
AIBU?


Gdpr breach at work?

187 replies

Ereerenownow · 08/03/2025 09:32

I've written on here a couple of times about issues at work but now a new problem has arisen, I think.
I am a private person and don't for example celebrate my birthday at work (though I obviously have a great time with friends and family).
Our office is big and busy and many people from different departments hot desk there. One young girl who uses our space has vague links to NHS via her community counselling work. She isn't employed by the NHS but has the logo on her lanyard as well as her charity's logo.
We are relatively friendly and have often chatted briefly in the kitchen while making a cuppa etc. One time she asked my age and birthday and I very politely said that I don't discuss those things at work. It was no big deal and we moved on to talk about other things.
Well this week she approached me with a wink and said, I know how old you are and you look great for your age and I'll give you a card on your birthday now.
I haven't told anyone else in the team my birthday and I don't believe myself and this lady have any friends in common...I am not on any social media.
I suspect she has access to at least some NHS files and databases and I'm worried that she has used her logins to access my records.
She's lovely but quite gossipy and I think she's capable of telling others in my team.
She also very vaguely alluded to a recent health issue I've had but didn't tell anyone about.
I admit given recent events at work, I'm slightly sensitive so I don't want to cause any problems if none exist.
Can I check to see if she's accessed my private NHS records? Am I just being paranoid?

Femb0t · 08/03/2025 10:08

Well surely your line manager knows when your birthday is as it'll be in your HR records.

Maybe she just asked and your line manager told her, not knowing you want it to be such a big secret...

voubledision · 08/03/2025 10:09

If and when she gives you a birthday card I would ask her outright how she knows, then explain to her that if she's broken GDPR rules she may face disciplinary action.

locket2009 · 08/03/2025 10:10

The

Darkclothes · 08/03/2025 10:12

Have you ever been registered with companies house? That has a DOB on it.
Electoral roll?

Googled your name and see what comes up?

skilpadde · 08/03/2025 10:12

Ereerenownow · 08/03/2025 09:54

Would they give her this info?

They wouldn’t share this info.

burnoutbabe · 08/03/2025 10:13

Darkclothes · 08/03/2025 10:12

Have you ever been registered with companies house? That has a DOB on it.
Electoral roll?

Googled your name and see what comes up?


Doesn't that just show month /year?

Penguinmouse · 08/03/2025 10:13

1. Doesn’t matter why you don’t want to tell people when your birthday is, that’s your personal information.
2. Her demeanour indicates that she got it by improper means. I would report to the DPO to investigate. Alternatively you can say to her - “I didn’t appreciate your comment about knowing my date of birth, I’d like to know how you found that out so I can make sure that information remains private” and see what she says.

To me it’s really obvious she’s looked you up which is an obvious data breach!

RunAwayTurnAwayRunAwayTurnAway · 08/03/2025 10:13

OP’s colleague sounds deranged.

DrunkPuppy · 08/03/2025 10:14

You're both weird. You're completely weird for making a point not to tell people how old you are, it's not really 'personal info' it's just normal office chit chat, and she's weird to be looking it up. Only her weirdness has potentially crossed a serious line though and you should report if you think she's been accessing your info that she shouldn't.

whatflite · 08/03/2025 10:15

Maybe she made a point to find out (who knows how) because you were so weird about it?

crocheteveryday · 08/03/2025 10:18

I'd ask her again. Give her a chance to explain. You are potentially making a very serious accusation so please be sure before you take this further. If she has looked up your information then that shouldn't be ignored.

IBSisBS · 08/03/2025 10:19

Ereerenownow · 08/03/2025 09:54

Would they give her this info?

They might, on our HR system where we book our holidays, it has a shared calendar and it has who is on leave, birthdays (not dob) and work anniversaries.

She could have said she was making a birthday calendar to celebrate her colleagues, and someone in HR has given her a list but included the year of birth not just the date and month.

Gwenhwyfar · 08/03/2025 10:19

skilpadde · 08/03/2025 10:12

They wouldn’t share this info.

Ha ha. My work sent around a list with everyone's DOBs on.
Not a huge deal as we often need each other's DOBs to arrange access to things anyway.

Gwenhwyfar · 08/03/2025 10:20

RunAwayTurnAwayRunAwayTurnAway · 08/03/2025 10:13

OP’s colleague sounds deranged.

OP's own attitude to her age is also a bit silly though.

ExtraOnions · 08/03/2025 10:21

Your year of birth is Public Record, so you can find this out on Ancestry, also tells you which part of the year you were born in (in monthly quarters).
Once you have that, you can do other searches, on Ancestry that can find you if you appear in any family trees (or other places) that may well have your D.O.B on.
It’s not an overly-difficult thing to find out, once you have someone’s name.
…. and just because you think you have a low online profile, don’t presume there is nothing.

TooBored1 · 08/03/2025 10:27

Do you have HR at work? I'd mention it to them, that you are uncomfortable with a colleague going out of their way to find personal information about you, especially when you clearly stated your boundary. That in itself is inappropriate.

They should ask her how she found out too.

CKN · 08/03/2025 10:30

Posters saying to report the issue - FFS why put someone’s career on the line if it resulted in a potential data breach. From the sound of it there was no malicious intent and she was probably just being friendly.

There was a (over a somewhat trivial issue) potential disciplinary issue where I work recently and my colleague took their own life.

I would be very cautious about reporting issues to management level to escalate when the issues can be resolved before it reaches that level.

LetMeGoogleThat · 08/03/2025 10:31

Surely, the most simple resolution is just to ask her. I doubt the ICO would be opening a complaint.

Hercisback1 · 08/03/2025 10:33

This is so bizarre.

HelpMeGetThrough · 08/03/2025 10:34

LetMeGoogleThat · 08/03/2025 10:31

Surely, the most simple resolution is just to ask her. I doubt the ICO would be opening a complaint.

They more than likely wouldn't, but if this person has used any company resource to dig for the information, that should be taken further.

LetMeGoogleThat · 08/03/2025 10:38

HelpMeGetThrough · 08/03/2025 10:34

They more than likely wouldn't, but if this person has used any company resource to dig for the information, that should be taken further.

Aye, but there is absolutely nothing to suggest that she has, unless as a counsellor she has the highest level of access to the NHS data systems....which I doubt. She more likely has a common acquaintance with the OP and had the OP just asked, she would also know by now. It's all just very overly dramatic...and I'm a DPO!

Wheelz46 · 08/03/2025 10:41

If she has accessed your records without reasoning then that right there is breach of confidential data.

In my line of work, anything we access on the system can be seen behind the scenes. If someone accessed a friend's details on the system and that friend got wind of it, the company would be able to check and the employee would be rightfully disciplined and likely sent on their way with their P45.

I would hope the NHS has something like this in place, especially given the sensitive nature of the records they hold.

DoorToNowhere · 08/03/2025 10:44

This sounds like a situation for people who enjoy a bit of drama. Absolute nonsense.

BaronessEllarawrosaurus · 08/03/2025 10:48

Just request an audit of who has accessed your records, having the d.o.b plus alluding to a recent medical issue makes it sound like she has. You don't need to name her because if she has accessed her name will flag itself up.

MaybeItWasMe · 08/03/2025 10:53

Agree with PPs - the whole situation is batshit!
