
Data Protection Issue at Work

  • 03-09-2010 2:04pm
    #1
    Registered Users Posts: 166,026 ✭✭✭✭


    Hi All,

    I am looking for some advice on a serious issue I have encountered at work. We have a shared resource drive which is accessible by all members of staff for sharing information and for data storage (documentation, programs etc.).

    I noticed that very sensitive information is able to be accessed by everyone in the company: C.V.s and salary information. I have made the HR Director aware of this issue in the form of an email and I have asked that it be removed promptly and that additional safeguards be put in place to ensure it does not occur again. I did this a number of days ago.

    However, this information is still there a few days after it was reported. I had a look at our HR policies and we have a Data Protection policy; it looks as if it has not been followed. It states that our information will be kept secure etc. and that we are registered with the Data Protection Commissioner's Office.

    I'm assuming that management should follow the Data Protection Commissioner's Office Code of Practice following a breach like this, since our HR policies clearly state we are registered with them?


    http://www.dataprotection.ie/docs/07/07/10_-_Data_Security_Breach_Code_of_Practice/1082.htm


    Taken from the website:

    · the amount and nature of the personal data that has been compromised;

    · the action being taken to secure and / or recover the personal data that has been compromised;

    · the action being taken to inform those affected by the incident or reasons for the decision not to do so;

    · the action being taken to limit damage or distress to those affected by the incident;

    · a chronology of the events leading up to the loss of control of the personal data; and

    · the measures being taken to prevent repetition of the incident.


Comments

  • Registered Users Posts: 1,799 ✭✭✭gerrycollins


    well at least you have reported it.

    why not follow up your reporting of it with a reminder to HR and cc the email to your head of IT or the administrator of your network?


  • Registered Users Posts: 166,026 ✭✭✭✭LegacyUser


    I don't work in an administrator role where I currently work, but I do have quite a lot of IT experience. In our company it's the data controller's responsibility to secure this info. For example, accounts have their own private drive which only members of the accounts group can access and view info on, so I don't understand why HR cannot do the same.

    Regardless, the info I saw is extremely sensitive and it's obvious that HR aren't following their own policies. C.V.s from job applicants who applied for a role unsuccessfully have not been deleted, etc. etc.
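    The per-department model described above (a folder that only members of one group can read) is easy to check for mechanically. The script below is an added example, not code from the thread or from any poster; it constructs a small demo share in a temporary directory using POSIX permission bits as a stand-in for the real share's ACLs (an assumption: a corporate share is more likely NTFS), lists every file under a sensitive folder that is readable by everyone, and then strips that access so only the owner and the group keep it. The folder names and file contents are constructed sample data.

```python
import os
import stat
import tempfile

# Constructed demo layout (hypothetical). 0o644 means "everyone can read";
# 0o640 means "owner and group only", i.e. the accounts-drive model above.
DEMO_FILES = {
    "HR/salaries.csv": 0o644,        # world-readable: the problem case
    "HR/cv_applicants.docx": 0o644,  # world-readable: the problem case
    "Accounts/ledger.csv": 0o640,    # group-restricted: the desired state
    "Shared/office_map.pdf": 0o644,  # genuinely public, not a sensitive folder
}

# Top-level folders whose contents should never be readable by everyone.
SENSITIVE_FOLDERS = ("HR", "Accounts")


def build_demo_share():
    """Create the constructed share in a temp directory and return its path."""
    root = tempfile.mkdtemp(prefix="share_")
    for rel, mode in DEMO_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f:
            f.write("constructed sample content\n")
        os.chmod(path, mode)  # explicit chmod so the umask does not interfere
    return root


def find_exposed_files(root, sensitive_folders=SENSITIVE_FOLDERS):
    """Return relative paths (sorted, '/'-separated) of files under a sensitive
    top-level folder whose mode grants read access to 'other', i.e. to every
    account on the system rather than just the owning group."""
    exposed = []
    for dirpath, _dirs, files in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        top = rel_dir.split(os.sep)[0]  # "." for the share root itself
        if top not in sensitive_folders:
            continue
        for name in files:
            full = os.path.join(dirpath, name)
            if os.stat(full).st_mode & stat.S_IROTH:
                exposed.append(os.path.relpath(full, root).replace(os.sep, "/"))
    return sorted(exposed)


def restrict_to_group(root, exposed):
    """Remediation: clear the 'other' permission bits on each listed file so
    only the owner and the owning group retain access."""
    for rel in exposed:
        full = os.path.join(root, rel)
        mode = stat.S_IMODE(os.stat(full).st_mode)
        os.chmod(full, mode & ~0o007)


if __name__ == "__main__":
    share = build_demo_share()
    found = find_exposed_files(share)
    print("Exposed:", found)
    restrict_to_group(share, found)
    print("After fix:", find_exposed_files(share))
```

    Run against a real share, the same walk-and-stat loop would be pointed at the mount point and the sensitive folder list taken from the HR policy; on an NTFS share the per-file check would need to read the ACL instead of the mode bits, which this example does not do.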


  • Moderators, Business & Finance Moderators Posts: 10,299 Mod ✭✭✭✭Jim2007


    Regardless, the info I saw is extremely sensitive and it's obvious that HR aren't following their own policies. C.V.s from job applicants who applied for a role unsuccessfully have not been deleted, etc. etc.

    Here is the thing: all the data protection references you have given relate to a company or organisation of some kind losing control of its data, and so far I have not seen any evidence of this! You have no evidence of disks being lost, employees taking the data off site, members of the public being able to access the data and so on...

    While I fully agree with you in that it does not look good and I certainly would not be happy about it, it does not mean that just because an unauthorized employee of the company was able to access certain data that the company has broken the law!

    I'm just pointing that out because I think you need to be very careful when you start making those kinds of statements. I would suggest that once you have informed the person designated as the data protection officer in your company, the data owner (HR) and your immediate supervisor, then you have fully met your obligations.

    Good luck with that,

    Jim


  • Registered Users Posts: 166,026 ✭✭✭✭LegacyUser


    Thanks for the replies so far.

    HR didn't address the issue immediately after it was reported by me. Being honest, I fear for my own personal info due to their laid-back approach to this issue.

    The Code of Practice I have referenced in my previous post doesn't state whether it has to be an unauthorised person outside of the company or an unauthorised employee, and that's what I'm trying to ascertain.

    What I would have expected was:
    - That the info would have been taken down immediately,
    - Those affected (employees and persons who were unsuccessful in their job applications) would have been informed regarding the extent of the leak, or at least reassured that it had been addressed and the info was no longer available, and
    - More stringent protocols put in place to stop it occurring again.

    But to date, only the info has been removed, a number of days after it was reported.


  • Registered Users Posts: 33,518 ✭✭✭✭dudara


    While I appreciate your concern about data privacy, I think that you may be overdoing this whole issue. As a previous poster has pointed out, there has been no data leak and they have removed the data in question.


  • Registered Users Posts: 25,966 ✭✭✭✭Mrs OBumble


    Just because data is on a shared drive doesn't mean that employees with access should look at it.

    Be very careful, because the finger could be pointed back at you for snooping around in places where you knew you shouldn't be. (By analogy: just because your neighbour doesn't lock his front door doesn't mean it's OK for you to wander into his house.)

    In reality, a clueless HR person probably doesn't know how to make the data accessible to the small group of people who should have access to it, and no one else. Individual drives are kinda useless, because very few files need to only be seen by one person.

    You'd be better off expressing your concerns to whoever manages your IT: they're more likely to understand the problem and to suggest/implement solutions.


  • Registered Users Posts: 166,026 ✭✭✭✭LegacyUser


    Thanks for the advice. I had a legitimate reason for being in that location, as I was doing something my job entailed, and I could have easily said nothing and not reported it to those responsible.

    My aim is to ensure that it doesn't occur again, as I wouldn't want my personal information available to anybody, and as far as I'm aware from the folder's details that info has been available for over a year. Nothing was done regarding removing this information for a number of days even after I reported it; it was only after I notified an individual (senior to me) out of courtesy that their personal information was present, and he contacted the individual responsible, that it was taken down. This is a reason for concern to me.

    We have a fairly concise HR policy regarding Data Protection which references the Data Protection Commissioner's Office, and that's why I looked for their Code of Practice in this situation.

