Gdpr

b.e.s.s.

Hi, my co-worker's wife works as a cleaner in the bank (outsourcing cleaning company). He says that she has to dispose the confidential mails and copies of personal documentation. However, he says that in order for her to dispose it, she has to manually remove them from the office bin and put it into special bags with seal, then bring it downstairs and put them into caged blue bins for collection.
My question is, is it actually correct that a cleaner has direct access to the personal information of banks clients? If not, what is the best course of actions here. Thanks

Heres Johnny

Tackling the big issues of our times

b.e.s.s.

Heres Johnny wrote: »

Tackling the big issues of our times

The bigger issue the louder noise.

Boards.ie: Mark

Hi b.e.s.s.,

I've moved your thread over to Legal Discussion where I think it's more fitting as users have more insight and knowledge. However, I know that actual legal advice isn't permitted.

bennyineire

b.e.s.s. wrote: »

Hi, my co-worker's wife works as a cleaner in the bank (outsourcing cleaning company). He says that she has to dispose the confidential mails and copies of personal documentation. However, he says that in order for her to dispose it, she has to manually remove them from the office bin and put it into special bags with seal, then bring it downstairs and put them into caged blue bins for collection.
My question is, is it actually correct that a cleaner has direct access to the personal information of banks clients? If not, what is the best course of actions here. Thanks

Mmm it would seem the are exposing themselves alright as this person can look it this documentation if they wished to. There the process would be in breach if this person did get hold of this information and used it. This would be a data breach and the first thing looked at would be how they got the data.

This person should only get this documentation in an unreadable or shredded form, the data processor here (who ever is putting the documentation in the bin) should insure the documentation is either shredded or unreadable before placed in the bin.

Please know this is my opinion on my understanding of GDPR and this is not legal advise that you can use quoting from me

AnRothar

b.e.s.s. wrote: »

for her to dispose it, she has to manually remove them from the office bin and put it into special bags with seal, then bring it downstairs and put them into caged blue bins for collection.

There is a process in place for the disposal of the confidential waste.


The cleaner is part of that process.


Is the cleaner sharing the information with anyone they should not be sharing it with?

Homer

How would you propose the documents are disposed of? Mission impossible style spontaneous combustion? Or old fashioned shred everything?

Vetch

In this scenario, the cleaning company is a processor, and the bank as controller should have a data processing agreement in place with the cleaning company. In turn, the cleaning company should ensure that its staff keep any information seen confidential, receive any appropriate training etc. What's described sounds unusual for a bank though regardless of whether an agreement is in place.

wench

Homer wrote: »

How would you propose the documents are disposed of? Mission impossible style spontaneous combustion? Or old fashioned shred everything?

It's hardly rocket science.


In my office there are three ways of handling paper waste.
Non-confidential goes in open bins in the offices, emptied by the cleaners.
Confidential goes in secure bins with just a slot for insertion. The collection company comes every couple of weeks and shreds the contents on-site.
Even more sensitive confidential waste can be shredded directly by the user.

bennyineire

Vetch wrote: »

In this scenario, the cleaning company is a processor, and the bank as controller should have a data processing agreement in place with the cleaning company. In turn, the cleaning company should ensure that its staff keep any information seen confidential, receive any appropriate training etc. What's described sounds unusual for a bank though regardless of whether an agreement is in place.

Nope the cleaning company are NOT the processor as they are not processing any data, they are merely disposing paper. What data are the processing ?

The bank is the controller but who ever is putting the data in the bin is the processor and there method of disposing this data is leaving the bank open to data breach.

If there was an agreement that the cleaning company could possible see some personal data whilst disposing it then this would need to be clearly explained to the people who's data could possible be seen and those people would have to give express permission that the data could be used this way

Vetch

bennyineire wrote: »

Nope the cleaning company are NOT the processor as they are not processing any data, they are merely disposing paper. What data are the processing ?

