GDPR and PPS

laurajaney83

My employer sent my pps number to the parent company in US. I don’t mind that I guess that’s normal enough. But the US company sent it to another company in south east Asia by mistake along with my address. I guess they thought it was a zip code. The Asian company posted me something in March with the PPS number written on the outside envelope like a zip code.

Is this a serious data breach? Or only if my PPS gets used? Maybe postal workers are covered by confidentiality agreements so risk is low? I’m worried since I can’t change my PPS number... any advice?

athlone573

laurajaney83 wrote: »

My employer sent my pps number to the parent company in US. I don’t mind that I guess that’s normal enough. But the US company sent it to another company in south east Asia by mistake along with my address. I guess they thought it was a zip code. The Asian company posted me something in March with the PPS number written on the outside envelope like a zip code.

Is this a serious data breach? Or only if my PPS gets used? Maybe postal workers are covered by confidentiality agreements so risk is low? I’m worried since I can’t change my PPS number... any advice?

What do you think a Chinese postman is going to do with your PPS number?

You could log a complaint with the GDPR person (your employer's to start with) but I think the most you'll get is an apology. No harm logging it though so they can improve their processes.

laurajaney83

athlone573 wrote: »

What do you think a Chinese postman is going to do with your PPS number?

You could log a complaint with the GDPR person (your employer's to start with) but I think the most you'll get is an apology. No harm logging it though so they can improve their processes.

The first line made me LOL. - I should have mentioned that I never received the letter it is stuck in limbo. But I would imagine it is somewhere in the postal system. Still accountability sucks for stuff like this.. I’m more annoyed with the us company for not being more careful with my ppsn.

martingriff

laurajaney83 wrote: »

My employer sent my pps number to the parent company in US. I don’t mind that I guess that’s normal enough. But the US company sent it to another company in south east Asia by mistake along with my address. I guess they thought it was a zip code. The Asian company posted me something in March with the PPS number written on the outside envelope like a zip code.

Is this a serious data breach? Or only if my PPS gets used? Maybe postal workers are covered by confidentiality agreements so risk is low? I’m worried since I can’t change my PPS number... any advice?

I would contact your work in relation to it. Get them to find out what happened. What is data protection in the USA

Victor

athlone573 wrote: »

What do you think a Chinese postman is going to do with your PPS number?

It's not "is going to do", it's more what someone could do with name, address, employer and PPSN. Not that automated mail sorting systems scan and retain the full address.

martingriff wrote: »

What is data protection in the USA

To a certain degree it doesn't exist.

CIARAN_BOYLE

If your US parent company sent your pps number to South East Asia that's not a gdpr breach as its fully outside the EU.

If your own company sent your pps to the American parent that may or may not be a data breach depending on if there's a legitimate business reason to supply your pps number to the US aren't. I suspect that there would not be.

athlone573

On the face of it, it is a GDPR breach, by my interpretation, although I would consider the risk of harm to be relatively minor (as alluded to earlier) the OP may legitimately be concerned.

I would suggest writing to your company's "Data Controller" stating your concerns and see how they respond.

Realistically I don't see a case for significant compensation and it may be unwise to rock the boat too much with your employer.

doc22

CIARAN_BOYLE wrote: »

If your US parent company sent your pps number to South East Asia that's not a gdpr breach as its fully outside the EU.

If your own company sent your pps to the American parent that may or may not be a data breach depending on if there's a legitimate business reason to supply your pps number to the US aren't. I suspect that there would not be.

Could you explain how it isn't a breach as GDPR covers the EU persons data across the world .......

CIARAN_BOYLE

doc22 wrote: »

Could you explain how it isn't a breach as GDPR covers the EU persons data across the world .......

Perhaps you would like to establish your point further

By my reading of the provisions the articles that deal with territoriality are 3.1, 3.2 and 3.3.

Article 3.1: GDPR applies to EU based organisation even if handling data outside the eu. The parent is not a EU based entity.
Article 3.2 applies gdp to non EU based organisations regarding the monitoring of online information or regarding the sale of goods or services to citizens within the EU. This breach would appear to be neither.
Article 3.3: Relates to EU embassies and similar odd exception.

So from my understanding the data breach would be sending the pps number to the US parent. If the US parent did something with the data it wouldn't be covered and they shouldn't have had the data in the first place.

athlone573

There are extra territorial arrangements whereby data processors in certain third countries are allowed, provided their data privacy safeguards are deemed equivalent by the EU. This list of countries would include major developed economies.

It may be that a breach of regulations occurred when the data left the US (as well as the data breach that occurred when the data was exposed via the postal service)