Two employees are being made redundant and both apply for a new role in the business.
Both submit DSARs.
Due to a cock-up that I still can’t get my head around, employee A’s interview notes are shared with employee B as part of the DSAR.
It is immediately rectified and deleted; however, employee B has read them. We deemed it as not high risk enough to report to the ICO; however, because of the circumstances we tell employee A that employee B has seen them. Employee A is not happy and insists we should report to the ICO as she believes it will make her working life difficult, as she got the job and employee B did not.
Employee B is being made redundant and no one else had access to the doc. Any advice?
DSAR disaster!
Barry Moult
I agree with Hellen.
Make sure you document your reason and rationale for not reporting it. If questioned at a later date, you are not relying on memory for your decision.
Also make sure you document lessons learnt and communicate to the relevant staff.
The last point Hellen made is a good one. Revisit your process, no matter how good you think it already is.
HellenB
This is the kind of situation that makes my blood run cold.
However, let’s look at this in purely legal terms:
A breach would need to be reported in this instance if it was likely to have a severe impact on the rights and freedoms of the individual.
As A was not made redundant it could be argued that the disclosure of the information did not detrimentally affect the outcome of the process. Hence their rights are unaffected.
B is covered by the terms of their contract with regards to confidentiality and therefore should not have disclosed the contents of the notes to anyone.
It would be appropriate to discuss with A why the disclosure of the document would make any difference to their treatment in respect of the redundancy, since the fact that they were retained and B made redundant would be common knowledge.
A should be fully supported and monitored by HR to ensure that there is no effect from the disclosure of this document.
Finally: no SAR disclosure without proper signoff in future.
Chris Roberts
Picking up on the great points made by my fellow contributors.
1. Documenting your decisions is vital. Never put yourself in the position of trying to remember. You might get the decision wrong at the time, or case law may in time make yours the wrong one.
2. Improvement. Errors happen. What compliance systems and regulators want to see is evidence of improvement. Don’t have the same mistake twice or more; that’s a recipe for severe action.
3. Technology – Systems – People. People remain a significant weakness in organisations. Training, training and more training is required, as only knowledge makes people better.
Good luck.
Stephen Lark
This is a more common occurrence than you may think, so please don’t feel too bad. I deal with at least one of these types of incidents a month, e.g. wrong information such as job offers sent to the wrong people.
You do not need to report it but document the decision for future reference.
It is not difficult, or expensive, to remove the human factor and prevent this happening again. Utilise technology that ensures only the intended recipient can open the communication, and/or that documents are checked and classified automatically.
For the sake of accuracy, the breach would not have to be reported to the ICO if it is unlikely to impact the rights and freedoms of the data subject. The serious impact consideration is only used when considering notifying the affected data subjects. So if it is likely to have an impact it needs to be reported. A lot of weight will be on the actual disclosed content of the interview notes. The organisation is also exposed to civil action for damages as per Lloyd v Google et. al.
I would go through the ICO self-assessment breach tool and document the outcome. If the affected subject complains you need to be transparent and demonstrate your process and decision making.