Data Breach Query

IrishAlice

Hi There,

Would anyone be able to tell me if the below examples constitute data breaches?

I have been told by an employer that a member of staff is out on sick leave due to a cardiac operation and that another member of staff is out due to stress leave.

I do not work for the organisation, I am a customer however I find it concerning that an employer would disclose this information so readily.

Thanks.

iwillhtfu

Don't be looking for something that isn't there.

As they say give an Irish man 5 mins and he'll tell you his life story.

CeilingFly

Where's the data beach.

I wish people would actually read up on gdpr and data protection before making ridiculous assumptions

IrishAlice

CeilingFly wrote: »

Where's the data beach.

I wish people would actually read up on gdpr and data protection before making ridiculous assumptions

Not making ridiculous assumptions, was asking a genuine question.

It just didn't sit right with me that this information was disclosed.

Allinall

IrishAlice wrote: »

Not making ridiculous assumptions, was asking a genuine question.

It just didn't sit right with me that this information was disclosed.

Did they name the employees in question?

Do you know them?

IrishAlice

Allinall wrote: »

Did they name the employees in question?

Do you know them?

Yes they named the employees.

The circumstances of the disclosures were probably what made it feel off to me.

They used these employees illnesses to deflect from a complaint that was made to them regarding their customer service and practices.

Fann Linn

A few out in our place also due to pregnancy, menopause, flu and a few suspended.

#databreach

IrishAlice

Fann Linn wrote: »

A few out in our place also due to pregnancy, menopause, flu and a few suspended.

#databreach

I don't see the need for all the smart answers here.

I wouldn't be happy if my employer told a third party I was out on stress leave.

Might not be a data breach but it's not appropriate to talk about employees health issues to a third party.

iwillhtfu

IrishAlice wrote: »

Might not be a data breach but it's not appropriate to talk about employees health issues to a third party.

You've answered your own question. Mods lock it up

barneystinson

IrishAlice wrote: »

I don't see the need for all the smart answers here.

I wouldn't be happy if my employer told a third party I was out on stress leave.

Might not be a data breach but it's not appropriate to talk about employees health issues to a third party.

What if you were on annual leave? Would it be a breach then?

Or gone on your lunch break?

Where's the line, in your view? Genuine question.

IrishAlice

barneystinson wrote: »

What if you were on annual leave? Would it be a breach then?

Or gone on your lunch break?

Where's the line, in your view? Genuine question.

Anything relating to a persons health crosses the line is how I would see it.

In my workplace if someone is on sick leave the nature of their illness is never disclosed to anyone.

sexmag

IrishAlice wrote: »

Anything relating to a persons health crosses the line is how I would see it.

In my workplace if someone is on sick leave the nature of their illness is never disclosed to anyone.

Contact the employees in question and let them take it from there

Allinall

barneystinson wrote: »

What if you were on annual leave? Would it be a breach then?

Or gone on your lunch break?

Where's the line, in your view? Genuine question.

If you were told they were on annual leave as they suffered a miscarriage ( as an example) then, whether a data breach or not, it is extremely bad form.

cobhguy28

IrishAlice wrote: »

Fann Linn wrote: »

A few out in our place also due to pregnancy, menopause, flu and a few suspended.

#databreach

I don't see the need for all the smart answers here.

I wouldn't be happy if my employer told a third party I was out on stress leave.

Might not be a data breach but it's not appropriate to talk about employees health issues to a third party.

You get smart answers on here because A lot of the people answer with what, they think the law is or should be, without actually knowing what it is. 
So if a person has information on someones health as a data controller say like a HR manager and they disclose this to a customer then Yes it could be a data breach.

lunamoon

I think they probably told you because some customers would keep ringing asking when the person is going to be back. Less likely to do that if they know the person isn't off in the Canaries on their holibobs and are dealing with a major health issue.

seagull

They could just say they're out on sick leave without giving details. Or even better, just say they've had to take some time off, and leave it at that.

Trampas

Did you gain access to the data by controlling the person?

The person said it out.

Nothing was breached they said stuff out that they shouldn’t have

IrishAlice

Trampas wrote: »

Did you gain access to the data by controlling the person?

The person said it out.

Nothing was breached they said stuff out that they shouldn’t have

Yes it was the data controller who disclosed the information.

It was odd too because one of the people mentioned was unrelated to the issue at hand.

dudara

Technically, it was a data breach. An individual’s health information is personal data and it was not necessary to disclose it to you.

But the question is, what’s practical here? Reporting to the DPC would be overkill. Perhaps a letter or conversation with the business owner etc.

IrishAlice

dudara wrote: »

Technically, it was a data breach. An individual’s health information is personal data and it was not necessary to disclose it to you.

But the question is, what’s practical here? Reporting to the DPC would be overkill. Perhaps a letter or conversation with the business owner etc.

I agree the practical option is a conversation with the owner.

It hadn't crossed my mind to report to the DPC, I more so wanted to know if it actually was a data breach before I said anything.

dudara

Consider if there is material damage to the impacted individuals. If there isn’t, then it’s not really worth reporting to the DPC. They’ll be dealing with enough reports and complaints as it is

Tow

dudara wrote: »

Technically, it was a data breach. An individual’s health information is personal data and it was not necessary to disclose it to you.

But the question is, what’s practical here? Reporting to the DPC would be overkill. Perhaps a letter or conversation with the business owner etc.

Mr Shatter has argued in court and won, that telling someone data which is in your mind is not a breach of the data protection acts.

https://www.rte.ie/news/courts/2017/1109/918656-shatter/

sexmag

Tow wrote: »

Mr Shatter has argued in court and won, that telling someone data which is in your mind is not a breach of the data protection acts.

https://www.rte.ie/news/courts/2017/1109/918656-shatter/

that case is from 2017, GDPR is more strigent now, particularly with personal data, however in the ops case if there is no damage done then i dont see an issue in reporting it, now if the people go around talking about employees personal information all day thats a different matter

Stanford

IrishAlice wrote: »

Hi There,

Would anyone be able to tell me if the below examples constitute data breaches?

I have been told by an employer that a member of staff is out on sick leave due to a cardiac operation and that another member of staff is out due to stress leave.

I do not work for the organisation, I am a customer however I find it concerning that an employer would disclose this information so readily.

Thanks.

This is clearly a data breach as reasons for work absences due to ill health are absolutely private between the Employer and Employee, it also shows total unprofessionalism on behalf of the person who made the statement, the fact that you are not an Employee makes the issue more serious but the same confidentiality would extend to colleagues of the Employees. My advice is to tell the people concerned and let them deal with the matter if they so choose, you will then have discharged your duty and it is no longer your problem, do not engage on the matter further

Stanford

CeilingFly wrote: »

Where's the data beach.

I wish people would actually read up on gdpr and data protection before making ridiculous assumptions

Disclosing confidential sensitive information which should only be held between the Employer and Employee to an unrelated third party, thats the data breach