Playgroup breaching data protection act?

Flyboy152

fluffnutter wrote: »

The OP doesn't like the way she's been treated by this particular staff member. She also has a long history of distrusting her and being wary of the way she deals with children.

Why can't she stick to these facts without resorting to trying to bend very specific legislation? The DPA was not designed to prevent gossiping members of staff trying to pass on messages, and it's disingenuous to cry foul and try to argue that this nursery worker has 'broken the law'.

It was designed to protect data subjects from unlawful disclosure. This is nothing to do with "gossip." Telling a member of the public that a data subject has unpaid debts, that her child will no longer be attending the playgroup and that there are unsettled contractual obligations, is not mere "gossip" and shouldn't be be demeaned as such.

I think anyone who has to enhance their arguments with spurious connections to laws they know little about appears silly and foolish. Any solicitor well-versed in the DPA, or even a switched-on data commissioner, would rip the OP's arguments to shreds within a matter of seconds if she tried to argue this individual was breaching the DPA.

With what?

I think you'd do wise not to counsel her on parts of the act, quite frankly; your advice is dubious (for starters this woman won't be deemed the data controller).

How so? The woman does not have to be the data controller to be in breach of the act. The act does not apply to data controllers only, it applies to anyone who has access to the data.

If you believe you can cleverly interpret the act in the OP's favour, trust me, they'll be those far more clever than you interpreting in quite differently.

Really? :wall:

Equaliser123

Honestly, there is no breach here. If the person in question had handed over, e.g. account data, address details, etc then yes. But that didn't happen insofar as we can tell. All that was said was an inaccurate statement.

Check the definition of 'data' under the Act. What was said was not specific enough to fall within the definition.

Definition is as follows:

(1)In this Act, unless the context otherwise requires—

• “data” means information which—
  (a)
  is being processed by means of equipment operating automatically in response to instructions given for that purpose,
  
  (b)
  is recorded with the intention that it should be processed by means of such equipment,
  
  (c)
  is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system, F1. . .
  
  (d)
  does not fall within paragraph (a), (b) or (c) but forms part of an accessible record as defined by section 68; [F2or
  
  (e)
  is recorded information held by a public authority and does not fall within any of paragraphs (a) to (d);]
  
  
  

Flyboy152

fluffnutter wrote: »

This is complete supposition and can not be inferred from the information we have on this thread.

If this woman has, during the course of her work, legitimate reason to know who is, and isn't, signed up to the nursery, and moreover is also entitled to know who has, and hasn't, paid for the service (she works with the accounts for example), then there has been no breach of the DPA.

There is no way of knowing that at this stage and is why I wrote "probably." But, she clearly breached the act, when she disclosed this information to someone else who wasn't entitled to have it.

The act doesn't cover malicious, or misguided, actions by individuals.

You really ought to stop now, you are making things a lot worse.

It specifies that no one should have access to data if they have no legitimate reason for it, but how do we know who should have access to this data?

Such as the member of the public this employee disclosed the information to.

Do you really think that the OP's friend is entitled to that data?

It's perfectly possible that this nursery worker has every reason to know that the OP has left and (as far as the nursery's concerned) left owing money.

And is reason why I wrote "probably." But it is unlikely that a playgroup "worker" is the company secretary, data controller or accounts assistant. The employee might be entitled to have that information, but the OP's friend definitely wasn't.

If she then gossips at the nursery gates, that is a matter for internal disciplinary action, not an ICO investigation.

It is up to the ICO whether they investigate or not. But this was not simply "gossip," there is a chasm of a difference between "gossip" and what this employee has done.

Flyboy152

Equaliser123 wrote: »

Honestly, there is no breach here. If the person in question had handed over, e.g. account data, address details, etc then yes. But that didn't happen insofar as we can tell. All that was said was an inaccurate statement.

Check the definition of 'data' under the Act. What was said was not specific enough to fall within the definition.

Definition is as follows:

(1)In this Act, unless the context otherwise requires—

• “data” means information which—
  (a)
  is being processed by means of equipment operating automatically in response to instructions given for that purpose,
  
  (b)
  is recorded with the intention that it should be processed by means of such equipment,
  
  (c)
  is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system, F1. . .
  
  (d)
  does not fall within paragraph (a), (b) or (c) but forms part of an accessible record as defined by section 68; [F2or
  
  (e)
  is recorded information held by a public authority and does not fall within any of paragraphs (a) to (d);]
  
  
  

And this information falls into those definitions, particularly definitions (a), (b) and (c). Possibly, if this "playgroup" is considered a school, as defined by the act, definition (d) as well.

