AIBU to be hacked off that a colleague inadvertently shared my salary with whole team

[YorkshireTrailRunner]

A Return on Investment report regarding my role and impact, a request to every member of the Core Team by an external stakeholder colleague, has been shared throughout the whole team (22 people) as an example of good practise. However, in doing so, my salary has also been shared. Am I being unreasonable to be a bit hacked off, or am I being precious?

You have no idea why the personal data was shared - what the purpose of doing so was and therefore if a lawful condition of processing exists. You would need that detail before determining whether or not a breach has occurred,

In any event, given the salary for the post is public information, and the OP is annoyed about the ROI more than her salary details - I'd venture it's not GDPR that is concerned at all. The ROI is business information not the OP's personal data and, in the public sector, is highly likely to be disclosable under FOI legislation.

How do you know that they “inadvertently” shared?
Ie have they actually said “whoops”

Salary is not personal data

Job adverts? Often explicitly state role and salary!

How could you possibly evaluate someone's return on investment without discussing their salary? It's kind of a basic part of the equation...

@implantreplace

Salary is not personal data

Job adverts? Often explicitly state role and salary!

Not quite - the salary / salary range for a post is not personal data, but the actual salary an individual is paid is their personal data.

Any information which is about a person, and from which that person can be identified, is their personal data.

I don’t think you should email all 22 people. You should speak to yout manager and hr though about the breach of confidentiality.

Quite simply

Tax payers money
Public sector role
Not personal data

Internally circulated for a specified reason.

Added to which, I don’t think it was “inadvertent”. Unless the OP says they have admitted wrong.

* A Return on Investment report regarding my role and impact,*

Rather then what you’re worried about
I’d be more worried about fact that this report had even been conducted and the potential consequences

I would be annoyed if my salary was shared but it sounds like it was a genuine mistake (and everyone makes mistakes from time to time). I bet the person who did it has probably realised by now and is feeling pretty mortified. You could speak to them tomorrow and ask them if they realised they shared this information when they shouldn’t have. If you report them it will sour relations between you and this person for good and it could cost them their job. Life is too short when you consider everything else that’s going on at the moment.

@BlankaBanka

Everyone saying GDPR breach, can you tell me which part of GDPR you think it has broken?

I agree, amazing how many times this is incorrectly mentioned on MN.

Salary absolutely is Personal Data under GDPR (and more importantly the amended 2018 Act which is the relevant law post Brexit).

Just because information is in the public domain doesn’t preclude it from being PI, unless it was the OP who made it manifestly public, which given her irritation we can assume she did not.

@camdenish

If earnings are kept secret, how can people know they are paid fairly?

Exactly. There should be transparency. In a previous job, I found out I was paid significantly less than a male coworker for the same responsibilities. We had the same educational level. I demanded to speak to the manager right away, and they matched the salary from the next month because they knew they were taking the piss and didn't want me to escalate. But if the coworker hadn't wanted to gloat, I wouldn't have ever known. Their argument: we don't discuss personal salaries.

Everyone saying GDPR breach, can you tell me which part of GDPR you think it has broken?

On the basis of what the OP has stated it’s a breach of Article 6 which allows for the processing of personal data only if a condition a-f apply.

the team is made up of people with very select skill sets and varying experiences, all working on a shared long-term project but with varying degrees of responsibility and remit, so personal earning is a complete unknown and revelation has the potential to cause acrimony and resentment, which would be a shame in a project delivered to support tens of thousands of people.

Bollocks. If the differences in salary genuinely represent real differences in responsibility and remit, there shouldn't be a big issue as whatever you earn should be easily justified. Salary secrecy basically only benefits people who've negotiated themselves higher pay than peers, I know, at one time I benefitted myself. I now choose to be open about my earnings having realised not being so tended to disadvantage my ethnic minority & female colleagues (I'm female myself but white).

@PegasusReturns

Everyone saying GDPR breach, can you tell me which part of GDPR you think it has broken?

