
GDPR - member's details, professional organisation

  • 02-06-2019 1:26am
    #1
    Posts: 5,917 ✭✭✭


    Perhaps someone could give their opinion on this situation in relation to GDPR. I've an interest in ethical hacking and security from a technical position, so I'm posting here for hopefully a more learned legal opinion.

    A friend is a medical professional, and they are legally required to register with a governing body. No issues with this, it's standard practice.
    However, once you are successfully logged into this body's site, it lists the personal details of each member, such as their date of birth, their home address, home and mobile number and place of employment, among other information.

    Based on what I have been told by my friend, they did not consent to their information being shared with other members of the site, and I have read the terms set out by the body that they were required to sign when registering and cannot find any reference to consent for this information to be shared.

    From the standpoint of a hacker the site is a gold mine in terms of further targets for phishing etc. I personally can't see this level of PII being available to all members of the site being in line with GDPR, especially as no consent was given by my friend to have their information shared with other members of the site, but someone else can perhaps tell me if it is.


Comments

  • Registered Users Posts: 7,571 ✭✭✭GerardKeating


    Perhaps a condition of membership is that your details are on the members register?


  • Closed Accounts Posts: 514 ✭✭✭thomasdylan


    The medical council website has the area you work in and the year you qualified. In some cases it showed the eircode of the doctor's home address, but this was removed/deleted after complaints. I don't think there's any justification for having DOB up; the important things are name, qualification and registration number.


  • Posts: 5,917 ✭✭✭ [Deleted User]


    Perhaps a condition of membership is that your details are on the members register?

    Not that I could see, but the level of information available to other members shouldn't be required, surely. Why would a member in Kerry, for example, need to know the date of birth, home address and personal email and phone number of a member based in Donegal?
    Their workplace and its phone number should be sufficient if they need to contact a member in a specific area of the country.


  • Registered Users Posts: 9,784 ✭✭✭antoinolachtnai


    This is pretty basic stuff. Consent is far from the only grounds on which personal data can be shared. It is vital that a medical professional understand this if only because the vital interests of a patient might be at stake.

    Registering for the Medical Council is not like getting a mobile phone. Nor is it a matter of ‘standard practice’. The stuff you sign is meant to be informative, but it is in itself of little direct legal consequence.

    In fact the register, the registration process and the register’s publication are governed by statute law. Again, I would expect a medical professional to know the legal basis of the register.

    It is necessary as a matter of practicality that at the very least the year of birth be known to avoid confusion, for the simple reason that many medical practitioners share their name with an older relative.

    Is the law and manner of access to the register as good as it could be? There is certainly an argument to be made about this. Your friend could talk to his trade union, which I think was extensively consulted about the legislation.


  • Closed Accounts Posts: 514 ✭✭✭thomasdylan


    Consent is far from the only grounds on which personal data can be shared. It is vital that a medical professional understand this if only because the vital interests of a patient might be at stake.

    The register and its publication are governed by law. Again, I would expect a medical professional to know the legal basis of the register.

    It is necessary as a matter of practicality that at the very least the year of birth be known to avoid confusion, for the simple reason that many medical practitioners share their name with an older relative.

    I don't think you understand this. All medical professionals in Ireland have a unique identifier: a registration number provided by their regulatory body. For the likes of doctors, that number should be seen beside the doctor's name on all prescriptions and letters sent. There's no need for anything like DOB or address to be available online; it's invasive and entirely redundant.


  • Registered Users Posts: 9,784 ✭✭✭antoinolachtnai


    I don't think you understand this. All medical professionals in Ireland have a unique identifier: a registration number provided by their regulatory body. For the likes of doctors, that number should be seen beside the doctor's name on all prescriptions and letters sent. There's no need for anything like DOB or address to be available online; it's invasive and entirely redundant.

    That is your opinion. But the Medical Council and the statute disagree.

    The (unfortunately common) idea that all you have to do to check that a medical professional is legitimate and that a document originated from them is to check their name and medical council number exists in the register is an incorrect one.


