[Misc] Is this a clear breach of GDPR?

[METALMICKY]

A quick question for all you admin/data controllers out there.

Last week the company I work for sent out a group email confirming that spaces were available on a training course. The email was sent from the administrator's work email address but was addressed to 12 recipients including myself and used our personal email addresses such at Outlook and Gmail. It was simply sent using the ' To ' box as opposed to ' BCC' . Accordingly, every recipient can clearly see the other 11 people's personal email addresses. 10 of those email addresses clearly identify names and surnames as opposed to where people have used nonsense ones that don't in any way identify them.

Just to clarify the company I work for would only ever have and use our personal emails due to the nature of the business, and would normally only ever send similar group emails by using BCC or they have a bespoke group messaging system.

Normally it's the sort of thing I would let slide but on this occasion I have a concern. The most important one being that since that email my inbox has has seen a marked increase in spam and phishing emails. Some of the phishing ones are pretty good ones supposedly being from Microsoft. I can spot them a mile away but I've a concern that some of my older and less tech savvy Co workers could be at risk.

Is this a clear breach of GDPR and what should my company doing about it? Alternatively, have I got it wrong and potentially over reacting?

On occasions Google can be your friend but it can easily mislead or be misinterpreted. Even the ICO web site is a not totally clear which is why I'm putting the question out there

Many thanks for any advice,observations or guidance

 

[Tom Hark Preston Park]

Wouldn't happen in East Germany

 

[SeagullinExile]

Pretty sure GDPR is only breached if your identity is clearly visible. Like a full name and address, or phone number. Email addresses generally don’t do this.

Probably not the best thing for them to do though, especially if people have work email addresses.

 

[Questions]

What was that about hats again ?

 

[dazzer6666]

A quick question for all you admin/data controllers out there.

Last week the company I work for sent out a group email confirming that spaces were available on a training course. The email was sent from the administrator's work email address but was addressed to 12 recipients including myself and used our personal email addresses such at Outlook and Gmail. It was simply sent using the ' To ' box as opposed to ' BCC' . Accordingly, every recipient can clearly see the other 11 people's personal email addresses. 10 of those email addresses clearly identify names and surnames as opposed to where people have used nonsense ones that don't in any way identify them.

Just to clarify the company I work for would only ever have and use our personal emails due to the nature of the business, and would normally only ever send similar group emails by using BCC or they have a bespoke group messaging system.

Normally it's the sort of thing I would let slide but on this occasion I have a concern. The most important one being that since that email my inbox has has seen a marked increase in spam and phishing emails. Some of the phishing ones are pretty good ones supposedly being from Microsoft. I can spot them a mile away but I've a concern that some of my older and less tech savvy Co workers could be at risk.

Is this a clear breach of GDPR and what should my company doing about it? Alternatively, have I got it wrong and potentially over reacting?

On occasions Google can be your friend but it can easily mislead or be misinterpreted. Even the ICO web site is a not totally clear which is why I'm putting the question out there

Many thanks for any advice,observations or guidance

Yes - it's a breach because PII (your email address) has been disclosed without your consent. Quite what they could/should do about it I don't know - other than record it and put in measures to prevent repetition

 

[CoolTed]

I regularly send out group emails to hundreds of recipients and have nightmares about making a mistake like this. Even though my work is not for a company, GDPR rules are clear for all organisations and individuals - no details can be shared unless specifically authorised by the individual - and the consequences of breaking the rules are potentially quite serious.
As I understand it, any organisation that breaches GDPR has a duty to report the matter to the ICO.
I would have thought the best course of action would be for the company to send another email (carefully!) to all concerned, apologise, insist that all copies are destroyed and remind recipients that none of the personal details, addresses, etc. should be shared with anyone else.

 

[Audax]

A quick question for all you admin/data controllers out there.

Last week the company I work for sent out a group email confirming that spaces were available on a training course. The email was sent from the administrator's work email address but was addressed to 12 recipients including myself and used our personal email addresses such at Outlook and Gmail. It was simply sent using the ' To ' box as opposed to ' BCC' . Accordingly, every recipient can clearly see the other 11 people's personal email addresses. 10 of those email addresses clearly identify names and surnames as opposed to where people have used nonsense ones that don't in any way identify them.

Just to clarify the company I work for would only ever have and use our personal emails due to the nature of the business, and would normally only ever send similar group emails by using BCC or they have a bespoke group messaging system.

Normally it's the sort of thing I would let slide but on this occasion I have a concern. The most important one being that since that email my inbox has has seen a marked increase in spam and phishing emails. Some of the phishing ones are pretty good ones supposedly being from Microsoft. I can spot them a mile away but I've a concern that some of my older and less tech savvy Co workers could be at risk.

Is this a clear breach of GDPR and what should my company doing about it? Alternatively, have I got it wrong and potentially over reacting?

