Data Protection Query
jkkneast
Posts: 6 Forumite
Hi
I've recently been doing some work with a local community group, they are a decent sized organisation with a number of premises.
I've sent quite a few bits of personal data and work related things to and from their registered business email address, which is .@theirdomain.com and is only accessible from within their building.
However, I was really concerned to hear that the Administrator I deal with has been forwarding all my emails to her personal home email address for her reference. Whilst this may not be the end of the world, I have no idea who has access to that email address, no idea what her security is like and I'm concerned my details (a lot of personal stuff and a chain of emails with colleagues)
When I raised this I was brushed off and told 'well, I've been having problems with my laptop at work' so I send everything home, what's the problem.
I've also since received a number of spam type emails from the user.
Where do I stand in terms of data protection?
(apologies if wrong board)
Comments
-
I believe this to be a clear contravention of the DPA
which covers the storage and retrieval of your personal information
they should have informed you and sought your agreement if the data was being forwarded to a different e-mail account.
However breach of the DPA as far as I am aware is a civil matter so you would only have the remedy of suing them - however if you mention this to them, it "should" flag up this breach to them and force them to behave appropriately.
-
Email is inherently insecure, any information you sent was transmitted in plain text across the open internet through any number of intermediary servers.
By sending it as an email I would say you consent to its storage as email. They haven't processed it outside the company and not made it any more or less secure than it was originally.
Their email will NOT only be accessible inside the company building as you state. By its very nature for it to accept email it must be connected to the public network and therefore is accessible via a public network.
I would just voice your concerns about data security in general and suggest that personal data is not emailed in the first place.
-
By sending it as an email I would say you consent to its storage as email. They haven't processed it outside the company and not made it any more or less secure than it was originally.
Surely they HAVE processed it outside the company if the addressee has sent it to her PERSONAL e-mail account "at home"?
-
It's still not been processed for a purpose outside that for which it was provided.
If she had sent it home to work on the data in pursuance to her duties for the company then it is still being processed within the remit of the reason it was provided. Now if it was sent home so she could use the data for some other spurious purpose then yes you would be correct that it has been processed outside the company.
-
but the DPA covers the storage and retrieval of information too so if the OP is unhappy that their personal info has been sent to and presumably stored on someone's home computer system - potentially a web mail based server - then I do believe the OP to be rightfully concerned.
-
Concerned yes and that concern can be expressed. But it was initially sent by email so it is now no less secure than it was originally. The same person has access. A web based email system.... all email is internet based so there is no difference. It is on a server regardless, it has travelled in plain text regardless.
It does cover storage and retrieval yes you are correct. It does not stipulate what that may be though. In fact until there is a breach of data then no crime is committed in that respect. The only caveat that the OP might have is that the data might be stored outside the EEC and so the company might find it hard to ensure that the physical location of said data is subject to similar rules as the DPA. Likewise though the data is likely to have originated outside Europe if the OP used a web based email interface at some point....
-
OK
I bow to your greater knowledge of internet storage/transfer/retrieval
however as an example of good working practice - it is not - the OP has the right to expect some level of security, even something as simple as the information being stored on a computer in a locked/secure/alarmed building.
we have no way of knowing that the home where the information has been sent and stored has the equivalent level of security as the offices.
my assumption would be that the home is possibly more likely to be the target of an ad hoc burglary with the home computer being stolen/resold/pawned than the business premises are.
so if it were MY information - I too would not be happy with the cavalier manner in which my concerns had been dealt with.
-
I agree with you there, and like I said the OP should maybe raise their concerns but I'd avoid spouting "Data Protection" initially at least. A lot of the general public resort to just saying that's against the DPA (and a lot of companies for that matter) when it is absolutely nothing to do with the DPA.
The OP might simply request that all personal data is removed from any and all email systems without delay (including trash cans) and subsequently stored in a secure manner in order to protect the company in the case of theft etc.
(BTW - I lecture in Data Security at degree level (Level 4/5))
-
I would never have suspected!
also isn't the Government secure internet (GSI) a completely secure method of transmitting e-mails?
if not - maybe you should let them know!
This discussion has been closed.