Welcome to the MSE Forums

  • FIRST POST
    • melymay
    • By melymay 19th Apr 17, 11:41 AM
    • 105 Posts
    • 346 Thanks
    melymay
    data protection breach
    • #1
    • 19th Apr 17, 11:41 AM
    Just after some advice on what to do next.
    I am a manager in a large company and have just had approximately a month off sick with stress/anxiety brought on by a work related incident. As part of the process of getting me back to work I was asked if I would speak to a therapist from OH to discuss the incident and the proceeding events.

    I returned to work yesterday and in checking admin had to access a shared drive (shared by the management team, admin team and support team) which contains information on members of staff. The protocol is that you have access to the staff that are accountable to you and not your peer group.

    On accessing this file I discovered a very detailed report from the therapist regarding my consultation... which up until this point I had not seen. The report contained very personal details about the incident and also commented on my mental state.

    Where do I go next with this?
    Would it be best to put something in writing or speak directly to my superiors?

    Any information anyone could provide to help me deal with this issue would be gratefully appreciated.

    MM
    • sangie595
    • By sangie595 19th Apr 17, 12:45 PM
    • 3,331 Posts
    • 5,516 Thanks
    sangie595
    • #2
    • 19th Apr 17, 12:45 PM
    I'm sorry but I don't understand what you are saying? Just because you have access to your own file, does that mean others do? If so, why didn't you speak to your manager straight away about this and get it moved?

    I'm not clear that this is an "issue" - it can be resolved with one two minute conversation, can't it?
    • Tiddlywinks
    • By Tiddlywinks 19th Apr 17, 1:34 PM
    • 5,323 Posts
    • 18,433 Thanks
    Tiddlywinks
    • #3
    • 19th Apr 17, 1:34 PM
    I'm not clear that this is an "issue" - it can be resolved with one two minute conversation, can't it?
    Originally posted by sangie595
    It is a very big issue if sensitive (medical) data has been stored in a way which makes it accessible to more than the intended / essential reviewer.

    OP - This is a data breach - take screen shots of the file properties to demonstrate the lack of access controls. Print off the report for your own records. Move the file to your personal drive.

    Write immediately to your manager, copying in HR and second line manager, and ask for an immediate investigation.

    It is not an overreaction, sensitive medical data should NOT be stored in a way which makes it accessible to your peers or even to other managers without your consent.
    • sangie595
    • By sangie595 19th Apr 17, 1:55 PM
    • 3,331 Posts
    • 5,516 Thanks
    sangie595
    • #4
    • 19th Apr 17, 1:55 PM
    It is a very big issue if sensitive (medical) data has been stored in a way which makes it accessible to more than the intended / essential reviewer.

    OP - This is a data breach - take screen shots of the file properties to demonstrate the lack of access controls. Print off the report for your own records. Move the file to your personal drive.

    Write immediately to your manager, copying in HR and second line manager, and ask for an immediate investigation.

    It is not an overreaction, sensitive medical data should NOT be stored in a way which makes it accessible to your peers or even to other managers without your consent.
    Originally posted by Tiddlywinks
    I don't disagree. If that is what has happened. I meant it when I said that I am not clear what the OP was saying.

    And if what you are saying is the case you do not move the file. You tell your manager immediately and get them to move it. If you move it there is no evidence that it was ever anywhere else on the drive.

    But I am still unclear exactly what is being said. For example, in my workplace I can see every file on the system. That does not mean that I can open every file on the system. I can open my personnel files. So can my manager. But my colleague can only see that there are files - not what is in them.
    • FredG
    • By FredG 19th Apr 17, 2:00 PM
    • 199 Posts
    • 468 Thanks
    FredG
    • #5
    • 19th Apr 17, 2:00 PM
    I don't disagree. If that is what has happened. I meant it when I said that I am not clear what the OP was saying.

    And if what you are saying is the case you do not move the file. You tell your manager immediately and get them to move it. If you move it there is no evidence that it was ever anywhere else on the drive.

