GDPR question
 


38 Posts
18 Users
0 Reactions
205 Views
Posts: 7033
Free Member
Topic starter
 

Quick one for experts...

Email sent from parent to organisation regarding their child. Personal details etc inside it.

Staff of organisation shows email to a large number of people, who are nothing to do with said organisation.

Was that a GDPR breach?


 
Posted : 21/12/2022 7:50 pm
Posts: 257
Full Member
 

Yes - go look at the ICO website.


 
Posted : 21/12/2022 7:54 pm
Posts: 4170
Free Member
 

I'm not an expert, but I think that's a no-brainer. Yes.


 
Posted : 21/12/2022 7:56 pm
Posts: 648
Free Member
 

Not enough info to be conclusive. It would depend whether showing to the other people was in support of the original purpose for which the data was provided.


 
Posted : 21/12/2022 8:02 pm
Posts: 14233
Free Member
 

Eh, they shared your personal data without permission.

On the basis of your post I can’t even see a case for legitimate interest either. What are the circumstances of the group shown the personal data, what is their role?


 
Posted : 21/12/2022 8:03 pm
Posts: 3296
Full Member
 

Depends slightly on whether the details allow the child to be identified by using them. Name, address etc. Also when you say “showed” do you mean put on a projector in a room full of people for example or was the email forwarded?

Likely a GDPR breach though and needs reporting by the organisation who shared it within 72hrs.


 
Posted : 21/12/2022 8:08 pm
Posts: 77347
Free Member
 

Was there a reason for them to do so?

If they've dropped a bollock and done it accidentally, it's almost certainly a breach. If they believe there's a safeguarding issue and they've sent details to Social Services then it almost certainly isn't. Without knowing more about the situation I'm into the realms of guesswork and might as well copy and paste from the Internet.

The TL;DR version is that consent is generally required; data processors have to have valid cause to share data (likely "disclosure by transmission" in this case); and they must limit the data shared to what's essential for the process intended. What constitutes "valid" is a little more complicated, there's half a dozen reasons considered acceptable.


 
Posted : 21/12/2022 8:12 pm
Posts: 13134
Full Member
 

Too little info imo.

What were the details - what was the purpose of sharing and in what medium?


 
Posted : 21/12/2022 8:18 pm
Posts: 5727
Full Member
 

Will partly depend on the relationship between the 2 organisations.
They may have a data transfer or processing agreement.
If they don't and there was no justifiable reason such as safeguarding then it sounds like a breach to me.
Without going into details, could it also result in a negative impact on the child? That might make it more serious.


 
Posted : 21/12/2022 8:24 pm
Posts: 7751
Free Member
 

I would say definitely a breach and proceed on that basis whilst accepting there *may* be a legitimate reason for the email to be shared with people outside the organisation; unlikely, I think, but...possible.
In your position (assuming this is you and your child) I would immediately ask the recipient of the initial email why it was shared and request them to demonstrate that it does not breach GDPR; full response required by return - not just a 'holding' email.
If response is not acceptable to you, report to ICO by either you and/or organisation as GDPR breach.
As a general comment, it's concerning that many people who should be fully conversant with GDPR aren't and don't appear to be concerned by their non-compliance.


 
Posted : 21/12/2022 8:26 pm
Posts: 14233
Free Member
 

As a general comment, it’s concerning that many people who should be fully conversant with GDPR aren’t and don’t appear to be concerned by their non-compliance.

I couldn’t honestly recall a peer organisation getting pinched in court

Might have to spend some time looking for court cases https://www.farrer.co.uk/news-and-insights/english-courts-further-restrict-data-breach-claims/

My guess is “if” there are a lack of actual consequences people will slack off

Edit, the ICO has a section on action taken https://ico.org.uk/action-weve-taken/enforcement/


 
Posted : 21/12/2022 8:39 pm
Posts: 7033
Free Member
Topic starter
 

Thanks all. Yes, us. Has definitely had negative impact on us, more so even than offspring. Same incident is now about to have impact on younger child.

Contents of email were shown around pub. Nobody present had any business seeing it. The party responsible does not, in my opinion, appear to be very competent with data, security, or IT. My opinion only. Personal expectation is that they are totally unaware of their obligations on this front.

Sadly, this is found out very retrospectively. Not sure if there is anything to be done about it now - although the knowledge of it being a breach may well help when trying to stop further issues developing with the same person and younger sibling.


