GDPR breach?

[Piesforteaagain]

I go to a sports injury clinic for treatment.

today I get a text from an unknown number to me saying it’s the person I normally see there and they have left and are now working locally to me if I would still like to see them.

I’ve been in contact with the clinic and yes that person is no longer working there and I tell them I’m not happy about this contact and this person contacting me. The receptionist rang me back a bit later to say that my personal data is safe, the person who owns the clinic has asked her to ring me and assure me all is ok.

I’ve blocked the number that text me. I’m not sure whether to leave it at that or what to do.

I used to work in an environment where GDPR was pushed down our throats and I’m annoyed this person just thinks they can nick my phone number.

If this person had legitimate access to your details whilst they were working at the clinic, it is difficult to see what the clinic could have done to stop them from taking your phone number. I would leave it.

It is definitely an innapropriate use of your personal information. You've not consented to being personally contacted by staff members and don't let this clinic try and say this is ok. Are they and NHS clinic or private? Even if private, most private clinics will have similar rules about this kind of thing.

transform.england.nhs.uk/information-governance/guidance/personal-data-breaches/

Personally I think it's mountain out of a molehill.

Do you not like the person that was treating you? If they're good, I'd much rather keep seeing them than a random new person.

GDPR is going too far.

It’s not really a fault of the clinic if this person’s stolen their customers data is it. The person would have legitimately had access to it when they worked there so the clinic haven’t done anything wrong. It’s the person who contacted you that’s in the wrong really. I’d just reply, tell them you don’t want be contacted by them anymore and move on.

Ignoring the lazy misogynistic name calling GDPR isn't based on a comparison with a huge website selling data

It sounds like there hasn't been a breach in this case but the OP is entitled to be annoyed about unsolicited contact in this way

Annoyed? Get a grip

The business has taken it seriously and has even rung the OP back to make sure she's ok. I am quite sure they will be taking it up with their ex-employee, who has stolen data belonging to the business.

As you know it is a gdpr breach but while I agree it's annoying it's one of those things that is on the same level as cars blocking the pavement or eating grapes while you're shopping before they are paid for.
If I didn't want the contact I would personally have replied to say please delete my number and it's against gdpr to take personal information from other people's systems, and also against pecr to contact someone without any consented or legitimate reason.
Then leave it at that.

I get very tired of people shouting “GDPR!” or “data breach!”

That doesn’t mean anything by itself. It’s as technical a legal infringement as, say, going at 70.5mph on a motorway or pasting a photo off the internet onto MN.

Before GDPR we’d all just have said “I don’t think your ex-employee should have been in touch with me. Thought I’d tell you.” End of.

Just say you're not interested and move on

Jeeez, some people are so desperate to complain. Yawn.

I dont know what you mean, why isn't she allowed to be annoyed?

It's a mild reaction to something, not everyone is comfortable with people having their contact details that they don't know about

Something similar happened to me. An ex employee who I had bought a hospitality package from contacted me from their new company abut similar packages. I contacted the original company and they apologised and said they would be ensuring their ex employee knew they had breached both GDPR and the stolen company information.

Most companies have a clause in their contracts that states they are not allowed to contact customers and have to wipe all data upon leaving. It is up to the company now to pursue this with their ex employee. The ex employee has actually committed a criminal offence in using your data in this way. The ICO has chosen to prosecute in the past although the case I saw referenced involved the theft of medical data which was passed onto a third party.

Depends on whether you were a client of the salon or of the person that left. Some practitioners can take their clients with them if they move to another salon or go private. Depends on the T's & C's.

V good point. Might not be a breach at all.

And even if it was a breach… “a criminal offence”? 🙄

No we wouldn't - we would have said "x person called me and the only place they could have got my details is the clinic. I didnt agree to that, and I'm pissed off"

TBH, I wouldn’t have contacted the clinic at all. I’d have texted back “No thanks. Kind regards”.

Yes, a criminal offence. The ICO has already prosecuted a couple of individuals who stole data from their former employees. One stole patient data, another stole client data in order to set up in competition.

In R v Short (May 2018), Daniel Short had previously worked for VetPro, a veterinary recruitment business, but he left in October 2017 to set up in competition. After he had left, VetPro became concerned that he might have taken their data with him. Mr Short said that he had, but that it was for the purposes of his own ‘record of achievement’ only. VetPro weren’t satisfied and reported the matter to the ICO.
The ICO’s criminal investigations team confirmed that the personal details of 272 individual had been taken from VetPro’s data base for his own commercial gain.
The matter went to Exeter Magistrates’ Court and Mr Short pleaded guilty, leaving him with a criminal record – not the greatest start to his new business venture. He was fined £355 and ordered to pay costs of £700 and a victim surcharge of £35.
Mr Short was prosecuted under s.55 of the Data Protection Act 1998 (which has now been replaced by s.170 of the newly introduced Data Protection Act 2018) for the offence of “unlawfully obtaining personal data”. Although it’s not a very well known area of the law, it is very easy for employers to report any such concerns to the ICO, who then deal with the investigation and, if relevant, prosecution in full.

you wouldn't - I would

Fair enough. It still wouldn’t have been a complaint - however strongly expressed - that would have invoked legal rights though. Nowadays people reach for GDPR at the drop of a hat, as if it’s a big deal legally. In situations like the OP’s it really isn’t.

Thanks for all your responses.

I am annoyed (I can be if I wish)

I chose not to respond as I didn’t want to engage and start a dialogue.

Ive voiced my annoyance with the ex employer (I’ve been told they will be spoken to, and if they’ve contacted more than just me then my anonymity’s secure).

TBH it doesn’t matter the size of the business imo, laws are made and procedures put in place for reasons. Professional people should be professional.

A small local business is being ripped off by an ex employee and I am allowed to be annoyed on their behalf.

thanks all. Over and out.

I get that it’s technically a criminal offence. But what the OP described is so minor that it’s like speeding by 0.5 mph. In fact it’s even more minor than that: driving at 0.01 mph over the speed limit. I don’t know R v Short but it sounds like a more substantial misuse of personal data.

If you want to get all case law, have a look at Rolfe v Veale. It’s a civil case that was dismissed on the basis of being so trivial that it was a waste of time. And it was probably less trivial than the OP’s complaint.

You're fully entitled to be annoyed.

Yes, it's potentially a GDPR breach and it's also likely a breach of any anti-competition clause in the contract for the ex-employee. Whether or not it's a GDPR breach depends on a few things, which can't be determined from the information you have available. On the face of it, they have your name and telephone number and that's sufficient to meet the relevant data definitions. But it's not serious. If they also have details of your treatment records (beyond date/time and what they can recall from memory) then that would be getting more serious.

In reality, there's not much you can do about it. Block and move on.

It would also depend on wether the person was an actual employee. I have noticed some people use ‘employee’ when talking to clients, but use it incorrectly.

If they were self employed and renting space you are the client of the person who carried out your service, so your data is accessible and they can use it for business purposes.

The place of business may not want to go into that with you. Because at the moment you think that person has done something wrong and feeling sympathetic to them and may return to them, instead of the person contacting you.

Wow this happened to me and I didn't for a minute think to complain. In fact, I was glad as the therapist I saw was lovely and really
Good and all I was told was she had left and they were unable to pass her details so I was glad she contacted me.

It sounds like you didn't like her?