Colleagues used my details to find the deeds on my house. Data breech

[ThisJadeLeader]

I recently quit my job, toxic work place I had worked there for 7 plus years. It didn’t go down very well with my manager or rest of team.
I worked in a small HR team so we had access to everyone’s details.
i stupidly left some private information in a private file on my desktop which has been accessed by IT and my old boss.
The document was a mock tenancy agreement for my house.
When I moved into my house a few years ago I just said we had bought it as it was a new build and I couldn’t be bothered explaining someone had bought it on our behalf and we would be renting from him (non of their business)
Since then my old manager told me she knows I don’t own my house as the HR team done a search and the deeds weren’t in our name!!!
Isnt this a GDPR breach that they have accessed my address purely to do a private search which is nothing to do with work? I get the deeds are public records (which you have to pay for so I just find it so weird) but they would need to get my address from my HR file to perform the search in the first place??

My thoughts exactly. What does it matter whether you own it or are renting?

I don’t get why they even care??

As someone who works in data protection I’d say it is a data breach. The breach isn’t your personal data per se, but actually that of the third party who owns the house. Whilst the data of the homeowner is available for a fee, there is no legal reason for them to access (process) this data from an UK GDPR perspective. It’s also a minimal breach on the grand scheme of things.

An earlier poster referred to legitimate interest, but in your case it would more likely be related to processing data as part of a contract, or within the scope of something similar. From there you need to work out what, if any, risk there is to the owner of the property from your former work colleagues knowing.

There is the other concept of a breach involving the fact that it’s not you that owns the property, but that’s a more vague avenue to pursue.

You have nothing to lose by reporting a breach to the ICO and waiting for their review of the outcome. Give them as much information as you can about the incident. If they come back and determine that there is a breach, then you can use that to further bolster any advice that ACAS may have for you, or you could challenge them legally. But I’d be wary of trying that as the threshold to prove any harm against yourself from any breach is high, and the tribunal isn’t sympathetic on word of mouth; harm
needs to be well documented and usually clinically.

if nothing else, reporting the breach will give you some closure on the incident and you can feel like you’re sticking it them a little bit now you’ve left.
https://ico.org.uk/for-organisations/report-a-breach/personal-data-breach-assessment/

This. They sound utterly mental, and as if they have nothing much else to do.

Firstly, this is a breach.
They have access to your home address for the purpose in which it is required as your employer. Nothing else. Within the HR team they should have segregated access - I.e an HR for HR person who is the person who has access to your files. Nobody else needs it.

Secondly, nobody can use your data for the purpose of stalking or harassing you. That is a data breach.

You can report them to the information commissioners office if you already have sufficient evidence.

They have a phone line on the website which you can use to get advice on appropriate next steps. Here’s the link for help: https://ico.org.uk/make-a-complaint/