AIBU?

Share your dilemmas and get honest opinions from other Mumsnetters.

Is This A Breach of GDPR?

43 replies

LetGoLetThem1234 · 02/03/2025 08:10

(General Data Protection Regulations: GDPR)

I joined a new small company recently.

During casual conversation one of my colleagues said they had seen my CV.

To be clear: they were NOT involved in any way in my recruitment.

They do not need to see my CV (or any other personal information e.g. proof of right to work in the UK, my NI number etc) in the course of their duties.

They have no payroll responsibilities.

However, I am aware they have access to the drive where confidential information is most likely to be kept.

I am unhappy that my personal information has not been kept safe, and that potentially other members of staff may also have had access to it.

My concerns are around identity fraud etc.

Is it unreasonable to expect that my personal information should only be used for the purpose it was given?

Is it unreasonable to expect access to personal information be restricted only to those who need that information to fulfil their work responsibilities?

YABU - You are wrong, this has not compromised data protection rules.

YANBU - You are correct, this looks like the rules regarding data protection have been ignored.

I will be writing to my manager about this.

I just want to be sure that I have understood GDPR before I do anything.

OP posts:
KnickerlessFlannel · 02/03/2025 08:17

Would they have been involved at any stage of the recruitment process? I'm often asked to step in to help screen CVs, shortlist candidates or interview when others are off sick, even if I'm not directly linked to the vacancy. Although I can't recall seeing any kind of information that would allow me to commit identity theft or fraud. What's on yours that would allow that?

Glittertwins · 02/03/2025 08:28

Same here, I've also reviewed CVs for potential team members although never been the hiring manager nor HR.

LetGoLetThem1234 · 02/03/2025 08:31

No, as I said above: they were not involved in any way with my recruitment.

Edit for typo

OP posts:
TaggieO · 02/03/2025 08:33

CVs aren’t confidential documents though. You send it out to loads of people. 90% of the info on it is publicly available on LinkedIn.

It’s perfectly normal practice if you are hiring to ask other colleagues’ thoughts on CVs. And you sent it to the company with the explicit purpose of them viewing it.

ProfessionalWhimsicalSkidaddler · 02/03/2025 08:35

It depends on the information on your cv. I think so if it includes your address and phone number.

ThesebeautifulthingsthatIvegot · 02/03/2025 08:36

If you believe this person has no reason to access the information, then this person has breached data protection rules by choosing to access sensitive information that they had no reason to. Whether the company has comes down to whether it is reasonable and proportionate that he has access to the part of their system for storing CVs.

Togglebullets · 02/03/2025 08:36

LetGoLetThem1234 · 02/03/2025 08:31

No, as I said above: they were not involved in any way with my recruitment.

Edit for typo

Edited

I don't understand how people can miss such a clear part of an op.

Anyway, is there any information available on your company intranet (if there is one) about how they handle data/information? They may even have a 'data champion' or equivalent that you could contact.

I'm no expert but it does sound wrong to me that it's accessible by anyone outside the recruitment process. That kind of information is sensitive so it should be handled accordingly.

ProfessionalWhimsicalSkidaddler · 02/03/2025 08:36

It's funny because I did start to write that I don't think so but at the end of the day, there is a lot of PII on a CV so I changed my mind as I typed.

SpunkyKoala · 02/03/2025 08:39

We are a small team and it’s important that new members are a good fit for all of us - therefore we review all cvs as a team to see who we feel would be a good fit for us as a unit

Pleasealexa · 02/03/2025 08:39

The business should have access restrictions on data. It could be the cv was stored incorrectly or that access is too broad.

Just raise it with your manager in a professional manner, i.e. concern about security as this could be a symptom of wider issues, such as not applying appropriate access controls on data.

I'm not sure what your CV said but generally this information can also be available on other sources such as LinkedIn. Perhaps you had email address and phone number but it's unlikely NI or RTW was there. If so it should only be in a folder accessible by very few staff.

Evaka · 02/03/2025 08:41

Just to clarify OP, do you know this from them or have you assumed that because they weren't on a panel etc?

Asking as I screened CVs last week for a role outside my team as a dig out. I'll likely never cross paths with the successful candidate but there was nothing improper in it.

Also, even if it's a bit dodge I would take a helpful tone if you decide to raise it with your manager.

InigoJollifant · 02/03/2025 08:42

Are you certain they weren’t involved in recruitment at all?

