Breach of GDPR on twitter?

macker46

Hi, my employer has shared something on twitter that contains my name, photograph and what department I work in on twitter without my consent. Is this a breach of GDPR or not?

GerardKeating

macker46 wrote: »

Hi, my employer has shared something on twitter that contains my name, photograph and what department I work in on twitter without my consent. Is this a breach of GDPR or not?

Depends on the context, and you might have given consent, somewhere in the fineprint of your employment contract.

macker46

The context is a newsletter that has new staff listed. As far as I can see there is nothing in my contract that allows sharing of images on social media. The dept I work in has access to sensitive data that could be useful to people that would not necessarily be on the right side of the law and therefore we could be a target. This has never happened before in the organisation and other staff members in the department are shocked by it as none of us would like it widely known that we work in that particular dept

macker46

Does anyone know if this is a GDPR breach or not? Thanks!

thejaguar

macker46 wrote: »

Does anyone know if this is a GDPR breach or not? Thanks!

It's not a straightforward yes or no.

As the poster above said - there could be something in your employment contract / terms of employment which allows for this.

It's probably a good idea to start by talking to your employer about it. Ask them on what legal basis they publicly shared your information (I'm assuming it was public if it was on Twitter).

If they can't satisfy you that they had a legitimate basis - then you may be able to argue that a breach occurred. What you do then is up to you.

Augme

It would be tough to argue a breach I think. When you work for an department there is legimate expectations for people to give their personal information. For example writing your name in a work signature, using a name badge with/without photo id, providing your name during a phonecall, working in reception etc. There are natural interactions that would be difficult to conduct without giving away basic information like your name so I'm not sure how successful you would be in saying it is a breach.


If you have just started in a new role launching straight into a data breach claim probably isn't the best course of action either.

joeguevara

I don't think its possible to determine based on the information on whether its a data protection breach. In my opinion, if you determine that there is a real issue (and not simply that a newsletter went out on Twitter) then you should proceed. If there is a security concern etc then that would satisfy that. Then it should be discussed informally with the DPO (or if one isn't required the person with responsibility for DP) to outline this and request an erasure of this if required. If this doesn't work then t can be made formally. It is quite common that new starters are published in the press (but usually this is for higher profile candidates). Why are they publishing a newsletter on twitter if it is for internal use.

Joe Exotic

THis doc might help
https://www.dataprotection.ie/sites/default/files/uploads/2019-08/190812%20GDPR%20Breach%20Notification%20Quick%20Guide.pdf

The important definition:
A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.

The term ‘personal data’ means any information concerning or relating to an identified or identifiable individual. Controllers should be aware that a personal data breach can cover a lot more than just ‘losing’ personal data. Personal data breaches include incidents that are the result of both accidents (such as sending an email to the wrong recipient) as well as deliberate acts (such as phishing attacks to gain access to customer data).

So from what you said they disclosed your name and photograph - both are personal information.

So the Question is was it an Authourised Disclosure.

That depends heavily on context, contract etc.

macker46

joeguevara wrote: »

I don't think its possible to determine based on the information on whether its a data protection breach. In my opinion, if you determine that there is a real issue (and not simply that a newsletter went out on Twitter) then you should proceed. If there is a security concern etc then that would satisfy that. Then it should be discussed informally with the DPO (or if one isn't required the person with responsibility for DP) to outline this and request an erasure of this if required. If this doesn't work then t can be made formally. It is quite common that new starters are published in the press (but usually this is for higher profile candidates). Why are they publishing a newsletter on twitter if it is for internal use.

It’s the 1st issue of an internal newsletter, person who posted it is a manager who is trying to promote himself to the larger country wide public organisation. There was absolutely no need to share it on Twitter. People who work in thIs dept don’t have day to day interaction with members of the public. The dept caries out duties that the staff would not like to advertise outside the organisation as it is possible that they could be approached by individuals on the wrong side of the law

joeguevara

macker46 wrote: »

It’s the 1st issue of an internal newsletter, person who posted it is a manager who is trying to promote himself to the larger country wide public organisation. There was absolutely no need to share it on Twitter. People who work in thIs dept don’t have day to day interaction with members of the public. The dept caries out duties that the staff would not like to advertise outside the organisation as it is possible that they could be approached by individuals on the wrong side of the law

If it is then, this is a security issue. If you fee a reasonable threat, raise it with the DPO. I would preface it with you are not one to rock the boat needlessly but as you have no dealings with the public then publicising something where there is a real security threat should not occur.

If there is not other way somebody would no your role, and it could lead to a threat then I would raise it. You should have received an employee privacy policy which outlines what you're personal data may be used for. If the above isn't on it, then there is an issue.

One thing though, is the only way that individuals on the wrong side of the law would approach you is from this newsletter? Is it really a possibility?

macker46

If you have just started in a new role launching straight into a data breach claim probably isn't the best course of action either.[/quote]

I won’t be persuing a claim, I just want to know where I stand so that if he does it again that I can categorically state if it’s a breach or not. He’s not the easiest man to deal with and I don’t expect he’ll admit that it probably wasn’t a good idea to share such information. Thanks for the feedback

Dodge

Are you in a Union or is there a dedicated GDPR/information security/digital protection unit

It sounds like you don't work for a small company so there should be people in your organisation, you can contact about this. And that's what you should do. No one here knows the full details.

