
Deletion of work data by IT - GDPR Breach?

  • 13-09-2019 9:04am
    #1
    Registered Users Posts: 365 ✭✭


    Hi all,

    Say someone returns from maternity leave to find that IT had deleted all their emails and stored data. This is due to a new policy IT have enacted of deleting accounts inactive for longer than 6 months. The person on maternity leave has been off for longer than this due to accumulated annual leave and unpaid leave. IT have not considered such a scenario in their new policy.

    Article 4 of the EU’s General Data Protection Regulation (GDPR) defines a personal data breach as follows:

    “A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.”

    Would this scenario constitute a personal data breach as defined above? Would the data be considered personal data or belonging to the company?


Comments

  • Registered Users Posts: 2,749 ✭✭✭accensi0n


    But nothing was hers... it's the company's, no?


  • Registered Users Posts: 365 ✭✭Cerdito


    accensi0n wrote: »
    But nothing was hers... it's the company's, no?

    Some of the data lost includes documents for professional certification by a registered body, that could potentially lead to being struck off a register if not available for audit. These were stored on the company filestore.

    Again to Article 4 of GDPR, it defines personal data as:

    "‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person."

    The information lost / destroyed most definitely can identify the person.


  • Registered Users Posts: 5,510 ✭✭✭Wheety


    “A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.”

    There was no breach of security. It's their data, they deleted it. If you had documents for professional certification you should have had copies on your own storage.

    It's an awful policy and should be changed but they did not breach GDPR.


  • Registered Users Posts: 465 ✭✭Ballso


    Why would you keep the only copies of your professional certifications on your employer's IT systems? Crazy stuff.


  • Registered Users Posts: 6,867 ✭✭✭Tow


    We see this sort of crap at least once a month...

    Just get IT to restore it from backup :-) Official complaint to senior management if they cannot.

    "documents for professional certification by a registered body" where are the originals? If only electronic just get the registered body to reissue them and invoice the company. However, you should not be storing the only copy of personally important data on a work computer.

    The cost of hiring data entry temps for a few months to try and rebuild a mission critical database from years of files will soon put an end to such policies.



  • Registered Users Posts: 32,136 ✭✭✭✭is_that_so


    Cerdito wrote: »
    Some of the data lost includes documents for professional certification by a registered body, that could potentially lead to being struck off a register if not available for audit. These were stored on the company filestore.

    Again to Article 4 of GDPR, it defines personal data as:

    "‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person."

    The information lost / destroyed most definitely can identify the person.
    Hmm, no backup of data. It sounds to me like the person doesn't really care about GDPR, just their own private data. And that question again is why they stored personal data on a resource used for company activity that really did not belong to them in any way.


  • Registered Users Posts: 365 ✭✭Cerdito


    Tow wrote: »
    We see this sort of crap at least once a month...

    Just get IT to restore it from backup :-) Official complaint to senior management if they cannot.

    "documents for professional certification by a registered body" where are the originals? If only electronic just get the registered body to reissue them and invoice the company. However, you should not be storing the only copy of personally important data on a work computer.

    The cost of hiring data entry temps for a few months to try and rebuild a mission critical database from years of files will soon put them right.

    IT's position is that it will take at least a month to restore from backup due to other projects taking priority, also they will not guarantee a restore is even possible. Complaint has been made to the CTO who responded defensively, placing blame on HR and offering to cease data restoration efforts if the complainant is not happy. Account deletion policy came from the CTO himself. This is public sector.

    The aim of the GDPR angle would have been to use it as a lever to hurry up the restoration efforts but I take the point that there was no security breach involved and also that personal data should have been stored elsewhere.


  • Registered Users Posts: 5,510 ✭✭✭Wheety


    If it's Public Sector there could be FOI issues from them having such a short retention policy for staff who have left. I know in this case it was maternity leave but that's a flaw in their policy.

    I suppose if there was an FOI request they would restore from backup fairly sharpish.

    Suppose you could put in a 'subject access request' under GDPR to get all information they hold on you. There's a time limit of 30 days for them to perform it. I doubt it would go down well with the company though.

    Cerdito wrote: »
    offering to cease data restoration efforts if the complainant is not happy.

    Maybe the CTO should read up on GDPR themselves.


  • Registered Users Posts: 16 Mister_Happy


    Is an employee's salary & bonus information considered personal data? If a company mistakenly publishes this information for all within the organisation to see, what would/could be the ramifications, if any?


  • Subscribers Posts: 41,263 ✭✭✭✭sydthebeat


    Six months seems an awfully short time to hold company docs, emails etc. You'd have to wonder what would happen in the case of an insurance claim.....

    Usually the length of time required to hold documents equals the statute of limitations for an insurance claim, i.e. 10 years in the case of professional indemnity.


  • Registered Users Posts: 7,674 ✭✭✭whippet


    The data is still there ... it’s just not priority to restore it.

    It’s not a GDPR issue ... it seems that GDPR is just a buzzword now for anyone looking for anything to complain about with regards to IT / data.

    First of all .. personal data shouldn’t be stored on work infrastructure, and if it is, the employer's published policy can allow it to delete / archive this data as it sees fit.

    It looks like the OP will just have to sit tight and be nice to the IT team until they get around to restoring it.


  • Registered Users Posts: 1,576 ✭✭✭Glass fused light


    sydthebeat wrote: »
    Six months seems an awfully short time to hold company docs, emails etc. You'd have to wonder what would happen in the case of an insurance claim.....

    The normal procedure for emails in any company I worked in with a short email retention policy was as follows (as a result of them being US based and getting pulled into class action law cases on a regular basis, plus expected turnover at all levels of staff):

    All emails were to be processed as soon as possible after being received; once dealt with, the email should be filed and deleted from the inbox.

    The person who knew they would be out puts on an out-of-office message directing people to a person who can either resolve the issue or pass the email on to someone who can.

    If the person was out without notice, the IT department normally had a person/team with the ability to put on an out-of-office or even bounce the emails back to the sender.

    Business emails were to be saved into specific client folders or by business area so that they can be found and accessed by the appropriate people.

    Even in the case of an insurance claim, the documents and communications should never be retained in an email system but saved into their appropriate files with appropriate destruction dates added per the data retention policy.



    In the original case the emails were deleted as per policy, so no breach.
    However, if they are retained in a backup there is still a right of access.
    So was it fair processing?
    Was the email a personal one or one related to the business?
    What is the organisation's policy regarding use of company assets for non-business related communication?
    IMO the certs, while containing personal data, would not be part of the business records but rather a personal communication.
    It would be in the person's HR files etc. only when produced by the employee; in this instance the employee used the work mail as if it was a personal mail, and HR would have no access to the data until the employee forwarded it on.
    Does the employee have a right to demand an email from her auntie congratulating her on the birth of her baby if the rule is that all emails are deleted after 6 months?


  • Registered Users Posts: 7,560 ✭✭✭GerardKeating


    Cerdito wrote: »
    “A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.”

    For your assertion (that this was a GDPR breach) to hold, the deletion must be unauthorised, but it was authorised, since you stated it was company IT policy.

