Is disclosure of full name a GDPR breach

[Hartleyhare1206]

Hi fellow mumsnetters

Would like to pick your brains if I may?

I work in a public facing organisation - think bank, leisure centre, shop etc

There are approx 15 members of staff with 4-6 staff members on the “shop floor” at any given point in time.

As is the case with most public facing jobs, we have multiple regular customers that we see anywhere from daily to monthly. Most of us have worked here for a decent length of time so know who the regulars are.

One regular customer in particular appears to have latched on to me with what seems like a grudge and regularly shouts to anyone who will listen that “some staff” are unhelpful. Fine. He is entitled to his own feelings towards me.

What doesn’t seem fine is that a colleague has given him my full name. Don’t know who - my attempts to find out have been met with red faces and silence - nothing I can do about that now anyway - but I’m not happy. Especially as several other customers were in ear shot - at best it makes me sounds like a bitch (which I’m genuinely not - my professional reputation between me, my colleagues, managers, the wider organisation and customers is honestly great!) At worst, it’s made me quite identifiable to other service users as I live in the same area that I work, and my address or personal social media etc could be found.

I don’t wear a name badge and no personal staff details are in print anywhere on our website or the shop floor so it really has to have been provided by a colleague.

Sorry for all the waffle - what I essentially want to know is whether I’m unreasonable for thinking my colleague has breached GDPR and whether it’s something I can legitimately raise with my manger/the wider organisation? Bonus points if anyone knows what outcome I could reasonable expect?

Thanks so much for your time and patience this far!

Name is one of the protected PII data types so technically yes, especially if it was full name. People can have name badges, but Bob is a lot less identifiable than Robert P Bultwood |||

Id be raising it to management. Not only for GDPR, but safety of women colleagues. If a stalker was to come in and ask if Samantha was working, are they trained to know not to share colleague data, times shift patterns etc?

its a concern

What the hell are you playing at? I'll see you in court!

My thoughts too.

Have raised it with my manager and specifically quoted the phrase “GDPR breach” and “personal safety”

Doesn’t appear to have landed well though and was Met with a sigh and an eye roll….

And yes, full name. Customer said “that bitch Hartley Hare with the short dark hair is vile and unhelpful”

Breaches of GDPR depend on the context of the processing of personal data. Is a name personal data? Yes. Can someone's name be shared in some circumstances? Yes. You're correct in pointing out name badges worn in some employment contexts - or you write a letter or an email to a member of the public and your name is on there, or a website may list staff, or you could be in a published policy as so-and-so responsible for XYZ. That's all an expected part of the employment.

There isn't a hard and fast rule of sharing the name of a colleague is always right or always wrong, it depends on the circumstances of that employment and your expectations. If there is a work policy of confidentiality, because you deal with dangerous people e.g. like prison officers not sharing personal details and addresses and things, then you expect your details not to be shared. Or e.g. in my employment, if someone asks how many times has Jane been subject to formal disciplinary action and I told them, that's personal data no one expects to be given to other people.

In a public-facing space, sometimes names are used between colleagues and the public overhear you, so it would be difficult to argue your name is a protected piece of information. And generally with our public-facing staff, if a member of the public asks for someone's full name we would share it for accountability. Because it's no good saying "Linda took my call and told me XYZ I wish to complain" if we don't know which Linda it was.

And just a by-the-by, even if you can argue that someone you work with has shared your full name with a customer and you think that was unreasonable, there isn't any "action" you can take for that sort of GDPR breach. You don't know who it was so can't get much from complaining to your employer, and it's not something the ICO can do anything about - for all you know it was someone acting in a personal capacity rather than a professional one, and the regulation of personal data processing is a professional thing it can't control what people say to other people in their own time. The most you can really push for is trying to get your employer to have a formal policy of some sort that no one can ever tell a customer a colleague's name? (just writing that down sounds a bit weird!)

There is a reason a lot of people in public-facing jobs don't use their real/full names on social media!

That’s a really helpful and measured reply, @givemushypeasachance. Thank you for taking the time to post 💕

No problem if you've got a shitty customer who is targeting you for harassment and being unpleasant with you when you're just trying to do your job, that's another issue entirely and one your employer should sort out - and I hope they do!

Side, side issue - a number of years ago the Downing Street correspondence team had a bunch of imaginary people working there. Letters would be signed by people using effectively "code names", so my name might be Michelle but all my correspondence would be signed as Dawn, and that was intended to protect the people working there from unreasonable folk who didn't like what they were being told in these letters, and basically security concerns. Maybe that could be brought back, have a work stage name!

https://www.bbc.co.uk/news/uk-politics-13364121

😆😆😆

@givemushypeasachance that’s interesting!

We are supposed to wear name badges with our first names on (I just don’t!). It is also made clear that we are not obliged to give out our surnames and nor should we give anyone else’s out either. Staff can be identified by first name and job title as there is a relatively small amount of us working overall and an even smaller amount of us per shift. So a customer saying they dealt with “Hartley” on Wednesday morning (for example) would be enough for me to be identified by my managers if needed. Equally I’m the only member of staff with my name/post and grade in the entire organisation, which is well known by colleagues (jokes that I’m unique and special, etc!) so it’s well known that my first name should suffice.
Equally, as we are predominantly a female team and as such mindful of safety - we had a female staff member stalked/followed around town, to the supermarket and then propositioned in a seriously explicit manner for example - that all of my colleagues really should know better.

Totally agree that senior management should take staff safety more seriously but they’re rather flippant - hence me hoping being able to cite a GDPR breach, and the weight that carries, would have more gravitas! That genuinely is my sole motivation here - I’m not trying to work out if it’s worthy of me going off sick on full pay, or suing them etc!

Where I live everyone would already know your first, middle and surname as well as that of your parents and grandparents 😆