Playgroup breaching data protection act?

somethingcorporate

arcon5 wrote: »

A letter of apology is much better than nothing at all.

How does anybody ever know if they are doing something wrong if people take the attitude of doing nothing? Atleast by making a complain the company are given the opportunity to improve their service an ensure staff are abiding by company policy.

It also gives op peace of mind that their concerns have been heard and they will ensure it won't happen again. So in future this member of staff may think twice before doing it again.

Noble intentions indeed, however, since it has no impact at all on the OP or their kids if I were the nursery I would happily write an apologetic letter to get them to go away but it does not mean anything will change. Unfortunately that is the sceptic in me.

A letter of apology saying something will never happen hardly means that is certain and getting to that stage does not seem a particularly fruitful use of time.

If they feel strongly about it they should put their concerns in writing for peace of mind if nothing else. I cannot see it achieving much.

I am of course referring to the DPA issue and not the poor quality of care by one of the staff.

Flyboy152

fluffnutter wrote: »

You have a right to be cross. I suggest you keep the Data Protection Act out of it; it's specific legislation regarding how, where and for what purpose you hold data, not a means of avoiding tittle-tattle.

Write to the nursery and resolve your issues surrounding the alleged outstanding charge and ask them to remind their staff to be professional and specifically to not gossip or pass on messages via others. Bring up your other issues with this employee by all means, but muddying the waters with spurious links to legislation most people struggle to understand probably won't help.

This is a clear breach of the Data Protection Act and is far worse than a bit of tittle-tattle. How anyone could see at as anything else is beyond me.

Equaliser123

Flyboy152 wrote: »

This is a clear breach of the Data Protection Act and is far worse than a bit of tittle-tattle. How anyone could see at as anything else is beyond me.

Can't see it being a breach at all. Why do you say it is?

Flyboy152

peachyprice wrote: »

It sounds to me that the playgroup leader is dealing with the situation adequately, she is investigating and will discipline the worker (not sure she should have told you that though under the DPA).

Just write your letter stating the facts as they are. IMO throwing in quotes from acts you do not understand in their entirety will achive no more for you than sticking to the facts will and may make you look more than a little foolish if challenged.

It sounds to me that the OP is fairly intelligent and is able make up their own minds about what they do and don't understand. The purpose of her asking the question on here is to be better informed.

Flyboy152

Equaliser123 wrote: »

Sounds like a terrible playgroup. Personally I would have pulled my child out of there much, much earlier.

There is no breach of the DPA. What personal data do you say has been disclosed?

Also sounds like you are getting mixed up about what the issue is. As others have said, you have done your bit. Now let due process take place.

Sorry Equaliser, but I have to disagree with you there. There has been a very clear breach. The playgroup worker disclosed personal data to someone who is not entitled to have it. Furthermore the information was out of date and inaccurate. Two very basic principles of the act. The breach involves Princples 4 and 6 (as well as probably Priciples 5 and 7) of the act.

Equaliser123

Flyboy152 wrote: »

Sorry Equaliser, but I have to disagree with you there. There has been a very clear breach. The playgroup worker disclosed personal data to someone who is not entitled to have it. Furthermore the information was out of date and inaccurate. Two very basic principles of the act. The breach involves Princples 4 and 6 (as well as probably Priciples 5 and 7) of the act.

No - there was no "data" disclosed.

Something was said about the OP which may not have been accurate. Possible slander. Possible breach of confidentiality.

But no data within the meaning of the Act was disclosed.

Flyboy152

somethingcorporate wrote: »

You're getting confused here.

We're talking about the breach of data protection not the quality of care given. These two things are separate issues that need addressing independently. It appears that something is being done about the (alleged) mistreatment but there is little to be gained from pursuing the DPA issue.