New recruits at my work wouldn’t necessarily realise that I receive all applications into a generic mailbox and upload them to a folder for the recruiting manager, and am sometimes asked to review applications and shortlist.

TaggieO · 02/03/2025 08:43

OP voluntarily sent the CV to the company for the purpose of them viewing it.

Whether the person works directly in recruitment is neither here nor there in terms of them having a reason to view it legitimately. Lots of people who aren’t involved might be asked for an opinion, and it’s not a GDPR breach to do so.

”Kate, we are hiring for Elsie’s maternity cover. You worked with her on the Hong Kong project. Which of these CVs do you think matches up best with her?”

”Fred, these are the candidates for the receptionist post. Your client Donald Trump is an evil bugger and comes to the office often. Do you want to have a look at the CVs and see if there are any you think might be able to withstand him best?”

If OP knew definitively that the colleague had sought out the CV for their own gratification then that’s different, but there’s no evidence of that based on the OP?

Amba1998 · 02/03/2025 08:46

I know you’ve said they weren’t involved but how do you categorically know? In our team a number of us review CVs to shortlist but might not then be the interviewers, so to the candidate we don’t look involved but in the background it has been a joint decision to shortlist.

Whyherewego · 02/03/2025 08:50

Agree with PP, you don't know that they were not involved at all in recruitment and also I've had scenarios where post recruitment I've sent a CV of a new joiner round to another manager "Joe Bloggs, CV attached, is joining the team next week" sort of thing.
CVs are very different to NI, RTW etc so if you've put that on your CV then that would be odd. If it's not on your CV, I'm not sure why you'd think they had access to it.
As an added, if there's a shared folder with lots of confidential info, I'd definitely raise with HR to say you may want to check who has access to this folder

LetGoLetThem1234 · 02/03/2025 08:50

@InigoJollifant Are you certain they weren’t involved in recruitment at all? Yes. Absolutely certain.

I will definitely take on a helpful tone - they have also been showing copies of passports to other staff members to laugh at...

OP posts:
Whyherewego · 02/03/2025 08:51

LetGoLetThem1234 · 02/03/2025 08:50

@InigoJollifant Are you certain they weren’t involved in recruitment at all? Yes. Absolutely certain.

I will definitely take on a helpful tone - they have also been showing copies of passports to other staff members to laugh at...

Well that changes things slightly. Yes this is definitely very unprofessional and a breach of GDPR.

Glittertwins · 02/03/2025 08:52

That tips the balance over!

ExtraOnions · 02/03/2025 08:54

What are you planning to do about it? Put in a complaint / grievance about a well established staff member, at the small firm you have just joined? Good luck passing that Probation

LetGoLetThem1234 · 02/03/2025 08:55

I just feel uncomfortable at how free and easy they are with information

OP posts:
LetGoLetThem1234 · 02/03/2025 08:57

Not planning on complaining but just bringing it to management's attention.

They provide no eGDPR training whatsoever. 🤷‍♀️

OP posts:
Needtosoundoffandbreathe · 02/03/2025 08:59

LetGoLetThem1234 · 02/03/2025 08:50

@InigoJollifant Are you certain they weren’t involved in recruitment at all? Yes. Absolutely certain.

I will definitely take on a helpful tone - they have also been showing copies of passports to other staff members to laugh at...

They are behaving inappropriately and may need training if they don't know/realise this is inappropriate. Speak to your manager. This is potentially gross misconduct depending on what the company policies state. If your manager dismisses your concerns then is there a whistle blowing policy?

Needtosoundoffandbreathe · 02/03/2025 09:00

Just seen your update OP. Then the company needs to quickly apprise itself of the law. Are they registered with the ICO?

LetGoLetThem1234 · 02/03/2025 09:02

Needtosoundoffandbreathe · 02/03/2025 09:00

Just seen your update OP. Then the company needs to quickly apprise itself of the law. Are they registered with the ICO?

I don't know.

OP posts:
Wheelz46 · 02/03/2025 09:02

If the employee categorically did not have anything to do with the recruitment process and has found your CV due to snooping then I would expect that to fall under gross misconduct.

It would absolutely be a breach of data, the majority of CVs will have name, address and DOB. All details which help a fraudster apply for credit.

The company should be securing sensitive data and they have massively breached this if that employee should not have access to it.

If it is found they have breached GDPR then they are legally obligated to notify the correct authorities, it also comes with a huge fine for such a breach.