    But I am still unclear exactly what is being said. For example, in my workplace I can see every file on the system. That does not mean that I can open every file on the system. I can open my personnel files. So can my manager. But my colleague can only see that there are files - not what is in them.
    Originally posted by sangie595


    IT Geek here. Definitely sounds like the OP's personal health docs are sitting in a level of a shared storage area that can be accessed by people other than those authorised to access.


    Sangie's advice is sound, leave it exactly where it is. If you move it you may lose any date stamps that support your claim as to when it was saved in the shared area. What do the properties say? You'd have a pretty good inkling who saved it there if the user who last modified it is in the file properties.
    Last edited by FredG; 19-04-2017 at 2:07 PM.
    • melymay
    • By melymay 19th Apr 17, 2:58 PM
    • 105 Posts
    • 346 Thanks
    melymay
    • #6
    • 19th Apr 17, 2:58 PM
    Thanks all,

    Yes the file was stored in a shared drive that could be accessed by the entire management team on site as well as some admin and support staff whom I am responsible for managing.

    On finding the file I took a copy of the link and sent it to my site manager - who is on leave - and asked another senior manager to remove the file and email a verification that it was she that relocated the file to its more secure location.

    I managed to get in contact with the site manager late last night who assures me this will be investigated, but I am nervous of the detailed content of the information being communicated to others in my organisation. As the report contains details of my mental health issues and actually names individuals that contributed to my being signed off from work, I'm worried about future repercussions this may have in my work life.

    My details have been out there for about a month for anyone to access and despite my breach I want to ensure that procedures are in place so that this does not affect anyone else.

    Thanks again for your advice,

    MM
    • sangie595
    • By sangie595 19th Apr 17, 3:08 PM
    • 3,331 Posts
    • 5,516 Thanks
    sangie595
    • #7
    • 19th Apr 17, 3:08 PM
    Thanks all,

    Yes the file was stored in a shared drive that could be accessed by the entire management team on site as well as some admin and support staff whom I am responsible for managing.

    On finding the file I took a copy of the link and sent it to my site manager - who is on leave - and asked another senior manager to remove the file and email a verification that it was she that relocated the file to its more secure location.

    I managed to get in contact with the site manager late last night who assures me this will be investigated, but I am nervous of the detailed content of the information being communicated to others in my organisation. As the report contains details of my mental health issues and actually names individuals that contributed to my being signed off from work, I'm worried about future repercussions this may have in my work life.

    My details have been out there for about a month for anyone to access and despite my breach I want to ensure that procedures are in place so that this does not affect anyone else.

    Thanks again for your advice,

    MM
    Originally posted by melymay
    In that case yes, that should not have happened. But you have reported it and it has been dealt with. Beyond that, what do you wish to do about it? You can report it to the Data Commissioner if you wish, but that won't change what has happened and it probably won't do much other than annoy the employer. You could put in a grievance, but again, it doesn't change what has happened already. So what do you want to happen here?

    In relation to the incident that caused your sick leave, is this the subject of any action?
    • xapprenticex
    • By xapprenticex 19th Apr 17, 7:30 PM
    • 1,109 Posts
    • 1,010 Thanks
    xapprenticex
    • #8
    • 19th Apr 17, 7:30 PM
    the protocol is that you have access to the staff that are accountable to you and not your peer group.
    Looking at that, I doubt the admin and support workers have people accountable to them (they are not managers) so maybe they are the exceptions who can access everything so as to update and maintain the system.

    It looks like that rule is for managers like yourself if you know what I mean.

    I may be wrong of course.

    Oh yeah no data protection breach here, so don't wave that one about at work, breach of company policy, I can agree especially if all managers can see it too.
    Last edited by xapprenticex; 19-04-2017 at 7:41 PM.
    • Tiddlywinks
    • By Tiddlywinks 19th Apr 17, 9:24 PM
    • 5,323 Posts
    • 18,433 Thanks
    Tiddlywinks
    • #9
    • 19th Apr 17, 9:24 PM
    Oh yeah no data protection breach here, so don't wave that one about at work, breach of company policy, I can agree especially if all managers can see it too.
    Originally posted by xapprenticex
    No - there is definitely a data breach.