 
Posted : 21/12/2022 8:52 pm
Posts: 5727
Full Member
 

Ok, based on that, definitely report to the ICO; things like that are utterly inexcusable and should be punished.
Plus I would send in a subject request to the company as it might shed light on what was done, plus it will take them ages to fix.
Do you have evidence? It might be worth talking to a lawyer too.


 
Posted : 21/12/2022 8:59 pm
Posts: 3296
Full Member
 

A lot wrong there. For a start anyone handling/holding sensitive data has an obligation to treat it as such. From what you say it’s almost certainly in contravention of GDPR and quite possibly a police matter also in regard to the individual sharing the info. Showing an email around a group in a pub is not the same as forwarding on an email by mistake.


 
Posted : 21/12/2022 9:02 pm
Posts: 14233
Free Member
 

Contents of email were shown around pub

You f***ing wot mate

The party responsible does not, in my opinion, appear to be very competent with data, security, or IT

No 💩

As above, report that. Ask to see their Data Protection Impact Assessment too.


 
Posted : 21/12/2022 9:04 pm
Posts: 5055
Free Member
 

While it's a breach don't assume anything (substantial) will happen to the individual (or organisation) and I certainly wouldn't be spending my own money attempting to 'make a point'.

Good luck though.


 
Posted : 21/12/2022 9:27 pm
Posts: 4579
Full Member
 

As many have said, definitely complain I'd be staggered if there were circumstances that meant what you've described was compliant.

As above, ask for the data protection impact assessment for the processing activity and the controls they have in place to mitigate the risks.

You could also:

Ask what their data protection/information management/records management policy is.

Ask what awareness and training their staff have to complete and how frequently.

Ask for the privacy notice, this should have been available at the point the information was collected.

Ask to see their ICO Accountability Framework tracker or other means that they use to demonstrate their GDPR compliance.

They should also have a Record of Processing activities that records all instances of personal data processing and the prearranged/planned sharing, etc.

If they are a public authority then you could use the FOIA to request/learn the above if they aren't forthcoming. You might also want to drop a couple of questions in about the number of breaches they have recorded, reported, etc.


 
Posted : 21/12/2022 9:36 pm
Posts: 7751
Free Member
 

Showing it around down the pub is the same as putting it on the front page of the Daily Bugle.
Whatever the subject is it will have been...misunderstood, misinterpreted or otherwise distorted.
Go hard in pursuing this.
Piemonster - the most recent post by monkfinger fully vindicates my last post.


 
Posted : 21/12/2022 10:29 pm
Posts: 4420
Free Member
 

My guess is “if” there are a lack of actual consequences people will slack off

Edit, the ICO has a section on action taken https://ico.org.uk/action-weve-taken/enforcement/

Agree. I've just been through the last 6 months of cases and almost all were about telephone sales calls, only 2 were GDPR, and one of those only came to light because the company was later cyber-attacked.

However, this one may be relevant here: https://ico.org.uk/action-weve-taken/enforcement/christopher-o-brien/

I'd doubt there'll be a relevant DPIA here, but it won't hurt to ask. I would ask for a Subject Access Request though; there may not be anything on this particular incident (was it literally someone showing a phone round a pub?), it might turn up other useful information that could help, if you wanted to take it further. And yeah, do ask how this action is compliant with their data handling policies.


 
Posted : 21/12/2022 11:17 pm
Posts: 7033
Free Member
Topic starter
 

Do you have evidence?

Word of mouth report from someone who was there. No hard evidence.

No money will be spent. I would be happy if highlighting this breach lights a fire under said organisation's arse and results in them pulling their finger out and sorting the actual problem.

Thank you all for responding.


 
Posted : 21/12/2022 11:22 pm
Posts: 14233
Free Member
 

I’d doubt there’ll be a relevant DPIA here, but it won’t hurt to ask.

Kinda why I suggested asking for it …


 
Posted : 22/12/2022 7:29 am
Posts: 4675
Full Member
 

Is a DPIA a legal requirement or just 'nice to have'?

Asking for a 'friend'.


 
Posted : 22/12/2022 7:33 am
Posts: 14233
Free Member
 

It depends on the circumstances; if there’s a high risk then you “must” do one. Otherwise it’s “good practice”.

https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/data-protection-impact-assessments/


 
Posted : 22/12/2022 7:43 am
Posts: 4579
Full Member
 

@richmars

You must do a DPIA for processing that is likely to result in a high risk to individuals. This includes some specified types of processing.

This also includes if there are a large number of individuals in scope of the processing, or if they are children or vulnerable, or if health, sexuality, religious or race info is processed.