On occasions Google can be your friend but it can easily mislead or be misinterpreted. Even the ICO web site is a not totally clear which is why I'm putting the question out there

Many thanks for any advice,observations or guidance

I've worked directly on GDPR implementation in my role, and currently handle GDPR requests within my team on a regular basis and therefore still quite close to it.

This is, 100%, a breach of GDPR. See my replies to others below for next steps for yourself...

Pretty sure GDPR is only breached if your identity is clearly visible. Like a full name and address, or phone number. Email addresses generally don’t do this.

Probably not the best thing for them to do though, especially if people have work email addresses.

Incorrect. A GDPR breach is made when *any* data that could be used to identify a person (the data itself does not need to make this identification itself) is used incorrectly. This includes email addresses (under all circumstances, regardless of whether the email address actually identifies that person by name - it is unique to the individual and therefore constitutes PII under the regulation). Have a read here: https://ico.org.uk/for-organisation...n-gdpr/key-definitions/what-is-personal-data/

(Worth noting as well, that how companies use email addresses they have obtained is further protected by other regulations such as PECR [in relation to email marketing] and the Data Protection Act [there are some small differences between the DPA 2018 and GDPR].)

Yes - it's a breach because PII (your email address) has been disclosed without your consent. Quite what they could/should do about it I don't know - other than record it and put in measures to prevent repetition

It's actually pretty simple: they should be self-reporting themselves to the ICO, with an explanation of what the breach was, and how it happened. The ICO will then determine what happens next. [MENTION=1737]METALMICKY[/MENTION] should invite the company to do so immediately, and if they do not I believe he/she can make the report themselves as a victim of the breach.

 

[AIT76]

I had similar recently.

I'd booked a working trip to a plant overseas. The next day I received an e-mail from the Travel Security Manager with a copy of the 'traveller awareness briefing' attached. No problem whatsoever with that, however the mail wasn't only addressed to me, but five other unconnected travellers and cc'd to five others in, I assume, the security department.

Within the body of the e-mail was a list of all the travellers names, dates / times / flight numbers, and mobile phone numbers.

So five employees travel plans and contact details have been shared amongst ten people who have absolutely no business knowing.

I've flagged it to the generic company data protection contact e-mail, but as other have said don't really expect anything more than a 'soz, we won't do it again'.

 

[METALMICKY]

I've worked directly on GDPR implementation in my role, and currently handle GDPR requests within my team on a regular basis and therefore still quite close to it.

This is, 100%, a breach of GDPR. See my replies to others below for next steps for yourself...





Incorrect. A GDPR breach is made when *any* data that could be used to identify a person (the data itself does not need to make this identification itself) is used incorrectly. This includes email addresses (under all circumstances, regardless of whether the email address actually identifies that person by name - it is unique to the individual and therefore constitutes PII under the regulation). Have a read here: https://ico.org.uk/for-organisation...n-gdpr/key-definitions/what-is-personal-data/

(Worth noting as well, that how companies use email addresses they have obtained is further protected by other regulations such as PECR [in relation to email marketing] and the Data Protection Act [there are some small differences between the DPA 2018 and GDPR].)





It's actually pretty simple: they should be self-reporting themselves to the ICO, with an explanation of what the breach was, and how it happened. The ICO will then determine what happens next. [MENTION=1737]METALMICKY[/MENTION] should invite the company to do so immediately, and if they do not I believe he/she can make the report themselves as a victim of the breach.

Thank you. That's a really comprehensive and helpful.

The other issue here is that the 2 man admin team responsible for the breach have been a pain and useless all summer. Lots of poor communication and shed loads of badly worded, inaccurate nit picking emails with the ridiculous over use of bold, underlined and exclamation marks! In short a tad aggressive and unprofessional.

 

[Audax]

Thank you. That's a really comprehensive and helpful.

The other issue here is that the 2 man admin team responsible for the breach have been a pain and useless all summer. Lots of poor communication and shed loads of badly worded, inaccurate nit picking emails with the ridiculous over use of bold, underlined and exclamation marks! In short a tad aggressive and unprofessional.

On reflection, there is a possibility that it isn't a GDPR breach - but that would require you to have signed a contract stating that you are happy that personal email addresses are used for business purposes and under what circumstances those emails might be disclosed to other staff within the business. Ideally, though, given that personal email addresses are in use they should be doing everything within their power to prevent unauthorised dissemination of those email addresses.

 

[Half Time Pies]

I've worked directly on GDPR implementation in my role, and currently handle GDPR requests within my team on a regular basis and therefore still quite close to it.

This is, 100%, a breach of GDPR. See my replies to others below for next steps for yourself...