On the basis of what the OP has stated it’s a breach of Article 6 which allows for the processing of personal data only if a condition a-f apply.

You can't possibly reach that conclusion on the basis of the information available.

I can easily think of grounds of which condition 6(1)(f) would be applied to the sharing of personal data within internal reports for reasons of sharing good practice within a team.

@implantreplace

* The OP's personal data was shared without her consent or without a lawful reason (legal obligation or vital interest). My understanding is that constitutes a breach.*

The salary for her role was shared
She occupies that role

There is no breach

One’s salary is not “protected” information. Not in private sector and sure as heck not in public

The OP is the only person doing that role. If there were lots of people doing the role I would agree with you.

@camdenish

If earnings are kept secret, how can people know they are paid fairly?

Exactly. Other countries are much more sensible about this, although it still doesn't necessarily mean their gender and racial pay gaps are better than ours...

As for GDPR - report away. The ICO won't care, they don't deal with one-off incidents like this.

Return on Investment report regarding my role and impact

The fact that the external stakeholder has asked for this report already indicates people are questioning the amount you are being paid. I can imagine why you are mortified, I'm guessing you've negotiated yourself top whack and know full well others doing comparable if not identical roles will feel the gap between their and your pay isnt justified.

@grapewines

Something similar happened to me when I had a part time job as a teenager. A new starter was paid more than me for the same job, when I'd been doing it for over a year. It was a mistake and the company had to give me a backdated pay rise. For this reason, I don't think that it's right to keep salaries hidden. They should always be transparent and justified.

Why on earth would you be so upset about people knowing your salary unless there's something to hide?

@camdenish

If earnings are kept secret, how can people know they are paid fairly?

Doing the same job doesn't automatically mean you should be paid the same. Doing the same job to the same standard does.

I recently moved to the public sector - it is a shock to find out that others know what you are paid..

There is a dead hand of bureaucracy that means no-one can ever make decent jumps in pay, I think.

There seems to be an expectation on changing jobs between employers that you have to disclose what you previously earned, and then are 'allowed' a small incremental change.

How is anyone going to make decent (and I mean many K) improvements between jobs under this arrangement?

@JustAnotherSod on the basis of the circulation to peers as an “example” rather than senior leaders as a decision making tool, combined with OPs shock at the disclosure, it seems unlikely there was a legitimate interest in sharing the data, but of course it is possible.

Legit Interests is extraordinarily subjective but if they were relying on 6(1)(f) I would expect to see and LIA and for her employers to have the courtesy of forewarning her. The fact they did not do the latter, suggest they did not do the former which would again point towards a breach.

But the OP is not so worried about the privacy elements so I guess it’s moot.

@YorkshireTrailRunner

Further to clarify, I have no intention of making this a GDPR data breach and certainly not suing anyone, I simply wanted some input as to whether or not I was over-reacting before emailing the project lead to suggest a change of policy where, should potentially sensitive data be shared, the individual(s) concerned be consulted prior to publishing

You are being really reasonable about it. You absolutely should email the project lead. Even if it just stops it happening to anyone else.

[quote PegasusReturns]@JustAnotherSod on the basis of the circulation to peers as an “example” rather than senior leaders as a decision making tool, combined with OPs shock at the disclosure, it seems unlikely there was a legitimate interest in sharing the data, but of course it is possible.

Legit Interests is extraordinarily subjective but if they were relying on 6(1)(f) I would expect to see and LIA and for her employers to have the courtesy of forewarning her. The fact they did not do the latter, suggest they did not do the former which would again point towards a breach.

But the OP is not so worried about the privacy elements so I guess it’s moot.[/quote]
I absolutely agree that, if indeed they were replying on 6(1)(f) that there would be a LIA - all I was doing was highlighting to the thread that nobody has enough information on here to determine if a personal data breach has occurred.

Indeed it is moot though for the OP - its just frustrating to see yet another thread where the reality of data protection law is hugely misrepresented!