AIBU to think writing confidential HR notes on a train is inappropriate?

[Elphabababa]

I am on a train in the UK.

Someone on the seat in front of me is writing up meeting notes from work. All clearly visible through the gaps between seats. I am slightly long sighted mind you.

I have seen that:

• She works in HR for company X
• The meeting was for an employee named Y (I can see his name and job title), following him raising a grievance about a GDPR breach of his data within work.
• Subsequent notes of the meeting about this grievance.

She's still typing her notes now.

AIBU for thinking that people should be very mindful of what work they complete in public places? And that this is inappropriate, and if Y found out that these notes were being written in full public view, they would have a further grievance on their hands?

Or am I a nosey parker?

(Or both?)

Not quite relevant to GDPR but nosey Parker’s, DD when studying became aware of a bloke who would look over her shoulder at the station every morning at whatever she was reading. Getting quite fed up with it, as she was studying for a medical qualification, she located a photo of a severely diseased male penis! His reaction the next day resulted in him never standing near her again!

And I concur with the other posters who advised it should have been raised at the time. No she shouldn’t have been doing it but also was entitled to assume nobody would peer through the seats and read her screen. We always used to put a warning page in confidential papers regarding awareness of reading them in public.

People are being so glib on here, what if it were your HR meeting notes being typed up in public? it’s a massive breach. Anyone with anyone else’s data is duty bound to protect it. Names were used and can identify the person. HR is all about confidentiality. If this woman has not had data training it’s the company at fault. The minimum is a privacy screen if she has to work in public. Report.

spell edit

Alright… let’s put it this way. If a random member of Joe Public phoned a company and asked sensitive questions about one of their employees and a member of staff just gave Joe Public the information they were asking for over the phone then who would be at fault? The nosey member of the public or the member of staff for giving out that information?

Same as the commuter train from Limerick or Cork to Dublin that gets in at 10am . You get off in Hueston and there's like 20 people you know professionally at the barrier going to meetings in Dublin. If one had been sitting behind you whilst you had confidential information open on your lap top it would soon be common knowledge.

It’s kind of worse when it’s work related stuff. Op this person may be over worked rushing to get home to kids or caring for an elderly parent. I’m sure they ‘d rather sit there with a coffee and read a book or something. Either gently tell them you can see it or stop looking.

I often, in the course of my work, inadvertently came across private information that I should not be party to. I kept my mouth shut, and minded my own business

If she works in HR on GDPR cases, then she shouldn’t need to be reminded of what confidential means.
In my book, I’d see that as (gross?) incompetence.

I’d definitely contact him. I sometimes work on the train and don’t have a privacy screen and make bloody sure no one’s contact details are visible. Ironically apart from my own as I need to type my email to log in!

And people look ALL THE TIME. Sometimes the formatting makes mine look more juicy than it is and I can practically hear the creaking of eyes from the bloke next to me and who knows maybe behind too. A train isn’t a private place!

You’ll be surprised how many people peer over seats/ look through gaps on the train. I once caught someone sat behind me Ona train trying to read a WhatsApp conversation I was having with my bf

Well you shouldn't. You should at least let those that have made you privy to the information know.

Not once have I said it's fine for the person to be doing this on a train, have I? No, not once. But if you have done proper GDPR training then rather than post online and ask others about it, you would address the person directly to halt the potentiality for information to be seen by people who shouldn't see it. You would do it on a hospital ward, you would do it in a bank. Halt it at at the source. Up to you if you want to report it afterwards, but the obvious thing to do, if you are trained, is to make the person aware. That's GDPR 101.

On the fence re. this, but I was on a train, going home from work, where someone was doing something similar but on a phone, so impossible to ignore. She even mentioned the name of the person. I didn't know the person but it was inappropriate to have what effectively was a dismissal conversation in front of strangers. So as I left the train, I commented to the individual that I knew who she was talking about and she should have carried out the call in an appropriate location. I hoped my comment worried her and perhaps would influence her actions in the future! Trains are not mobile offices!

You're so wrong it's not worth trying reason with you, but I hope for your organisations sake you aren't able to access data out of a secure environment. Data breaches are a huge issue taken extremely seriously as they can lead to enormous fines.

But keep arguing against many repeating the actual responsibilities under the legislation.

If she has confidential information she is not entitled to assume nobody would look if she access it in public.

I was on a train recently and a teacher was doing a virtual staff meeting discussing strategies for pupils. With camera off, but we could all hear her side of the conversation. She was really loud and it was all about really personal specific pupil problems.

A GDPR breach is a GDPR breach. It is not the op’s or any other member of the public riding on that train to have training on GDPR and how to address it just in case someone happens to have confidential information on full view. Are you seriously telling me that the op, along with other members of the public on that train should have the responsibility of addressing the issue with the person who is breaching the data? Seriously? What if it happened to be a child passenger who saw it instead of the op? Would the onus be then on the child to address this with HR woman? I think not!

I know full well how serious data breaches are - I had to deal with a hospital data issue where the trust was fined to the tune of £250,000. All I have said is to address it at the time if you're someone who is remotely sensible. How can you argue with that logic? Then any legal fallout follows. Report after if you need to. But to just sit there and spy on someone and only post on here, rather than let the woman know at the time is honestly ridiculous. I'm not arguing against responsibilities, but you are rather proving that common sense isn't all that common.

I didn't say it was the OP's responsibility. I was pointing out the fact that if she had just tapped her on the shoulder and said that information could be seen, then that would help negate the potential for it to be seen by others and/or misused. There is no child in this, you're just being silly now. Report after the event if you wish. But why is it so hard for you to understand that a heads up to someone would be better than just sitting there and doing nothing until after?

This is beyond parody - what a shit company. I would report them to their ombudsman or similar (depending on the sector)

My manager was aware of this and trusted me not to gossip. I was in a role where discretion was expected.

Wow your arrogance knows no bounds.

Anyone who undertook and actually understood the training knows I'm correct. You're making yourself look ever so silly now

It is NOT the op’s responsibility as a member of public riding on a train to tap her on the shoulder and tell her they could see the information, anymore than it would be the responsibility of an elderly couple on the train off on a day out or a child passenger! Don’t be so ridiculous!

Even working in events - so not especially sensitive personal data, just names and email addresses - I was SO careful if I was working on the train. This is ridiculous

There's no point intervening in the actions of people who are fundamentally stupid, careless, and selfish. It's a waste of time. Someone thick enough to be waving confidential info around on the train isn't going to have a data protection revelation from a stranger tapping them on the shoulder.

Rarely have I read so much self-righteous crap!