 
Posted : 22/12/2022 7:47 am
Posts: 4675
Full Member
 

Thanks, not me but our local parish council are sticking CCTV and ANPR cameras everywhere.


 
Posted : 22/12/2022 8:11 am
Posts: 363
Free Member
 

I'm a DPO, and am spending a lot of time considering getting out of data protection. IMO, companies are not even remotely trying in a lot of cases. It seems to be keep your head down, hope nothing goes wrong, then panic and try to "fix" everything if there is a complaint.

I was reading this judgement from Italy yesterday: https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9833530 €100,000 fine.
Summary was that they used outgoing email logs to try to find a person who leaked internally sensitive information. One factor in the fine was that no DPIA was done on the email logging. The company said they considered it low risk so didn't do one, but actually the email logs had special category data (union, doctor, HR regarding health email) and other risky data, so a DPIA was absolutely required.
A huge number of people completely misunderstand the extent of personal data.


 
Posted : 22/12/2022 8:27 am
Posts: 4579
Full Member
 

@richmars

CCTV and other forms of surveillance require additional effort to remain compliant.

https://ico.org.uk/for-organisations/guide-to-data-protection/key-dp-themes/guidance-on-video-surveillance-including-cctv/


 
Posted : 22/12/2022 8:29 am
Posts: 363
Free Member
 

@richmars

Yes, then they have to do DPIAs, and as a public body they are required to have a DPO, and there should be a privacy notice on their website detailing the use of the personal data.


 
Posted : 22/12/2022 8:29 am
Posts: 14233
Free Member
 

A huge number of people completely misunderstand the extent of personal data.

It’s bad enough trying to get people to understand that processing personal data isn’t just about marketing/comms.

I’m really glad the ICO exists, I will quite often just cite them directly with a quote and link in response to someone piping up with “I think we can”.


 
Posted : 22/12/2022 8:38 am
Posts: 13134
Full Member
 

Contents of email were shown around pub. Nobody present had any business seeing it.

😳

I'm struggling to imagine that scenario. I'm assuming you mean it was shown around that individual's collection of friends/associates whilst they were sitting in a pub? Or was there some sort of meeting at the pub? Not just generally passed around to total randoms - that would (regardless of GDPR) just be plain weird. I'm assuming what made it worth sharing was other aspects of the content - I can't imagine much 'pub bants' could be had from sharing GDPR relevant data.

Is this 'organisation' a school by any chance, and the email shared with teachers from other schools?


 
Posted : 22/12/2022 8:50 am
Posts: 4675
Full Member
 

Thanks regarding the camera stuff.


 
Posted : 22/12/2022 9:03 am
 ji
Posts: 1415
Free Member
 

My guess is “if” there are a lack of actual consequences people will slack off

Having worked for organisations that were hit with very large fines (usually for a mistake by a well meaning but poorly trained individual, that then went seriously wrong - data sent (outside policy) unencrypted for example, with good intentions, but then lost in the post), the fines can be impactive and in my experience led to better training, data controls, policies etc to prevent the same or similar happening again.

A quick look through the ICO site gives this Excel sheet of fines for example - there are plenty of fines paid in excess of £100k


 
Posted : 22/12/2022 9:52 am
 poly
Posts: 8699
Free Member
 

If I’ve understood correctly MrMF sent an email to someone (perhaps a teacher) about MFjnr which contained MFjnr’s personal details. The recipient has then gone to the pub and passed that email around a group of friends (presumably along the lines of “you won’t believe the entitled email I got today” or worse “look at this young person and laugh about whatever the sensitive info is”). One of the people in the pub happened to be an associate of MrMF who has then relayed events to MrMF. If that’s the sort of scenario then whilst GDPR may have been broken it sounds more like a professional conduct issue.

I'd also say that whilst the whistleblower friend is better than those who do nothing - if they didn’t challenge it at the time (regardless of knowing who MrMF is) or report the misconduct internally (I’m guessing that they are in the same professional sphere as the original email recipient) then they probably need to think about their own professional responsibilities.

So while a GDPR fuss may make the organisation look at its processes and protocols (eg should their staff have access to email on personal devices, what training they do, etc), it won’t stop intentional misconduct. I’d say, imagine GDPR didn’t exist - would you still find the behaviour wrong? Is the recipient in a profession where you should just be able to expect decent behaviour? Would you be upset if the recipient were struck off / fired for their misconduct? Would you be concerned if the whistleblower got their arse kicked for coming to you rather than raising it with the professional standards body?