The bank is the controller but who ever is putting the data in the bin is the processor and there method of disposing this data is leaving the bank open to data breach.

If there was an agreement that the cleaning company could possible see some personal data whilst disposing it then this would need to be clearly explained to the people who's data could possible be seen and those people would have to give express permission that the data could be used this way

You have an interesting take on Data Protection law.

This is the definition of processing in GDPR - the cleaner is organising, structuring, using, therefore processing:
'processing' means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

The bank and all its employees constitute the controller. Whoever puts paper in the bin is most likely a direct bank employee. Employees are never processors.

As the bank is the controller, regardless of who puts paper in the bin or who is responsible for disposal, the bank is responsible for ensuring that there is a secure disposal system.

b.e.s.s.

Homer wrote: »

How would you propose the documents are disposed of? Mission impossible style spontaneous combustion? Or old fashioned shred everything?

The amount and the weight of those bags.

b.e.s.s.

AnRothar wrote: »

There is a process in place for the disposal of the confidential waste.


The cleaner is part of that process.


Is the cleaner sharing the information with anyone they should not be sharing it with?

My understanding is that everyone should be doing their own job they are trained for.
They are cleaners and hardly gdpr trained especially those who lack English language. So, although I am not aware of instances where they have indeed share it with anyone, but I don't know for fact. Besides those ladies are on low pay and god knows what is in their heads.

rock22

b.e.s.s. wrote: »

My understanding is that everyone should be doing their own job they are trained for.
They are cleaners and hardly gdpr trained especially those who lack English language. So, although I am not aware of instances where they have indeed share it with anyone, but I don't know for fact. Besides those ladies are on low pay and god knows what is in their heads.

You have a very interesting , and dare I say distorted, take on low pay workers , or ladies ..

b.e.s.s.

rock22 wrote: »

You have a very interesting , and dare I say distorted, take on low pay workers , or ladies ..

Of course not everyone is twisted in their minds and there are plenty of rich and greedy people who'd have no problem using copy of your passport to take a loan or sell your house without you even knowing it. I also come as you would say, from a third world country and seen people disregard adherence to rules and policies on daily basis due to financial difficulty and basic struggle. That's one of the reasons it is qualified as a third world I would imagine. But i guess you are right implying me being a bit biased here. No hard feelings thought as I didn't mean to offend anyone and as a matter of a fact trying to help someone.

brian_t

b.e.s.s. wrote: »

They are cleaners and hardly gdpr trained especially those who lack English language. So, although I am not aware of instances where they have indeed share it with anyone, but I don't know for fact. Besides those ladies are on low pay and god knows what is in their heads.

Cleaning Up was a 6 part drama on ITV in January this year.

Episode 1

Sam is a struggling mum ............... having to a work zero-hour contract on the minimum wage as a cleaner in Canary Wharf.

Sam’s life is thrown into disarray when she discovers access to lucrative and illegal stock market information at the office she cleans. ...................

https://www.itv.com/presscentre/ep1week2/cleaning

Glencarraig

Apologies if slightly off topic. I work as a delivery driver and in one office block (a number of different companies) the reception is manned by a facilities company. When I say I have a delivery for XYZ company they ask me to sign in on a tablet. First question asked is "what is your email address", followed by my name and company name.

I fail to see what the need for an email address is and I refused to give one and the "system" will not allow me to proceed with the sign in. I have been told to "just make one up" which to me defeats the whole need to give an email in the first place.

Am I in any way covered by GDPR in refusing to give my, or any email address ?

qwerty13

Do they not mean your company email address?? Like so they can contact you if they need to???

Glencarraig

qwerty13 wrote: »

Do they not mean your company email address?? Like so they can contact you if they need to???

Well given the comment "just make one up", I dont think they specifically want the company email. The whole thing just seems like overkill to me.

nuac

Mod
Rock 22 and B.E.S.S.
Pls be nice on this forum - no sniping at each other