    Medical data (amongst other topics) falls within the 'sensitive data' category and MUST be treated with the utmost security and protection.

    Here is a quote from the ICO's guidance for employers:

    'Keep information about workers’ health particularly secure. This might mean allowing only one or two people to have access to it, for example by password-protecting it, or keeping it in a sealed envelope in a worker’s file.'


    'Remember that, as an employer, your interest is mainly in knowing whether a worker is or will be fit to work. As far as possible it should be left to doctors and nurses to have access to and interpret detailed medical information for you.'

    Click here for guidance

    Placing a medical report on a shared drive is NOT correctly handling sensitive data. Full stop. No excuses. It is a data breach.

    The ICO has a helpline:

    https://ico.org.uk/global/contact-us/
    • xapprenticex
    • By xapprenticex 19th Apr 17, 10:44 PM
    • 1,109 Posts
    • 1,010 Thanks
    xapprenticex
    I'm not seeing what you're seeing. The drive is secure as only select people can access it, if I can go there and access it too then it's not secure but as stated by OP, only managers and those who maintain the drive have access. Maybe you're hung up on the 'shared' aspect of it, it's only shared between those who are cleared to have access to it.

    So no data protection breach imo.
    • LittleVoice
    • By LittleVoice 19th Apr 17, 11:01 PM
    • 8,437 Posts
    • 6,020 Thanks
    LittleVoice
    I'm not seeing what you're seeing. The drive is secure as only select people can access it, if I can go there and access it too then it's not secure but as stated by OP, only managers and those who maintain the drive have access. Maybe you're hung up on the 'shared' aspect of it, it's only shared between those who are cleared to have access to it.

    So no data protection breach imo.
    Originally posted by xapprenticex


    But the "select people" are more than have a need to see it and therefore it is a data breach. Most (if not all?) of those people would have no need to see what was written and should not have been given access, which access they had been given by virtue of the fact that it was placed in that drive.


    In my opinion you are wrong on this one.
    • Tiddlywinks
    • By Tiddlywinks 19th Apr 17, 11:22 PM
    • 5,323 Posts
    • 18,433 Thanks
    Tiddlywinks
    I'm not seeing what you're seeing. The drive is secure as only select people can access it, if I can go there and access it too then it's not secure but as stated by OP, only managers and those who maintain the drive have access. Maybe you're hung up on the 'shared' aspect of it, it's only shared between those who are cleared to have access to it.

    So no data protection breach imo.
    Originally posted by xapprenticex
    The SENSITIVE personal data was stored on a shared drive accessible to individuals who did not have a need to process (use / read).

    The employer therefore failed to exercise adequate security over said data.

    Mis-use (making SENSITIVE data available to unauthorised employees) and lack of adequate secure storage has caused significant distress to the data subject.

    https://ico.org.uk/for-organisations/guide-to-data-protection/principle-7-security/

    The employer has failed to apply the required data handling principles as required by the DPA.

    Principles

    Also, Codes of Practice here

    Key points and possible actions
    • The collection and use of information about workers’ health is against the law unless a sensitive data condition is satisfied.
    • In general employers should only collect health information where this is necessary for the protection of health and safety, to prevent discrimination on the grounds of disability, to satisfy other legal obligations or if each worker affected has given his or her explicit consent.
    • If consent is to be relied on, it must be freely given. That means a worker must be able to say ‘no’ without penalty and must be able to withdraw consent once given. Blanket consent obtained at the outset of employment cannot always be relied on.
    • Consent should not be confined to the testing itself, it should also cover the subsequent recording, use and disclosure of the test results.

    I spent many a late hour having to interpret possible breaches of the Act and can say that the ICO's interpretation of secure handling would not include placing sensitive personal data onto a shared drive.

    If you want further reading then look on the ICO's site at all of the Decision Notices.
    • melymay
    • By melymay 20th Apr 17, 10:21 AM
    • 105 Posts
    • 346 Thanks
    melymay
    Thanks all,

    Have a meeting this afternoon when I get to work so hopefully I will get some answers and will ensure this breach is investigated.

    MM