Eg if this was a teacher I’d be on the phone to the head today seeking an urgent meeting about the conduct of one of their staff, but I wouldn’t be going in ranting about GDPR and DPIAs, if one of their staff has acted in a manner that they would not expect.  GDPR and DPIAs are more useful when it is the organisation policies that are at fault rather than an individual being a ****.


 
Posted : 22/12/2022 10:59 am
Posts: 363
Free Member
 

Complain about professional ethics, plus GDPR especially as this is a minor's data.
Raise it formally with their DPO, and if there is no response or you get fobbed off, raise it with the ICO with all correspondence.
A data breach has 72 hours to decide if it is of high enough impact that it needs to be logged with the ICO, so they will have to respond now and over the weekend or else they will be in breach. Based on what you have said, this should be high risk to the data subject, and as such is a reportable breach.


 
Posted : 22/12/2022 11:08 am
Posts: 13134
Full Member
 

Largely in agreement with Poly there in both suspicion and intent. However, without more info from the OP, which they would understandably not want to share, it's very difficult to know.

Poly's supposition might be spot on - or it might have been a far more 'professional' (used with caution) conversation where one teacher was asking for advice about how to deal with a situation with others - it went too far and a 'scenario' (which we share all the time) became personalised when the specific email was viewed by others to clarify the scenario's nature, therefore lazily making the person identifiable. We really don't know without more info.

To the OP - is it the fact that your 'case' or your situation or in fact you were discussed with others that's most upsetting you? Is the GDPR issue just a way to 'weaponize' or formalise the complaint?


 
Posted : 22/12/2022 11:20 am
Posts: 363
Free Member
 

A breach of personal data is a breach, no matter what the intent behind the complaint is. If you have a disgruntled ex-employee who uses DSARs and complaints against their old company, you still have to deal with them and respond appropriately.
If you have all your ducks in order, then responding does not cost anything except some time. If you don't, then expect an escalation and possible fine, but that is not the ex-employee's problem, it is the company's problem for not being compliant.

This, at its fundamental level, is a possible breach of someone's human rights and should be investigated as such.


 
Posted : 22/12/2022 11:32 am
Posts: 8247
Free Member
 

If I’ve understood correctly MrMF sent an email to someone (perhaps a teacher) about MFjnr which contained MFjnr’s personal details.

Or an email to an out of school club, demanding why, let's say, one of the coaches was arguing with him about mopping up Johnny's urine yet again and refusing to coach Little Johnny if he carries on peeing himself.

The recipient has then gone to the pub and passed that email around a groups of friends (presumably along the lines of “you won’t believe the entitled email I got today” or worse “look at this young person and laugh about whatever the sensitive info is”).

Or passed the email around the group of coaches present and asked 'what the hell are we going to do about this bloke. He treats our club like a creche, his child is a brat and they constantly pester us.'

One of the people in the pub happened to be an associate of MrMF who has then relayed events to MrMF.

'Hey dude, I hear that Johnny still pees himself whenever he's on the mats.'
'How did you hear that?'
'Oh, um, in the pub after class last night.'

^^ That's not what happened, but it's as close as some of the guesswork on this thread.


 
Posted : 22/12/2022 1:11 pm
Posts: 7033
Free Member
Topic starter
 

I’m assuming you mean it was shown around that individual’s collection of friends/associates whilst they were sitting in a pub?

Correct. Along with a biased sob story.

@poly - very much as you post.

@convert - yes, exactly.

I'm basically dismayed at the fact this matter (a) wasn't sorted at the time (b) wasn't kept within the organisation (c) affected both us and the eldest in numerous small ways and (d) is now affecting the youngest and (e) safeguarding concerns arising from all the above as the organisation tried sweeping it under the carpet, giving us a lecture about how awesome they are, and hoping we'd go away.

Obviously it's complex and I've only painted the most wafer thin picture here.

If I can weaponise the GDPR angle it helps a lot to highlight the piss poor conduct of the individual in question.


 
Posted : 22/12/2022 7:44 pm
Posts: 3296
Full Member
 

Sounds like the appalling management typical of so many young people’s clubs, like football, for example, and there is zero accountability unfortunately. I think GDPR is likely your best tool although if there are safeguarding concerns then speak to your local social services and/or the police.

Perhaps exercise your “right to be forgotten” and insist all data is deleted, followed by a SAR to ensure it is.


 
Posted : 22/12/2022 8:39 pm