Proof / reporting of DPA breach.

Steve

Hypothetical situation:

Association A has a strong membership.

One of the members has privileged access (committee member) , doesn't agree with how association A is being operated and decides to form Association B in competition.

Is it a DPA breach if the member mails current members to tell them?

I assume it is if they take home a list of emails on a memory stick and do it privately, but what if they did it while still a serving member of association A?

Steve

Second part of the question - sorry - is what proof is needed in terms of DPA and how should a breach be reported by a third party (if thats even possible).

4ensic15

Steve wrote: »

Hypothetical situation:

Association A has a strong membership.

One of the members has privileged access (committee member) , doesn't agree with how association A is being operated and decides to form Association B in competition.

Is it a DPA breach if the member mails current members to tell them?

I assume it is if they take home a list of emails on a memory stick and do it privately, but what if they did it while still a serving member of association A?

Yes. The data was gathered for the purpose of running association A. Not for the purpose of promoting association B. Access beyond that authorised and unlawful use of the data.

Manach

As 4ensic15 said. Personal data only can be, AFAIR from the old EU Directive, can only be used for the purpose it was collected. I think there was an Irish DPC ruling on such dealing with sales employees taking client data.

GerardKeating

Steve wrote: »

Second part of the question - sorry - is what proof is needed in terms of DPA and how should a breach be reported by a third party (if thats even possible).

Proof of the data breach would be required, so perhaps a search of the offenders computers/USB keys etc, and actually finding the data.

Anyone can report a data breach, but unless the association concerned is of significance, it might be difficult to get one one to launch an investigation.

hullaballoo

I'm not sure about that. They are diligent if nothing else in the DPC.

They would be very interested in a data leak such as the one contained in the OP.

Having just recently reported someone for a relatively minor (but intensely annoying) breach, they seem to investigate all complaints.

4ensic15

GerardKeating wrote: »

Proof of the data breach would be required, so perhaps a search of the offenders computers/USB keys etc, and actually finding the data.

Anyone can report a data breach, but unless the association concerned is of significance, it might be difficult to get one one to launch an investigation.

If there are mails to members to encourage them to jump ship, it would be possible to get some people who got mails but are not jumping ship to produce copies of their emails. That would only leave the source as the object of the investigation. That shouldn't be difficult to establish either.

barman linen

4ensic15 wrote: »

If there are mails to members to encourage them to jump ship, it would be possible to get some people who got mails but are not jumping ship to produce copies of their emails. That would only leave the source as the object of the investigation. That shouldn't be difficult to establish either.

While I agree with the main points in the post above I cant see how it is immediately apparent that merely showing someone received an email is proof that the data was accessed and came from Association A.

I work in sales and regularly guess emails from company email formats etc. Personal emails are harder to guess but not impossible.

I think you would need proof that the addresses were accessed and copied/used from the original source.