Hello, my name is XXXXX XXXXX it is my pleasure to assist you with your question today. What information about the employees has been included?
Does the information make sense?
OK, a lot of personal data, which is indeed highly likely to have been a data protection breach. This is because personal data covers any information from which a person is readily identifiable and having all these details would certainly make individuals identifiable. So posting these details for a purpose different to what it was obtained for would be a breach. You could argue that the reason you forwarded the information was for a legal purpose, that being the TUPE transfer, but the subsequent distribution of this information is unlikely to be justified.
That's what we thought. We believe in the first instance that the client should have removed the names before placing them on an open web portal. We were partly culpable in sending names when we could have put ID numbers; however, we were acting in good faith and we have had five of the nine or so names provided express their concerns. Where do we take it from here, as we have highlighted this problem in a formal letter to the client?
Have they removed the names now?
Yes they have, with a rider that everyone deletes previous copies of the Excel spreadsheet that contained the full names.
OK, and what would you like to achieve in this situation?
Well, I am not sure to be fair, and how can we quantify any loss? So the other side is what happens to the client? Slapped wrists or a fine? It may just be a case of we told you so and you are not very good Mr Client, or do we ask for a written apology or a reason why it happened? At least they might get the message that they have cheesed off a number of people.
It is not you that would be pursuing the matter in the circumstances, it is the individuals whose personal data was breached. Also they cannot really take legal action unless they have suffered identifiable losses as a result of this. The only thing you can do really is to report them to the Information Commissioner's Office, which deals with data protection breaches and they could issue a fine if they believe it is necessary. For you personally as a company, you can refuse to deal with them in the future if you believe you cannot trust them.
As it happens I am one of the individuals and I may not get a job out of it at the end of the day; the operatives and office staff will TUPE and be either retained or made redundant much like myself. I think the best approach may be to tell them that they were in the wrong and we may look at reporting them to the ICO once I speak to our management team! They are not a bad lot, just a bit incompetent and think they can ride roughshod at times.
Ben, thanks for the advice and I am much clearer now in my own mind as to how to take this forward. Are there any other recommendations you can add or have we explored all our options?
Well, the issues here are twofold - was there a breach and if so you can report it to the relevant body, that being the ICO, which can undertake its own investigation and issue a fine if necessary. Then have you, as an individual whose data has been breached, suffered identifiable losses as a result of that breach and if you have, you can consider pursuing them through the civil courts.
Okay, it's something to think about going forward. Thanks for the advice, we will see how things pan out and I may be back for further advice.
Cheers XXXXX XXXXX regards John
Oh, one final question: are these things limited with any time constraints? Do we need to act in any time frame with a drop dead date?
You are most welcome. Please take a second to leave a positive rating for the advice I have provided as that is an important part of our process. Thank you and feel free to bookmark my profile for future help:
To report to the ICO - no
To claim for damages - 6 years from the date of breach
Cheers XXXXX XXXXX good day bye for now!!!
Rating to follow
Many thanks, XXXXX XXXXX best