Incorrect. A GDPR breach is made when *any* data that could be used to identify a person (the data itself does not need to make this identification itself) is used incorrectly. This includes email addresses (under all circumstances, regardless of whether the email address actually identifies that person by name - it is unique to the individual and therefore constitutes PII under the regulation). Have a read here: https://ico.org.uk/for-organisation...n-gdpr/key-definitions/what-is-personal-data/

(Worth noting as well, that how companies use email addresses they have obtained is further protected by other regulations such as PECR [in relation to email marketing] and the Data Protection Act [there are some small differences between the DPA 2018 and GDPR].)





It's actually pretty simple: they should be self-reporting themselves to the ICO, with an explanation of what the breach was, and how it happened. The ICO will then determine what happens next. [MENTION=1737]METALMICKY[/MENTION] should invite the company to do so immediately, and if they do not I believe he/she can make the report themselves as a victim of the breach.

Its a breach of data protection as his email address was shared without his consent, however I don't think it would be reportable to the ICO as its low risk? Its just an email address and it's being shared with others that work within the same company.

 

[thedonkeycentrehalf]

You should have a nominated Data Protection person in your organisation who deals with this. You should raise your concerns with them and they should then have processes to follow including raising to the ICO if deemed appropriate.

 

[Audax]

Its a breach of data protection as his email address was shared without his consent, however I don't think it would be reportable to the ICO as its low risk? Its just an email address and it's being shared with others that work within the same company.

Depends on the nature of the work and the relationship between those staff. Given there's circumstantial evidence that the breach has resulted in a detrimental impact on the OP (increase in spam / phishing emails) it's possible that either a) someone on the recipient list has been the source of a further breach, or b) there have been, unknown to the OP, further breaches within the company resulting in their email address being compromised.

 

[Half Time Pies]

Depends on the nature of the work and the relationship between those staff. Given there's circumstantial evidence that the breach has resulted in a detrimental impact on the OP (increase in spam / phishing emails) it's possible that either a) someone on the recipient list has been the source of a further breach, or b) there have been, unknown to the OP, further breaches within the company resulting in their email address being compromised.

Or it could be a complete coincidence of course!

They would need to risk assess it but I would doubt it will end up as reportable, they will probably end up giving the person who sent the email a GDPR refresher and give the OP some guarantees that it won't happen again!

 

[CoolTed]

On reflection, there is a possibility that it isn't a GDPR breach - but that would require you to have signed a contract stating that you are happy that personal email addresses are used for business purposes and under what circumstances those emails might be disclosed to other staff within the business. Ideally, though, given that personal email addresses are in use they should be doing everything within their power to prevent unauthorised dissemination of those email addresses.

My understanding is that authority to share details has to be pretty specific and cannot be wrapped up in a generic document, such as an employment contract, T's and C's, etc.
Sometimes, with my communications, there is a need for recipients to, in turn, communicate among themselves. In these cases, I obtain their agreement to share their details but make it clear that such authority is only for that specific purpose and will soon lapse accordingly.

 

[Audax]

My understanding is that authority to share details has to be pretty specific and cannot be wrapped up in a generic document, such as an employment contract, T's and C's, etc.
Sometimes, with my communications, there is a need for recipients to, in turn, communicate among themselves. In these cases, I obtain their agreement to share their details but make it clear that such authority is only for that specific purpose and will soon lapse accordingly.

Hence why I said "under what circumstances" as part of what you quoted . That part produces the specificity that is required.

 

[Bakero]

My company has just sent out a an email with a link to a Google Doc containing the personal phone numbers of all staff members. Is this permissible?

 

[hans kraay fan club]

My company has just sent out a an email with a link to a Google Doc containing the personal phone numbers of all staff members. Is this permissible?

Only if each of the people listed had given their permission for their name and number to be shared around the company in such a way. Otherwise, absolutely not.


Reading the rest of the thread - the OPs incident is pretty minor and honestly, I could not see any point in making a fuss about it. Some of your colleagues were given your email address?

However, the example that [MENTION=2809]AIT76[/MENTION] has given - that one is HORRIFIC, and you'd be well within your rights to make any level of fuss. They've shared a load of your personal information with 10 people unknown to you, including your home address, and the dates your house is empty!

 

[Bakero]

Only if each of the people listed had given their permission for their name and number to be shared around the company in such a way. Otherwise, absolutely not.


Reading the rest of the thread - the OPs incident is pretty minor and honestly, I could not see any point in making a fuss about it. Some of your colleagues were given your email address?

However, the example that [MENTION=2809]AIT76[/MENTION] has given - that one is HORRIFIC, and you'd be well within your rights to make any level of fuss. They've shared a load of your personal information with 10 people unknown to you, including your home address, and the dates your house is empty!

Thanks for confirming. I'm not that bothered personally but other staff might be and the owner is always banging on about Data Protection.