The playgroup worker was in possession of data that she probably was not entitled to have and disclosed that data to another person who was definitely not entitled to have it. There appears to have been a breach of the act, because the data controllers seem not have adequate organisational safeguards in place to prevent the disclosure. If the worker was able to have access to that data, the company should have trained the worker in her responsibilities under the act and ensured that such a disclosure would not have been possible. They have failed to protect the OPs data, as per their responsibilities under the Data Protection Act 1998 and it is imperative that they understand the consequences of their omissions, otherwise it is likely to happen again.

OP, you need to take direct advice from the Information Commissioner's Office, they will give help and advice on the definitive interpretation of the act and will ultimately decide whether this a serious breach worthy of their attention.

Flyboy152

Equaliser123 wrote: »

No - there was no "data" disclosed.

Something was said about the OP which may not have been accurate. Possible slander. Possible breach of confidentiality.

But no data within the meaning of the Act was disclosed.

There was data disclosed. Much of it was inaccurate and out of date, but nonetheless, it was still data (yes, data within the meaning of the act) which was disclosed.

fluffnutter

Flyboy152 wrote: »

This is a clear breach of the Data Protection Act and is far worse than a bit of tittle-tattle. How anyone could see at as anything else is beyond me.

Flyboy152 wrote: »

Sorry Equaliser, but I have to disagree with you there. There has been a very clear breach. The playgroup worker disclosed personal data to someone who is not entitled to have it. Furthermore the information was out of date and inaccurate. Two very basic principles of the act. The breach involves Princples 4 and 6 (as well as probably Priciples 5 and 7) of the act.

Flyboy152 wrote: »

The playgroup worker was in possession of data that she probably was not entitled to have and disclosed that data to another person who was definitely not entitled to have it. There appears to have been a breach of the act, because the data controllers seem not have adequate organisational safeguards in place to prevent the disclosure. If the worker was able to have access to that data, the company should have trained the worker in her responsibilities under the act and ensured that such a disclosure would not have been possible. They have failed to protect the OPs data, as per their responsibilities under the Data Protection Act 1998 and it is imperative that they understand the consequences of their omissions, otherwise it is likely to happen again.

OP, you need to take direct advice from the Information Commissioner's Office, they will give help and advice on the definitive interpretation of the act and will ultimately decide whether this a serious breach worthy of their attention.

The OP doesn't like the way she's been treated by this particular staff member. She also has a long history of distrusting her and being wary of the way she deals with children.

Why can't she stick to these facts without resorting to trying to bend very specific legislation? The DPA was not designed to prevent gossiping members of staff trying to pass on messages, and it's disingenuous to cry foul and try to argue that this nursery worker has 'broken the law'.

I think anyone who has to enhance their arguments with spurious connections to laws they know little about appears silly and foolish. Any solicitor well-versed in the DPA, or even a switched-on data commissioner, would rip the OP's arguments to shreds within a matter of seconds if she tried to argue this individual was breaching the DPA. I think you'd do wise not to counsel her on parts of the act, quite frankly; your advice is dubious (for starters this woman won't be deemed the data controller). If you believe you can cleverly interpret the act in the OP's favour, trust me, they'll be those far more clever than you interpreting in quite differently.

fluffnutter

Flyboy152 wrote: »

There appears to have been a breach of the act, because the data controllers seem not have adequate organisational safeguards in place to prevent the disclosure.

This is complete supposition and can not be inferred from the information we have on this thread.

If this woman has, during the course of her work, legitimate reason to know who is, and isn't, signed up to the nursery, and moreover is also entitled to know who has, and hasn't, paid for the service (she works with the accounts for example), then there has been no breach of the DPA. The act doesn't cover malicious, or misguided, actions by individuals. It specifies that no one should have access to data if they have no legitimate reason for it, but how do we know who should have access to this data? It's perfectly possible that this nursery worker has every reason to know that the OP has left and (as far as the nursery's concerned) left owing money.

If she then gossips at the nursery gates, that is a matter for internal disciplinary action, not an ICO investigation.