has gatecrashed your meeting doesn't mean that Zoom is a secure platform, there's no logic to that.

No one has ever cloned my debit card - does that mean it hasn't happened to other people or that it won't happen to me in the future? Does it mean I shouldn't be aware of the possibility and take precautions?

I don't get what point you're making

I would complain. The WI have to follow GDPR and have failed to do so. They need to follow the regs and ensure everyone's info is safeguarded. Complain to:

ico.org.uk/make-a-complaint/your-personal-information-concerns/

Sorry, I am unclear have you seen the whats app group messages? I would ask you see any message where you are mentioned first.
If it is a case of the secretary gave your full address then I would complain if you are unhappy. However if it is a case that someone else says oh I see Jane Doe's car on my street every morning and number 23 just sold, she must have bought it then you probably just ask them not to discuss your private business. (Probably cause them to discuss you more).

I think YABU and overreacting, and that’s even before you made a big hoo-hah about your move.

It’s the WI. It’s not some sort of secret government organisation.

What exactly are you worried about with unsecured zoom meetings with other WI meetings? Do you have topless meetings or discuss secret things?

If it's anything like ours it'll have been mentioned under correspondence. I.e. "constance has been in touch to say she's moving to Clwyd" someone else says "oh great, I live in Clwyd, I can give her a lift, whereabouts".

Tbh you don't sound like you actually like any of them or how they're run. Maybe find a different type of group. Or why not stand for committee? Haha, but no, don't do that. Please. We don't need the hassle.

I think you're all being very mean to the OP.

Zoom isn't secure. There's been many instances of that being proven. I use it because I'm not fussed about the information I share on it (quizzes with friends) being harvested for alternative purposes. The OP is and that's why we have laws around personal data.

However, if I had shared my personal information via email for the purposes of administering my membership of a group I absolutely would not want that information shared in a non secure way, with people I don't know, for purposes which are way beyond what I shared the information for.

This is a clear case of breaching GDPR and yes OP you should report it to the federation as your first line of complaint hasn't been taken seriously.

I don’t understand why the address was repeated and elaborated on in the WhatsApp group? What was the context?

I'm not sure it is a clear case of breaching gdpr it really depends on exactly what was said in the meeting or on WhatsApp.

If they've shared the data appropriately within the organisation I don't see what your complaint would be?

I'm not sure what the concerns are of having none members on the zoom meetings? Anyone can be a visitor at a WI meeting and quite a few are also opened up to the whole community.

I'm on a WI committee and we take GDPR very seriously. I suspect because most of the committee is young enough to still be in employment and has knowledge of it through work.
However, we are all volunteers who give up our time. No payment, no perks, just hours spent organising things and doing paperwork. I say mention it to them that you're not happy but then cut them some slack. What is federation going to do anyhow? Fine them? Fire them? There certainly isn't anyone else lining up at ours to do all the donkey work.

The OP doesn't know if her complaint has been taken seriously or not. She made the complaint on Thursday and wants to report to the level up but one by Monday. They haven't had time to respond. Even if they had blatantly made a big announcement that she was moving, they still are permitted time to respond.

OP I suspect you're not a committee member for your local WI?

I have been on a committee for another volunteer-run organisation and in my experience, most members have no idea at all of the input that goes on behind the scenes so that you can have your weekly/fortnightly/monthly meetings. Many of these volunteers also have very full lives, possibly work, childcare, caring for relatives. Thinking of the traditional demographic of the WI I suspect many may have been shielding, and probably struggling practically and emotionally over the last few months.

I also understand the GDPR issue, having been on the shitty end of fraud myself.

But we are all working in whatever way in a new world, and adapting meetings online (again, the demographic of WI suggests a group of potential 'silver surfers, struggling with new technology, but I know that many folk have utterly embraced the new-fangled technology ).

If you consider this to be such a severe breach (I mean, it is a breach if your information was shared unnecessarily, but you haven't given any context for your rather extreme reaction) then why don't you volunteer to become the data protection officer on the committee? That way you can ensure all members and volunteers are aware of the GDPR responsibilities and implications.

Or you could just leave it to the obviously incompetent volunteers that don't care about data protection and shouldn't be trying to keep your WI afloat, providing support for all the members during what has been an unprecedented time

@DPotter

The OP doesn't know if her complaint has been taken seriously or not. She made the complaint on Thursday and wants to report to the level up but one by Monday. They haven't had time to respond. Even if they had blatantly made a big announcement that she was moving, they still are permitted time to respond.

Going on her posting style here they're probably still trying to get to the bottom of what she's trying to complain about.

@lifesalongsong my house is blocked on Google at my request, it's not just a random blocking or something that was there already. My old house was blocked too. Google will do this if you request it for valid reasons.

YABU

You sound seriously paranoid in general!

You have to give the organisation time to investigate and respond (two working days is not long enough!) to your complaint.

If actual address wasn’t disclosed then I’m not sure it’s even a GDPR breach since it’s not identifiable information.

You don’t sound like you actually like the WI or it’s members so maybe it’s not the club for you.

Why ask “if you are being unreasonable” if when people are stating that you are you argue back and say your not?

Are you just looking for an argument OP?

So all we have to do to find your address is go on googlemaps and look for a gap where a house should be - result.

If there is a reason for your hysterical reaction you may get a more positive response by saying so, no need to give details.

What does "blocking" out your house on google maps achieve? If someone knows you live at 33 The Avenue, they'll still know where that is because it's between 31 and 35! How very odd!

OP

I'd like to think an organisation the size of WI would have an Information Officer. I'd suggest you raise it with them first of all, because it sounds as if your local group could really use some guidance on GDPR obligations and a brush-up on good practice.

FWIW I don't think you're being in any way unreasonable. I'd be hopping mad if this happened in my line of work, but thankfully my place is good at keeping on top of these things. A much smaller org than WI, so easier to manage in many respects, but if tiny places can stay on top of their obligations then the WI really have no excuse. There are damned good reasons why my home address shouldn't be divulged to anyone without my consent, but regardless of your own circumstances, GDPR still applies. What's to stop this happening again to another member of your group, who might well have crucially important reasons for maintenance of data privacy?

Just because no one has gatecrashed your meeting doesn't mean that Zoom is a secure platform, there's no logic to that.

Zoom patched the exploit that anyone can gatecrash a meeting after spamming meeting id's

The host has to physically allow someone to join the meeting now, and as others have said, if the OP is that concerned about GDPR I hope she didn't send it using a free email address.