Curb Your Enthusiasm

Out of interest, is someone posting a car license plate / photo of your car on social media also a GDPR issue? Or is this public info anyway?

seagull

You're probably better off raising it with your line manager as a security issue rather than going after the GDPR angle. At this stage, you just want it off twitter.

angel eyes 2012

If it is a public body they should have a Data Protection Officer in place who is responsible for protecting the personal data of all data subjects including employees. Their role is quite specific and set out in the GDPR. They are obliged to be independent and treat any complaint in a confidential manner.

In the circumstances, this appears to be misuse of personal data - it is highly unlikely that the possible use of your image in a staff newsletter is included in any contract drafted by a public body.

You should make informal contact with the DPO and advise you want to have a chat about a concern you have in relation to the processing of your personal data. Best not to broadcast the fact that you are doing this, as other posters said, you don't want to get a reputation as a complainer at this stage. Equally, I would not be flagging it with the DPC. Give the organisation a chance to remedy the situation in the first instance.

Technically, at the very least, an email should have went around to all the staff members whose image was included in the newsletter. The GDPR is all about demonstrating compliance and being transparent about the purpose of any data processing.

micar

macker46 wrote: »

Hi, my employer has shared something on twitter that contains my name, photograph and what department I work in on twitter without my consent. Is this a breach of GDPR or not?

Can you ask your employer to delete the tweet?

antodeco

OP, do you have a LinkedIn page with all of the same information on it?

Also, are you personally uncomfortable with this being shared or is it more a case of wondering where GDPR lies?

Seth Brundle

antodeco wrote: »

OP, do you have a LinkedIn page with all of the same information on it?

Irrelevant in the context of his employer sharing the information.

Curb Your Enthusiasm

Curb Your Enthusiasm wrote: »

Out of interest, is someone posting a car license plate / photo of your car on social media also a GDPR issue? Or is this public info anyway?

It's not identifiable on its own and in public so no, I don't think so.

macker46

macker46 wrote: »

It’s the 1st issue of an internal newsletter, person who posted it is a manager who is trying to promote himself to the larger country wide public organisation. There was absolutely no need to share it on Twitter. People who work in thIs dept don’t have day to day interaction with members of the public. The dept caries out duties that the staff would not like to advertise outside the organisation as it is possible that they could be approached by individuals on the wrong side of the law

Ok so just to be sure I have it right. It's an internal document, so staff members only. in that context, you are in it as a nrw employee being introduced to current employees.

Then a bonehead decided to make this internal document public, through the companies Twitter or his own?

If I was in your shoes, yeah that would bug me and I would also think the company would be unhappy with this behavior too. Bring it too the attention of a superior and it should resolve itself soon enough without you needing to make anything official.

Metroid diorteM

Where I work there would be no tolerance for such stupidity but we've all had training. Twitter is not a safe place to publish anything in my opinion.

LinkedIn is irrelevant. Managing your privacy does not mean a free for all because you used a particular service in the past. I've managed to keep my own info off LinkedIn but that's a luxury most cant afford.

This is a case of ignorance in power. An unfortunately common scenario these days. Can you seperately raise the topic of GDPR training for the team to avoid legal problems? If you can get data security training (including customer data) this could be another avenue to prevent such a mistake in the future.

silent_spark

micar wrote: »

Can you ask your employer to delete the tweet?

Aside from the legalities, this is the obvious first step if you haven't already - ask the person who tweeted the newsletter would they mind deleting the tweet, as you weren't aware it was going outside internal channels and you're extremely uncomfortable with it due to the potential safety risk. Any reasonable person would delete it, particularly if your role is sensitive enough to warrant worry about your personal safety.

macker46

silent_spark wrote: »

Aside from the legalities, this is the obvious first step if you haven't already - ask the person who tweeted the newsletter would they mind deleting the tweet, as you weren't aware it was going outside internal channels and you're extremely uncomfortable with it due to the potential safety risk. Any reasonable person would delete it, particularly if your role is sensitive enough to warrant worry about your personal safety.

The problem is this person is not reasonable and is also the DPO!!!

macker46

Niner leprauchan wrote: »

Ok so just to be sure I have it right. It's an internal document, so staff members only. in that context, you are in it as a nrw employee being introduced to current employees.

Then a bonehead decided to make this internal document public, through the companies Twitter or his own?

If I was in your shoes, yeah that would bug me and I would also think the company would be unhappy with this behavior too. Bring it too the attention of a superior and it should resolve itself soon enough without you needing to make anything official.

He is the highest level person in the section of the public organisation I work in, the man is completely unreasonable

macker46

macker46 wrote: »

He is the highest level person in the section of the public organisation I work in, the man is completely unreasonable

So go outside your section or get the union to do it. Its the public sector, there will be HR department, unions and probable a staff / peer support service that while not within their remit, can easily help someone out