Equaliser123

Flyboy152 wrote: »

And this information falls into those definitions, particularly definitions (a), (b) and (c). Possibly, if this "playgroup" is considered a school, as defined by the act, definition (d) as well.

But the information wasn't specific enough to be within any of those categories.

Flyboy152

Equaliser123 wrote: »

But the information wasn't specific enough to be within any of those categories.

• The subject owes money.

• The subject has withdrawn their child.

• The subject has to pay more money for the coming term.

These three pieces of data fall into those three (possibly four, depending on designation of the "playgroup") definitions.

(a) The data would have been held on computer.

(b) There would have been a clear intention to hold any of the data on computer.

(c) The would have been a record in a filing cabinet, if not a clear intention to do so.

It would be inconceivable to imagine that a "playgroup," no doubt regulated by OFSTED, would not have kept these records on a computer or in a filing cabinet.

Equaliser123

Flyboy152 wrote: »

• The subject owes money.

• The subject has withdrawn their child.

• The subject has to pay more money for the coming term.

These three pieces of data fall into those three (possibly four, depending on designation of the "playgroup") definitions.

(a) The data would have been held on computer.

(b) There would have been a clear intention to hold any of the data on computer.

(c) The would have been a record in a filing cabinet, if not a clear intention to do so.

It would be inconceivable to imagine that a "playgroup," no doubt regulated by OFSTED, would not have kept these records on a computer or in a filing cabinet.

Sorry, going to have to agree to differ on this.

The Information Commissioner is reluctant to get involved in any 'one off' breaches in any event so getting them remotely interested in this is a non-starter.

Flyboy152

Equaliser123 wrote: »

Sorry, going to have to agree to differ on this.

The Information Commissioner is reluctant to get involved in any 'one off' breaches in any event so getting them remotely interested in this is a non-starter.

I somewhat agree, but then if one doesn't report them, they will never know how many breaches there have been.

However, if they receive a complaint they have to investigate. That investigation could be as much as looking up to see if there have been any previous complaints and writing a letter. Often that is enough for a data controller to change their behaviour. For example, we had an issue with a small company and in the great scheme of things wasn't very important (although it was to us at the time) and they were very helpful. They wrote a letter to the company and the company changed their procedures.

Equaliser123

Flyboy152 wrote: »

I somewhat agree, but then if one doesn't report them, they will never know how many breaches there have been.

However, if they receive a complaint they have to investigate. That investigation could be as much as looking up to see if there have been any previous complaints and writing a letter. Often that is enough for a data controller to change their behaviour. For example, we had an issue with a small company and in the great scheme of things wasn't very important (although it was to us at the time) and they were very helpful. They wrote a letter to the company and the company changed their procedures.

I think your idea as to what the ICO does is optimistic. They have never been particularly interested in smaller issues and simply don't have the resource to investigate something like this.

AsknAnswer2

I commend you for taking this one step further, and from what little you have said about your other concerns in regard to the playworker, somebody needs to do it.

I used a childcare setting a while ago and discovered some things were happening that shouldn't have been in a way which placed my child in danger. I also discovered that several parents had removed their children over the years because of these issues. I complained to the setting and when nothing was done, I took it further and complained to the authority responsible for its regulation. The authority were unable to uphold my complaint because the care setting denied the practices. It was my word against theirs.The authority did say that they believed what I said to be factual but believing it wasn't enough as they required evidence or an admission. They were unable to speak to parents who had left who could corroborate the practices because of the time that had passed since they had used the service. My point of view was that it was because of the time involved that they should be able to speak to those parents as it showed that the practices had been ongoing over a substantial period, and weren't just recent which made the issues even more serious. They told me that if the other parents had come forward at the time then that would have given my complaint more support and they would probably be able to uphold it. As it stood I was the only person to complain at that point - though they said my complaint would be kept on file for future reference.

I don't like this attitude where people think if they remove their children, the problem is solved. It's not - it just continues with other children. If those parents had complained at the time, my child may not have been placed in the position that they were because action may have been taken at an earlier date and the details of the complaint on the website which would have meant that I would not have selected that care setting. I know that I couldn't sleep at night if I hadn't taken it further and something happened to a child as a result of a bad practice. So although I wasn't happy with the outcome, at least I know I did everything I could rather than simply remove my child and do no more. And I'm happy that someone else is prepared to do this.

The only thing I would suggest is that in addition to this complaint, you complain to the regulatory body too about all the concerns you have.