  • Registered Users Posts: 1,801 ✭✭✭mrslancaster


    ...

    In fact the register, the registration process and the register’s publication are governed by statute law...

    So does that mean GDPR regulations do not apply if other legislation was in existence before May 2018? Why was there so much work and worry for organisations to make sure all their systems and processes were GDPR compliant? Are things like this register exempt?


  • Posts: 5,917 ✭✭✭ [Deleted User]


    That is your opinion. But the Medical Council disagrees.

    The (unfortunately common) idea that all you have to do to check that a medical professional is legitimate and that a document originated from them is to check their name and medical council number exists in the register is an incorrect one.

    I'm not naming the site and will not be, but it's not the one you're talking about.

    My friend is a nurse not a doctor, but doctors are also part of the site and their details are listed to the same level.

    As I said, it's the level of PII that I don't think is necessary, as there is no need for a member's home address, phone number etc. to be available to every member in the country in order for a member to be able to complete any of their job requirements.

    Also, as stated earlier, if breached by guessing/knowing a member's login details, or any other method, from a hacking perspective having this level of personal information for all members once you're logged into the site is a gold mine.


  • Closed Accounts Posts: 514 ✭✭✭thomasdylan


    That is your opinion. But the Medical Council and the statute disagree.

    The (unfortunately common) idea that all you have to do to check that a medical professional is legitimate and that a document originated from them is to check their name and medical council number exists in the register is an incorrect one.


    The medical council only shows doctor name, registration number, qualification(s) and year of qualification online. It doesn't give residential address or date of birth online, so I don't think they do disagree.

    I don't really understand your second paragraph.


  • Registered Users Posts: 9,784 ✭✭✭antoinolachtnai


    You may be right that it is excessive. The problem is that it is up to the regulator to decide how they administer the register. It is very hard to stop them legally. The most effective way to deal with it is through the representative body. You could go through the other machinery, but it would not be effective.


  • Closed Accounts Posts: 514 ✭✭✭thomasdylan


    DubInMeath wrote: »
    I'm not naming the site and will not be, but it's not the one you're talking about.

    My friend is a nurse not a doctor, but doctors are also part of the site and their details are listed to the same level.

    As I said, it's the level of PII that I don't think is necessary, as there is no need for a member's home address, phone number etc. to be available to every member in the country in order for a member to be able to complete any of their job requirements.

    Also, as stated earlier, if breached by guessing/knowing a member's login details, or any other method, from a hacking perspective having this level of personal information for all members once you're logged into the site is a gold mine.

    I'd be unhappy myself if that information was available. I agree and I don't think there's justification for any of that information to be seen.


  • Registered Users Posts: 1,576 ✭✭✭Glass fused light


    DubInMeath wrote: »
    Perhaps someone could give their opinion on this situation in relation to GDPR. I've an interest in ethical hacking and security from a technical position, so I'm posting here for hopefully a more learned legal opinion.

    A friend is a medical professional, and they are legally required to register with a governing body. No issues with this, it's standard practice.
    However, once you are successfully logged into this body's site, it lists the personal details of each member, such as their date of birth, their home address, home and mobile number and place of employment, among other information.

    As pointed out, if there is an existing legal obligation to collect and publish the data there is no "issue", as the GDPR requirement on processing is satisfied by the existing and future obligation.

    However, this should be something that the organisation takes very seriously. Linking a workplace and home address could have serious implications for an individual's personal security. The risk could arise either from a professional sphere (animal rights, anti-abortion) or a personal sphere (ex-partner etc.).

    The first option your friend has is to write to the body which constructed and controls the data and ask for a copy of their data protection policy and how each displayed data point complies with the organisation's obligation to control access to the data. Plus, ask what options are available to have the data retained by the organisation but not accessible to all members. If there is no legal obligation to publish the data then it should not be visible to other members.

    The quicker option is to make a complaint to the Data Protection Commissioner, and let the organisation justify the database and why each data point is published.

