Company sharing my details?

[workQnamechange]

Wanted some others opinions on if this is legal/right/should I be fine with it/should I be like WTF!

I contract at a company that has several sister companies, just opened an email from HR, that asks us all to look at the spreadsheet and check if their is any errors/any comments, was expecting maybe our work numbers and emails. But it's a list of everyones name (both contract and full time employees) home address and home phone and personal mobile numbers, sent out to all the employees of not just the company I work for but all the smaller sister companies too.

When I filled in my starter forms to begin it didn't say anything about sharing the details in this manner and for personal reasons (NC with a family member) I try not to give out my home address much, I've took myself off 192 etc and now it's gone out to everyone over several companies, I'm not sure if I'm being precious or if I should say something (but is it pointless saying anything as the deed has already been done, not like it can be taken back!)

Highly illegal! I would complain most strongly!

It would definitely give me privacy concerns distributing a non-encrypted/unsecured spreadsheet via email. It is a lazy approach to validating employee data and I am shocked that an HR department would commit such a fundamental breach of data privacy legislation (if you are UK based).

I would raise the matter formally, citing Data Protection Act and reminding them of the forthcoming GDPR (which DPA on steroids!)

It will be interesting to know their response!

Thank you for your replies, yes UK based! My jaw was basically on the ground when I opened it up. But started to doubt myself and wasn't sure if I was being dramatic or not.
Going to draft an email now, any pointers on what to say greatfully received, as I'm nornall a bit crap when it comes to writing complaint type emails!

Oooh this is so illegal! I would be FUMMING.

OP, pragmatically you need to think about what outcome you want to achieve, which will influence the tone of your email. Let's face it the damage has already been done, so any action they can take will be damage limitation.

Do you want to continue working in the company? If so, sending them an "all guns a-blazing" email may not be the best approach for the longer term.

• You could start by clarifying that you did not give your consent to them sharing your personal identifiable information within the company and outside the company via its subsidiaries.
• Given the absence of consent, what actions do they plan to take next. - What can they do to reassure you that they take their obligations seriously to protect employees' data at all times.

I bet you won't be the only person to complain.

This is so illegal the person who sent the email could be imprisoned let alone sacked for gross misconduct.

Thanks everyone for the info!
I ended up emailing quite a neutral email as per daisychains advice and had a meeting with my line manager (who's a relative of the CEO of the company) and he basically looked at me like this: "but we've always done it like this since the company started, I don't understand the problem" when I started spluttering about the DPA and how it felt so wrong, he basically dismissed it and shut it down and was like well you can discuss it with the CEO next week but I still dont see the issue
I'm really shocked but also unsure as to how much I can push the issue for similar reasons to daisychains post, as the damage is done and I just feel unsure as to how much I can feel to push the issue.

workQ the company is clearly living in the dark ages if your line manager's only response was "we've always done it like that".

As I suspected, if the HR department is supported by senior management in this type of lazy practice I'm sorry to say you are on a hiding to nothing. Any further action you take is likely to meet with them asking you to clear your desk and not report for work on Monday, or words to that effect (as you are contracting, it will be easier for them to do that). I'd be prepared and maybe start looking for a new role - I expect they probably flout other aspects of employment law too.

It's a battle you are unlikely to win.

Maybe an approach of you trying to help protect them from future action and ad img them they need to take outside advice is they only way they will listen. If you don't want to kick up too much of a fuss (understandably) this approach may work.

Hi op. I've experienced this before. I complained. Got the .

I then explained that in a previous job one of my team had been stalked by another employee, leading to police involvement and legal issues regarding the company's role as enabler in providing the stalker with all her personal data with no commercial reason and without her permission.

They reissued the spreadsheet with my work mobile number under every column, but kept everyone else's full details on it

I am guessing your place hasnt started looking at GDPR. Look ot up. New regulations coming into force next yr. They could be fined £20m or 4% of turnover for stunts like that

Even under current regulations this is a clear breach. Your employer could do with knowing that, even before GDPR, they can be fined up to £500,000 for this. I understand that, under the new Information Commissioner, the ICO is fining more companies and imposing bigger penalties than ever before.

prh47bridge, whist I agree with you strongly that this is a shocking breach, my understanding of how the ICO works is that they don't impose large penalties like that on a single offence such as the one in this thread. They tend to need a weight of evidence over a period of time, through repeated offences.

I expect if the OP were to write to the ICO they would register the complaint but would need all those people on the Excel spreadsheet to write in and complain. As I said in my previous post, it depends how far the OP is prepared to go on this, and how much of a nuisance they are prepared to make of themselves, so to speak. Would be interested to know if your experience is different.

I agree that if this was their only breach the ICO would probably simply give them a slap on the wrist. But a company this careless with personal data may be committing other breaches. Making them aware of their potential liability and the fact that the ICO is being more proactive may wake them up to the issue.